Manage devices in Azure AD using the Azure portal - Microsoft Entra (2023)


Azure Active Directory (Azure AD) provides a central place to manage device identities and monitor related event information.

You can access the devices overview by completing these steps:

  1. Sign in to the Azure portal.
  2. Go to Azure Active Directory > Devices.

In the devices overview, you can view the number of total devices, stale devices, noncompliant devices, and unmanaged devices. You'll also find links to Intune, Conditional Access, BitLocker keys, and basic monitoring.

Device counts on the overview page don't update in real time. Changes should be reflected every few hours.

From there, you can go to All devices to:

  • Identify devices, including:
    • Devices that have been joined or registered in Azure AD.
    • Devices deployed via Windows Autopilot.
    • Printers that use Universal Print.
  • Complete device identity management tasks like enable, disable, delete, and manage.
    • The management options for Printers and Windows Autopilot are limited in Azure AD. These devices must be managed from their respective admin interfaces.
  • Configure your device identity settings.
  • Enable or disable enterprise state roaming.
  • Review device-related audit logs.
  • Download devices.

Tip

  • Hybrid Azure AD joined Windows 10 or newer devices don't have an owner. If you're looking for a device by owner and don't find it, search by the device ID.


  • If you see a device that's Hybrid Azure AD joined with a state of Pending in the Registered column, the device has been synchronized from Azure AD connect and is waiting to complete registration from the client. See How to plan your Hybrid Azure AD join implementation. For more information, see Device management frequently asked questions.

  • For some iOS devices, device names that contain apostrophes can use different characters that look like apostrophes, so searching for such devices is a little tricky. If you don't see the correct search results, be sure the search string contains the matching apostrophe character.

Manage an Intune device

If you have rights to manage devices in Intune, you can manage devices for which mobile device management is listed as Microsoft Intune. If the device isn't enrolled with Microsoft Intune, the Manage option won't be available.

Enable or disable an Azure AD device

There are two ways to enable or disable devices:

  • The toolbar on the All devices page, after you select one or more devices.
  • The toolbar, after you drill down for a specific device.

Important

  • You must be a Global Administrator, Intune Administrator, or Cloud Device Administrator in Azure AD to enable or disable a device.
  • Disabling a device prevents it from authenticating via Azure AD. This prevents it from accessing your Azure AD resources that are protected by device-based Conditional Access and from using Windows Hello for Business credentials.
  • Disabling a device revokes the Primary Refresh Token (PRT) and any refresh tokens on the device.
  • Printers can't be enabled or disabled in Azure AD.

Delete an Azure AD device

There are two ways to delete a device:

  • The toolbar on the All devices page, after you select one or more devices.
  • The toolbar, after you drill down for a specific device.

Important

  • You must be a Cloud Device Administrator, Intune Administrator, Windows 365 Administrator or Global Administrator in Azure AD to delete a device.
  • Printers and Windows Autopilot devices can't be deleted in Azure AD.
  • Deleting a device:
    • Prevents it from accessing your Azure AD resources.
    • Removes all details attached to the device. For example, BitLocker keys for Windows devices.
    • Is a nonrecoverable activity. We don't recommend it unless it's required.

If a device is managed by another management authority, like Microsoft Intune, be sure it's wiped or retired before you delete it. See How to manage stale devices before you delete a device.
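Disabling and then deleting a device from PowerShell, following the same rules the portal enforces in the two sections above. This is an added example, not code from the Microsoft article; it assumes the Microsoft Graph PowerShell SDK, an account holding one of the roles listed above, and the helper names and delegated scope used here.

```powershell
# Added example (not from the Microsoft article). Disable first, delete last:
# disabling revokes the PRT and blocks device-based Conditional Access but is
# reversible, while Remove-MgDevice is permanent and discards stored data such
# as BitLocker keys. Assumes the Microsoft.Graph module and an account holding
# Cloud Device Administrator or higher; the delegated scope is an assumption.
Connect-MgGraph -Scopes "Directory.AccessAsUser.All"

# The portal's "Device ID" is the deviceId attribute, not the directory object
# id that the *-MgDevice cmdlets take as -DeviceId, so resolve it first.
function Get-AadDeviceByDeviceId {
    param([Parameter(Mandatory)][string]$DeviceId)
    Get-MgDevice -Filter "deviceId eq '$DeviceId'" `
        -Property "id,deviceId,displayName,accountEnabled,profileType,mdmAppId"
}

function Disable-AadDevice {
    param([Parameter(Mandatory)][string]$DeviceId)
    $device = Get-AadDeviceByDeviceId -DeviceId $DeviceId
    if (-not $device) { throw "No device with deviceId $DeviceId" }
    # Universal Print printers cannot be enabled or disabled in Azure AD.
    if ($device.ProfileType -eq 'Printer') {
        throw "$($device.DisplayName) is a printer; manage it from Universal Print"
    }
    Update-MgDevice -DeviceId $device.Id -AccountEnabled:$false
    # Read the object back instead of assuming the PATCH took effect.
    (Get-MgDevice -DeviceId $device.Id -Property "accountEnabled").AccountEnabled
}

function Remove-AadDevice {
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        # Caller attests the device was wiped or retired in its MDM (e.g. Intune).
        [switch]$WipedOrRetiredInMdm
    )
    $device = Get-AadDeviceByDeviceId -DeviceId $DeviceId
    if (-not $device) { throw "No device with deviceId $DeviceId" }
    if ($device.ProfileType -eq 'Printer') { throw "Printers cannot be deleted in Azure AD" }
    if ($device.MdmAppId -and -not $WipedOrRetiredInMdm) {
        throw "$($device.DisplayName) is MDM-managed; wipe or retire it first, then rerun with -WipedOrRetiredInMdm"
    }
    # Conservative local guard, not an Azure AD rule: require the reversible step first.
    if ($device.AccountEnabled) { throw "Disable $($device.DisplayName) before deleting it" }
    Remove-MgDevice -DeviceId $device.Id -Confirm:$true
}

# Usage with a placeholder device ID; Disable-AadDevice returns the new accountEnabled value.
# Disable-AadDevice -DeviceId '00000000-0000-0000-0000-000000000000'
# Remove-AadDevice  -DeviceId '00000000-0000-0000-0000-000000000000' -WipedOrRetiredInMdm
```

Windows Autopilot identities are not deletable here either and must be removed from Intune, which the script cannot verify on its own.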

View or copy a device ID

You can use a device ID to verify the device ID details on the device or to troubleshoot via PowerShell. To access the copy option, select the device.


View or copy BitLocker keys

You can view and copy BitLocker keys to allow users to recover encrypted drives. These keys are available only for Windows devices that are encrypted and store their keys in Azure AD. You can find these keys when you view a device's details by selecting Show Recovery Key. Selecting Show Recovery Key will generate an audit log, which you can find in the KeyManagement category.


To view or copy BitLocker keys, you need to be the owner of the device or have one of these roles:

  • Cloud Device Administrator
  • Global Administrator
  • Helpdesk Administrator
  • Intune Service Administrator
  • Security Administrator
  • Security Reader

Block users from viewing their BitLocker keys (preview)

In this preview, admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission will be unable to view or copy their BitLocker key(s) for their owned devices.

To disable/enable self-service BitLocker recovery:

    # Requires the Microsoft Graph PowerShell SDK; the scope below grants write access to the authorization policy.
    Connect-MgGraph -Scopes Policy.ReadWrite.Authorization

    $authPolicyUri = "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy"
    $body = @{
        defaultUserRolePermissions = @{
            allowedToReadBitlockerKeysForOwnedDevice = $false # Set this to $true to allow BitLocker self-service recovery
        }
    } | ConvertTo-Json

    # Apply the change to the tenant-wide authorization policy
    Invoke-MgGraphRequest -Uri $authPolicyUri -Method PATCH -Body $body

    # Show current policy setting
    $authPolicy = Invoke-MgGraphRequest -Uri $authPolicyUri
    $authPolicy.defaultUserRolePermissions

View and filter your devices (preview)

In this preview, you have the ability to infinitely scroll, reorder columns, and select all devices. You can filter the device list by these device attributes:

  • Enabled state
  • Compliant state
  • Join type (Azure AD joined, Hybrid Azure AD joined, Azure AD registered)
  • Activity timestamp
  • OS
  • Device type (printer, secure VM, shared device, registered device)
  • MDM
  • Extension attributes
  • Administrative unit
  • Owner

To enable the preview in the All devices view:

  1. Sign in to the Azure portal.
  2. Go to Azure Active Directory > Devices > All devices.
  3. Select the Preview features button.
  4. Turn on the toggle that says Enhanced devices list experience. Select Apply.
  5. Refresh your browser.

You can now experience the enhanced All devices view.

Download devices

Global readers, Cloud Device Administrators, Intune Administrators, and Global Administrators can use the Download devices option to export a CSV file that lists devices. You can apply filters to determine which devices to list. If you don't apply any filters, all devices will be listed. An export task might run for as long as an hour, depending on your selections. If the export task exceeds 1 hour, it fails, and no file is output.

The exported list includes these device identity attributes:

accountEnabled, approximateLastLogonTimeStamp, deviceOSType, deviceOSVersion, deviceTrustType, dirSyncEnabled, displayName, isCompliant, isManaged, lastDirSyncTime, objectId, profileType, registeredOwners, systemLabels, registrationTime, mdmDisplayName
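Once exported, the CSV can be triaged offline into the same stale, noncompliant and unmanaged buckets the overview page counts. This is an added example, not code from the Microsoft article; the column names are the ones listed above, the rows are constructed sample data, and the 90-day staleness window and helper names are assumptions.

```powershell
# Added example (not from the Microsoft article): triage a "Download devices"
# CSV offline. Column names are the ones the article lists; the rows are
# constructed sample data and the 90-day staleness window is an assumption
# to align with your own stale-device policy.
$sampleCsv = @'
displayName,objectId,deviceOSType,deviceTrustType,accountEnabled,isCompliant,isManaged,approximateLastLogonTimeStamp,profileType,mdmDisplayName
LAPTOP-01,00000000-0000-0000-0000-000000000001,Windows,AzureAd,True,True,True,2023-04-12T08:15:00Z,RegisteredDevice,Microsoft Intune
LAPTOP-02,00000000-0000-0000-0000-000000000002,Windows,ServerAd,True,False,True,2023-04-01T17:40:00Z,RegisteredDevice,Microsoft Intune
PHONE-07,00000000-0000-0000-0000-000000000003,IOS,Workplace,True,,False,2023-03-30T12:00:00Z,RegisteredDevice,
OLD-VM-03,00000000-0000-0000-0000-000000000004,Windows,AzureAd,True,True,True,2022-11-02T09:00:00Z,RegisteredDevice,Microsoft Intune
PRN-LOBBY,00000000-0000-0000-0000-000000000005,Unknown,AzureAd,True,,False,,Printer,
'@

function Get-DeviceTriage {
    param(
        [Parameter(Mandatory)][string]$Csv,
        [int]$StaleAfterDays = 90,
        [datetime]$AsOf = (Get-Date).ToUniversalTime()
    )
    $cutoff = $AsOf.AddDays(-$StaleAfterDays)
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $lastSeen = $null
        if ($row.approximateLastLogonTimeStamp) {
            $lastSeen = [datetime]::Parse($row.approximateLastLogonTimeStamp,
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        }
        $isManaged = $row.isManaged -eq 'True'
        [pscustomobject]@{
            DisplayName  = $row.displayName
            JoinType     = $(switch ($row.deviceTrustType) {
                'AzureAd'   { 'Azure AD joined' }
                'ServerAd'  { 'Hybrid Azure AD joined' }
                'Workplace' { 'Azure AD registered' }
                default     { $row.deviceTrustType }
            })
            # Printers never sign in, so they are excluded from staleness and the unmanaged bucket.
            Stale        = ($row.profileType -ne 'Printer') -and ($null -eq $lastSeen -or $lastSeen -lt $cutoff)
            NonCompliant = $isManaged -and ($row.isCompliant -eq 'False')
            Unmanaged    = (-not $isManaged) -and ($row.profileType -ne 'Printer')
            LastSeenUtc  = $lastSeen
        }
    }
}

function Get-DeviceTriageSummary {
    param([Parameter(Mandatory)][object[]]$Triage)
    [pscustomobject]@{
        Total        = $Triage.Count
        Stale        = @($Triage | Where-Object Stale).Count
        NonCompliant = @($Triage | Where-Object NonCompliant).Count
        Unmanaged    = @($Triage | Where-Object Unmanaged).Count
    }
}

# Fixed "as of" date so the sample rows evaluate the same way every run.
$triage = Get-DeviceTriage -Csv $sampleCsv -AsOf ([datetime]::new(2023, 4, 18, 0, 0, 0, [System.DateTimeKind]::Utc))
Get-DeviceTriageSummary -Triage $triage
$triage | Where-Object Stale | Format-Table DisplayName, JoinType, LastSeenUtc
```

To run it on a real export, replace $sampleCsv with Get-Content -Raw on the downloaded file.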

Configure device settings

If you want to manage device identities by using the Azure portal, the devices need to be either registered or joined to Azure AD. As an administrator, you can control the process of registering and joining devices by configuring the following device settings.


You must be assigned one of the following roles to view or manage device settings in the Azure portal:

  • Global Administrator
  • Cloud Device Administrator
  • Global Reader
  • Directory Reader


  • Users may join devices to Azure AD: This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is All.

    Note

    The Users may join devices to Azure AD setting is applicable only to Azure AD join on Windows 10 or newer. This setting doesn't apply to hybrid Azure AD joined devices, Azure AD joined VMs in Azure, or Azure AD joined devices that use Windows Autopilot self-deployment mode because these methods work in a userless context.

  • Additional local administrators on Azure AD joined devices: This setting allows you to select the users who are granted local administrator rights on a device. These users are added to the Device Administrators role in Azure AD. Global Administrators in Azure AD and device owners are granted local administrator rights by default. This option is a premium edition capability available through products like Azure AD Premium and Enterprise Mobility + Security.

  • Users may register their devices with Azure AD: You need to configure this setting to allow users to register Windows 10 or newer personal, iOS, Android, and macOS devices with Azure AD. If you select None, devices aren't allowed to register with Azure AD. Enrollment with Microsoft Intune or mobile device management for Microsoft 365 requires registration. If you've configured either of these services, ALL is selected, and NONE is unavailable.

  • Require Multi-Factor Authentication to register or join devices with Azure AD:

    • We recommend organizations use the Register or join devices user action in Conditional Access to enforce multifactor authentication. You must configure this toggle to No if you use a Conditional Access policy to require multifactor authentication.
    • This setting allows you to specify whether users are required to provide another authentication factor to join or register their devices to Azure AD. The default is No. We recommend that you require multifactor authentication when a device is registered or joined. Before you enable multifactor authentication for this service, you must ensure that multifactor authentication is configured for users that register their devices. For more information on Azure AD Multi-Factor Authentication services, see getting started with Azure AD Multi-Factor Authentication. This setting may not work with third-party identity providers.

    Note

    The Require Multi-Factor Authentication to register or join devices with Azure AD setting applies to devices that are either Azure AD joined (with some exceptions) or Azure AD registered. This setting doesn't apply to hybrid Azure AD joined devices, Azure AD joined VMs in Azure, or Azure AD joined devices that use Windows Autopilot self-deployment mode.


  • Maximum number of devices: This setting enables you to select the maximum number of Azure AD joined or Azure AD registered devices that a user can have in Azure AD. If users reach this limit, they can't add more devices until one or more of the existing devices are removed. The default value is 50. You can increase the value up to 100. If you enter a value above 100, Azure AD will set it to 100. You can also use Unlimited to enforce no limit other than existing quota limits.

    Note

    The Maximum number of devices setting applies to devices that are either Azure AD joined or Azure AD registered. This setting doesn't apply to hybrid Azure AD joined devices.

  • Enterprise State Roaming: For information about this setting, see the overview article.

Audit logs

Device activities are visible in the activity logs. These logs include activities triggered by the device registration service and by users:

  • Device creation and adding owners/users on the device
  • Changes to device settings
  • Device operations like deleting or updating a device

The entry point to the auditing data is Audit logs in the Activity section of the Devices page.

The audit log has a default list view that shows:

  • The date and time of the occurrence.
  • The targets.
  • The initiator/actor of an activity.
  • The activity.


You can customize the list view by selecting Columns in the toolbar:


To reduce the reported data to a level that works for you, you can filter it by using these fields:


  • Category
  • Activity Resource Type
  • Activity
  • Date Range
  • Target
  • Initiated By (Actor)

You can also search for specific entries.
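The same Category and Date Range filters can be applied from PowerShell to watch the KeyManagement events that Show Recovery Key generates (see the BitLocker section above) and to spot an account reading an unusual number of keys. This is an added example, not code from the Microsoft article; it assumes the Microsoft Graph PowerShell SDK, the AuditLog.Read.All scope, and the threshold, window and function names used here.

```powershell
# Added example (not from the Microsoft article): pull the KeyManagement audit
# events the portal's "Show Recovery Key" action writes and flag actors that
# read keys for many distinct devices. Assumes the Microsoft.Graph module; the
# scope, window and threshold are assumptions.
Connect-MgGraph -Scopes "AuditLog.Read.All"

function Get-BitLockerKeyReadEvents {
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Same filter the portal builds from Category + Date Range.
    Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'KeyManagement' and activityDateTime ge $since" |
        ForEach-Object {
            [pscustomobject]@{
                When     = $_.ActivityDateTime
                Activity = $_.ActivityDisplayName
                Result   = $_.Result
                # Portal actions are user-initiated; automation shows up under InitiatedBy.App.
                Actor    = if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName } else { $_.InitiatedBy.App.DisplayName }
                Target   = ($_.TargetResources | ForEach-Object DisplayName) -join ';'
            }
        }
}

function Find-BitLockerKeyReadOutliers {
    param([Parameter(Mandatory)][object[]]$Events, [int]$MaxDevicesPerActor = 3)
    # Helpdesk recoveries touch one drive at a time; one actor reading keys for
    # many distinct devices in a short window deserves a second look.
    $Events | Where-Object { $_.Result -eq 'success' } |
        Group-Object Actor |
        ForEach-Object {
            $devices = @($_.Group.Target | Sort-Object -Unique)
            if ($devices.Count -gt $MaxDevicesPerActor) {
                [pscustomobject]@{
                    Actor           = $_.Name
                    DistinctDevices = $devices.Count
                    Devices         = $devices -join ', '
                }
            }
        }
}

$events = Get-BitLockerKeyReadEvents -Days 7
$events | Format-Table When, Actor, Activity, Result, Target
Find-BitLockerKeyReadOutliers -Events $events
```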


Next steps

  • How to manage stale devices in Azure AD
  • Troubleshoot pending device state

FAQs

Which feature in Azure AD allows you to restrict access to devices and applications based on predefined rules?

Conditional access is the tool used by Azure AD to bring together signals, make decisions, and enforce organizational policies.

What are the two options to get a device under control of Azure AD?

There are three ways to get a device identity:
  • Azure AD registration.
  • Azure AD join.
  • Hybrid Azure AD join.

Which of the following devices can you join to Azure AD?

You can configure Azure AD join for all Windows 11 and Windows 10 devices except for Home editions.

Which Azure AD feature can you use to provide just in time access to manage Azure resources?

Here are some of the key features of Privileged Identity Management: Provide just-in-time privileged access to Azure AD and Azure resources.

Which option enables user authentication directly in Azure Active Directory (Azure AD) without the involvement of on-premises components?

With cloud authentication, you can choose from two options: Azure AD password hash synchronization. The simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any additional infrastructure.

How do I allow users to add devices to my Azure AD?

In the Azure Active Directory pane, click Devices. In the Devices pane, click Device settings. Select Selected or None instead of All for the Users may join devices to Azure AD option.

What are the two types of authentication Microsoft Azure Active Directory uses?

How each authentication method works

  Method                                       Primary authentication   Secondary authentication
  Microsoft Authenticator app                  Yes                      MFA and SSPR
  FIDO2 security key                           Yes                      MFA
  Certificate-based authentication (preview)   Yes                      No
  OATH hardware tokens (preview)               No                       MFA and SSPR

What are the two basic user types in Azure AD?

Guest account - A guest account can only be a Microsoft account or an Azure AD user that can be used to share administration responsibilities such as managing a tenant. Consumer account - A consumer account is used by a user of the applications you've registered with Azure AD B2C.

How many devices can a user register in Azure AD?

The Azure Maximum number of devices per user setting is set to 20.

How many devices can a user have in Azure?

The default value of the Maximum number of devices setting is 50. But the recommended value as per the Microsoft portal is 20! You can increase the value up to 100. If you enter a value above 100, Azure AD will set it to 100.

What is an Azure Active Directory device?

The goal of Azure AD registered - also known as Workplace joined - devices is to provide your users with support for bring your own device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organization's resources using a personal device.

How are devices registered in Azure AD?

The most common way Azure AD joined devices register is during the out-of-box-experience (OOBE) where it loads the Azure AD join web application in the Cloud Experience Host (CXH) application. The application sends a GET request to the Azure AD OpenID configuration endpoint to discover authorization endpoints.

How do I enable devices on Azure AD?

If the device was disabled in Azure, the administrator will need to re-enable the device. The admin can go to Azure Active Directory > Devices > select the checkmark next to the device > Enable in the Azure portal. If the device is deleted in Azure AD, you need to re-register the device.

How do I add a device to Azure Active Directory?

Open Settings, and then select Accounts. Select Access work or school, and then select Connect. On the Set up a work or school account screen, select Join this device to Azure Active Directory.

How do I enable devices in Azure Active Directory?

Select Azure Active Directory from the portal menu. Select Users from the menu on the upcoming page. Select Devices. Select the disabled devices and click the Enable button in the ribbon.

Article information

Author: Merrill Bechtelar CPA

Last Updated: 04/18/2023
