When unjoining and rejoining Microsoft Entra hybrid devices, it’s crucial to first unenroll from mobile device management (MDM). Failing to do so can lead to misalignment of device properties, removal of policies, and potential problems accessing corporate resources. To ensure a seamless experience, always follow the best practice of unenrolling before rejoining.
Important Support Tip for Microsoft Entra Hybrid Devices
In the ever-evolving landscape of cloud technology, managing hybrid devices efficiently is crucial. Recently, a significant support tip emerged regarding Microsoft Entra hybrid devices. This advice can enhance device management and user experience.
What’s New?
Microsoft has identified a critical issue affecting hybrid devices during the unjoin and rejoin process. Specifically, this problem arises when devices are not unenrolled from mobile device management (MDM) before being rejoined. This oversight can lead to misalignment of essential device properties.
“Failing to properly manage the unjoin-rejoin process can result in device targeting issues where policies and configurations don’t apply correctly.”
Major Updates and Impacts
When hybrid devices are rejoined without prior unenrollment from MDM, Microsoft Entra generates a new device object. This new object comes with a new object ID while retaining the original device ID. Consequently, this can create significant management challenges.
- Policy Removal: Policies assigned to static groups will be removed, disrupting device functionality.
- Dynamic Group Delays: Policies from dynamic groups may take up to two weeks to reapply, causing potential downtime.
- Conditional Access Issues: Newly created device objects are treated as non-compliant, blocking access to corporate resources.
“Newly created Microsoft Entra device objects are treated as non-compliant by default, meaning users may be blocked from accessing corporate resources.”
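The check below is an added example, not code from the original article or from Microsoft. It assumes you kept a snapshot of device objects and static group membership from before the rejoin, and it flags devices whose device ID persisted under a new object ID, along with the static groups that no longer contain them. Field names follow the Microsoft Graph `device` resource (`id`, `deviceId`, `isCompliant`); the function names, group names and all ID values are hypothetical.

```python
# Constructed sample data. Field names (id, deviceId, isCompliant) follow the
# Microsoft Graph `device` resource; every ID value here is made up.
BASELINE_DEVICES = [
    {"id": "obj-0001", "deviceId": "dev-aaaa", "displayName": "LAPTOP-01"},
    {"id": "obj-0002", "deviceId": "dev-bbbb", "displayName": "LAPTOP-02"},
    {"id": "obj-0003", "deviceId": "dev-cccc", "displayName": "LAPTOP-03"},
]
CURRENT_DEVICES = [  # LAPTOP-03 is absent: removed, not rejoined
    {"id": "obj-0001", "deviceId": "dev-aaaa", "displayName": "LAPTOP-01", "isCompliant": True},
    {"id": "obj-0999", "deviceId": "dev-bbbb", "displayName": "LAPTOP-02", "isCompliant": False},
]
# Static group membership is recorded by object ID, not device ID.
BASELINE_GROUPS = {"VPN-Policy": ["obj-0001", "obj-0002"], "Kiosk-Apps": ["obj-0002", "obj-0003"]}
CURRENT_GROUPS = {"VPN-Policy": ["obj-0001"], "Kiosk-Apps": []}

def find_recreated(baseline, current):
    """Return devices whose deviceId persists but whose object ID changed."""
    by_device_id = {d["deviceId"]: d for d in current}
    out = []
    for old in baseline:
        new = by_device_id.get(old["deviceId"])
        if new and new["id"] != old["id"]:
            out.append({"displayName": new["displayName"], "deviceId": old["deviceId"],
                        "oldId": old["id"], "newId": new["id"],
                        "isCompliant": new.get("isCompliant")})
    return out

def missing_memberships(recreated, baseline_groups, current_groups):
    """Map each new object ID to the static groups that held the old object only."""
    report = {}
    for dev in recreated:
        lost = sorted(g for g, members in baseline_groups.items()
                      if dev["oldId"] in members
                      and dev["newId"] not in current_groups.get(g, []))
        if lost:
            report[dev["newId"]] = lost
    return report

if __name__ == "__main__":
    recreated = find_recreated(BASELINE_DEVICES, CURRENT_DEVICES)
    for dev in recreated:
        print(dev)
    print(missing_memberships(recreated, BASELINE_GROUPS, CURRENT_GROUPS))
```

Devices reported with `isCompliant` set to `False` are the ones Conditional Access will block until compliance is re-evaluated for the new object.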
Best Practices to Follow
To mitigate these issues, it is advisable to avoid the unjoin and rejoin process altogether. However, if it is necessary, ensure that you unenroll hybrid devices from MDM before proceeding. This practice preserves the integrity of device policies, applications, and settings.
By following this guidance, IT administrators can maintain a smoother re-enrollment process. Ultimately, this will lead to a more stable and reliable user experience.
Conclusion
In conclusion, managing Microsoft Entra hybrid devices requires careful attention to detail. Always remember to unenroll from MDM before unjoining and rejoining devices. This simple step can save time and prevent complications down the road.
From the Intune Customer Success articles