🔍 Why Day-7 Matters (Admin Reality)
Most M365 issues reported as:
- “User cannot login”
- “MFA not working”
- “Access denied after password reset”
👉 Root cause is often device state (disabled, stale, wrong join type, non-compliant), not the user account.
Before Intune, every M365 admin must understand device identity in Entra ID.
🎯 Day-7 Objectives
By end of Day-7, you will be able to:
- Understand device join types
- Identify managed vs unmanaged devices
- Perform real admin tasks on devices
- Troubleshoot device-based access issues
- Prepare for Intune onboarding (Day-8)
🧠 Core Concepts (Very Important)
1️⃣ What is Device Identity in Microsoft 365?
In Microsoft 365:
- Devices are objects in Entra ID
- Each device has:
- Join type
- Owner
- Compliance state
- Last sign-in time
📌 Users authenticate → Conditional Access evaluates the device (join type, compliance) → access is allowed or blocked
2️⃣ Types of Devices in Entra ID (Must Know)
📌 Naming: the Entra admin center now labels these "Microsoft Entra registered / joined / hybrid joined". Same concepts, same three join types.
🔹 Azure AD Registered
- BYOD (personal laptops, mobiles) with a work account added
- Lower trust: the device has an identity in Entra ID, but the org does not own the OS
- Limited control over the device itself
📍 Common in:
- Work from home
- Contractors
🔹 Azure AD Joined
- Corporate-owned devices
- User signs in to Windows with the work account; no on-prem AD dependency
- Cloud-managed (the join creates the identity; Intune does the actual management)
- Best for modern workplaces
📍 Used with:
- Windows 10/11
- Intune (later)
🔹 Hybrid Azure AD Joined
- Domain-joined to on-prem AD and synced to Entra ID by Entra Connect
- Traditional enterprises
- Gradual cloud migration
📍 Used when:
- AD DS still exists
- GPO + M365 both required
🧪 Hands-On: Device Management Steps
3️⃣ View All Devices in Microsoft 365
Steps:
- Login to Microsoft Entra Admin Center
- Go to Devices
- Click All devices
You can now see:
- Device name
- Join type
- OS
- Owner
- Last activity
📌 Admin Tip:
Unused devices = security risk. Inventory first, then clean up (step 5 and step 6 below).
4️⃣ Check Device Join Type
Steps:
- Open any device from list
- Check Join Type
- Registered
- Azure AD Joined
- Hybrid Azure AD Joined
📌 Interview Tip:
A sign-in that passes MFA and then fails is usually a Conditional Access device condition (require compliant or hybrid-joined device) that this device's join type or compliance state does not satisfy.
5️⃣ Identify Stale / Inactive Devices
Steps:
- Devices → All devices
- Sort by Last activity
- Identify devices inactive for:
- 30 / 60 / 90 days
📌 Why this matters:
- A stale device that is still enabled can keep signing in and reading email
- Compliance risk (unknown owner, unknown patch state)
- Audit failures
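Steps 3 to 5 as one script, added here as an example and not part of the original Day-7 notes: it pulls the same columns the All devices blade shows, maps the Graph trustType value to the portal's join-type labels, and flags anything not seen for 90 days. It assumes the Microsoft.Graph PowerShell module is installed, that your account can read devices, and that 90 days is your threshold (all assumptions).

```powershell
# Added example (not from the Day-7 notes): build the "All devices" view from
# Microsoft Graph PowerShell and flag stale objects.
# Assumptions: Microsoft.Graph module installed, the signed-in admin can read
# devices, and 90 days is your staleness threshold.
Connect-MgGraph -Scopes "Device.Read.All"

# Graph exposes the join type as trustType; map it to the portal's labels.
$joinTypeNames = @{
    'AzureAd'   = 'Azure AD joined'
    'ServerAd'  = 'Hybrid Azure AD joined'
    'Workplace' = 'Azure AD registered'
}

$staleAfterDays = 90
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$props = 'Id','DeviceId','DisplayName','OperatingSystem','OperatingSystemVersion',
         'TrustType','IsManaged','IsCompliant','AccountEnabled','ApproximateLastSignInDateTime'
$devices = Get-MgDevice -All -Property $props

$report = foreach ($d in $devices) {
    $lastSeen = $d.ApproximateLastSignInDateTime
    # registeredOwners is a separate relationship, so this costs one extra call per device.
    $owners = (Get-MgDeviceRegisteredOwner -DeviceId $d.Id).AdditionalProperties.userPrincipalName
    [pscustomobject]@{
        DisplayName = $d.DisplayName
        JoinType    = if ($d.TrustType) { $joinTypeNames[$d.TrustType] } else { 'Unknown' }
        OS          = "$($d.OperatingSystem) $($d.OperatingSystemVersion)"
        Owner       = ($owners -join ', ')
        Managed     = $d.IsManaged
        Compliant   = $d.IsCompliant
        Enabled     = $d.AccountEnabled
        LastSignIn  = $lastSeen
        # No timestamp means the device never signed in since registration: treat it as stale too.
        Stale       = (-not $lastSeen) -or ($lastSeen -lt $cutoff)
        ObjectId    = $d.Id
    }
}

$report | Sort-Object LastSignIn |
    Format-Table DisplayName, JoinType, OS, Owner, Enabled, LastSignIn, Stale -AutoSize

# Hand the stale list to the next step (disable, then delete) instead of deleting from here.
$report | Where-Object Stale | Export-Csv -Path .\stale-devices.csv -NoTypeInformation
```

The CSV is the input for step 6: review it with the device owners before disabling anything, because a device with no sign-in timestamp may simply be a freshly imaged machine.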
6️⃣ Disable or Delete a Device (Real Admin Task)
🔒 Disable Device (Recommended first)
Steps:
- Select device
- Click Disable
- Confirm
Result:
- Device cannot authenticate to Entra ID (reversible: Enable puts it back)
- User access blocked from that device
⚠ Caveat: tokens the device already holds stay valid until they expire. For a lost or stolen device, also revoke the user's sign-in sessions.
❌ Delete Device (Careful)
Steps:
- Select device
- Click Delete
⚠ Use only when:
- Device is decommissioned
- User has left organization
⚠ Irreversible: BitLocker recovery keys stored on the device object are deleted with it, and a Hybrid Azure AD Joined device is recreated by Entra Connect unless the on-prem AD computer object is removed first.
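The disable-then-delete task from step 6 in Graph PowerShell, added as an example (not from the original notes). It assumes the Microsoft.Graph module, a hypothetical device name `LAPTOP-FIN-07`, and that your role grants the scope used; it refuses to act unless the name resolves to exactly one object, revokes the owner's sessions after disabling, and leaves delete behind a flag you flip only after the decommissioning checks.

```powershell
# Added example (not from the Day-7 notes): disable first, delete only once the
# device is really decommissioned. Assumptions: Microsoft.Graph module, a
# hypothetical device name, and a role that grants the scope below.
Connect-MgGraph -Scopes "Directory.AccessAsUser.All"

$deviceName = 'LAPTOP-FIN-07'   # hypothetical device, replace with the real name
$found = @(Get-MgDevice -Filter "displayName eq '$deviceName'")
if ($found.Count -ne 1) {
    throw "Expected exactly one device named '$deviceName', found $($found.Count). Pick it by Id instead."
}
$device = $found[0]

# Step 1: disable. Reversible, and the device can no longer authenticate to Entra ID.
Update-MgDevice -DeviceId $device.Id -AccountEnabled:$false

# Disable does not invalidate tokens the device already holds. For a lost or
# stolen device also revoke the owner's refresh tokens so cached sessions stop renewing.
foreach ($owner in Get-MgDeviceRegisteredOwner -DeviceId $device.Id) {
    Revoke-MgUserSignInSession -UserId $owner.Id | Out-Null
}

# Verify the state change before going further.
Get-MgDevice -DeviceId $device.Id -Property DisplayName,AccountEnabled,TrustType |
    Select-Object DisplayName, AccountEnabled, TrustType

# Step 2: delete, only when the hardware is retired or the user has left.
# Irreversible: BitLocker recovery keys stored on the device object go with it,
# and a hybrid-joined device (TrustType 'ServerAd') comes back via Entra Connect
# unless the on-prem AD computer object is removed first.
$decommissioned = $false   # flip to $true after those checks are done
if ($decommissioned) {
    Remove-MgDevice -DeviceId $device.Id
}
```

Both `Update-MgDevice` and `Remove-MgDevice` accept `-WhatIf`, which is the safe way to dry-run this against the stale-device CSV from step 5 before touching anything.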
7️⃣ Device Ownership & User Mapping
Each device shows:
- Owner
- Registered user
📌 Admin Reality:
One user can have:
- Laptop
- Mobile
- Tablet
All separate device objects
8️⃣ Common Admin Scenarios (Real Life)
Scenario 1:
User password reset done, still login fails
✔ Check:
- Device disabled?
- Device stale?
- Conditional Access requiring a join type or compliance state this device does not have?
Scenario 2:
MFA works on mobile but not laptop
✔ Check:
- Laptop = Registered only, so a "require compliant device" policy blocks it right after MFA
- Mobile = Intune-enrolled and Compliant, so the same policy lets it through
Scenario 3:
Ex-employee still accessing emails
✔ Check:
- Account blocked and sign-in sessions revoked? (a cached token keeps working until it expires)
- Device objects still enabled?
- Shared mailbox or delegate access not removed?
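Scenario 3 as a leaver script, added here as an example and not part of the original notes. It does the steps in the order that actually stops access: block the account, revoke refresh tokens, then disable every device object registered to the user. It assumes the Microsoft.Graph module, a hypothetical UPN `jdoe@contoso.example`, and a role that grants the scopes used; the mailbox check at the end is an Exchange Online PowerShell command shown only as a pointer.

```powershell
# Added example (not from the Day-7 notes): leaver offboarding in the order
# that stops access. Assumptions: Microsoft.Graph module, a hypothetical UPN,
# and a role that grants the scopes below.
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.AccessAsUser.All"

$upn = 'jdoe@contoso.example'   # hypothetical leaver
$user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled

# 1. Block sign-in on the account itself.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens: a disabled account with a live cached session can
#    otherwise keep reading mail until the access token expires.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Disable every device object registered to the user (laptop, phone and
#    tablet are separate objects). Delete later, once the hardware is recovered.
$devices = Get-MgUserRegisteredDevice -UserId $user.Id -All
foreach ($d in $devices) {
    Update-MgDevice -DeviceId $d.Id -AccountEnabled:$false
    Write-Output "Disabled device $($d.AdditionalProperties['displayName']) ($($d.Id))"
}

# 4. Mail is the usual leak path. In Exchange Online PowerShell, list the
#    shared-mailbox permissions the user still holds, for example:
#    Get-MailboxPermission -Identity finance-shared | Where-Object User -like "*$upn*"
```

Run steps 1 and 2 together: blocking the account alone leaves any device with a valid refresh token able to keep renewing access until that token is revoked or expires.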
9️⃣ Security Best Practices (Admin Checklist)
✔ Remove unused devices monthly (disable first, delete after review)
✔ For leavers: block sign-in and revoke sessions, and disable their devices before deleting the user
✔ Monitor join types and compliance state
✔ Prepare for Intune enrollment
✔ Document device lifecycle
🎯 End of Day-7 Outcome
After Day-7, you can confidently:
✅ Explain device join types
✅ Troubleshoot device login issues
✅ Manage device access
✅ Secure tenant before Intune
✅ Answer interview questions confidently
🔜 Day-8 Preview (Next Day Plan)
Tomorrow, we move into Intune foundations:
🔹 What is Microsoft Intune
🔹 MDM vs MAM
🔹 Device enrollment methods
🔹 Why Intune ≠ SCCM
🔹 Real admin use cases
🧠 Interview Questions You Can Now Answer
- What is Azure AD joined vs registered?
- Why does device identity matter?
- How do you block access from a lost device?
- What causes login issues after MFA?
