ASD's Blueprint for Secure Cloud

Device Management

This section describes the design decisions associated with device identities for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 3 minutes

A device identity is an object within Microsoft Entra ID. This device object is similar to users, groups or applications. The device identity gives administrators information for use when making access or configuration decisions. Registering and joining devices to Entra ID gives users seamless sign-on to cloud-based resources.

There are three ways to get a device identity:

  • Entra ID registration.
  • Entra ID join.
  • Hybrid Entra ID join.

Device identities are a prerequisite for scenarios such as device-based Conditional Access policies and Mobile Device Management with Microsoft Intune.

Devices can be:

  • Deleted - Prevents a device from accessing Entra ID resources. Removes all details that are attached to the device, for example, BitLocker keys for Windows devices.
  • Disabled - Prevents a device from successfully authenticating with Entra ID, thereby preventing the device from accessing Entra ID resources that are protected by device-based Conditional Access or using Windows Hello for Business credentials.

Devices can also have their BitLocker keys viewed or copied.

The process of registering and joining devices can be controlled by configuring the following device settings:

  • Users may join devices to Entra ID - This setting enables organisations to select the users who can register their devices as Entra ID joined devices.
  • Users may register their devices with Entra ID - This setting may need to be configured to enable Windows personal, iOS, Android, and macOS devices to be registered with Entra ID.
    • Devices to be Entra ID joined or Entra ID registered require Multi-Factor Authentication (MFA). This should be set to No if using Conditional Access policy to require MFA.
  • Maximum number of devices - This setting enables organisations to select the maximum number of Entra ID joined or Entra ID registered devices that a user can have in Entra ID.

A stale device is a device that has been registered with Entra ID, but has not been used to access any cloud apps for a specific time-frame. This can be used to identify inactive devices and retire them using Endpoint Manager, before disablement and deletion. Deleting an Entra ID device does not remove registration on the client. It will only prevent access to resources using the device as an identity (e.g. Conditional Access).

With Windows 10 and 11, Entra ID users gain the ability to securely synchronise their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device.

Security & Governance

  • None identified



  • None identified


Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra