Entra ID Enrollment (Azure AD Join)
How to enroll your Mac or Windows device with Microsoft Entra ID for work or school
Microsoft Entra ID (formerly Azure Active Directory) is how many organizations manage identity and device access. When you "join" or "register" your device with Entra ID, your organization can verify your device meets security requirements and give you access to work apps, email, and internal resources. The process differs between Mac and Windows.
On Mac, Entra ID enrollment typically happens through the Company Portal app or automatically during initial device setup if your Mac was pre-configured by IT.
Enrolling through Company Portal:
- Download and install Company Portal from the App Store or from your organization's Self Service app
- Open Company Portal and sign in with your work or school account
- Follow the setup prompts – Company Portal will walk you through allowing device management
- When macOS asks you to install a Management Profile, click Allow and enter your Mac password
- Complete any additional steps like enabling FileVault encryption if prompted
- Once enrollment finishes, Company Portal shows your device as compliant (or tells you what still needs fixing)
If your Mac was set up through Apple Business Manager (IT-configured):
- During the initial macOS setup, you'll see a Remote Management screen
- Follow the prompts to sign in with your work credentials
- The MDM profile installs automatically
- After reaching the desktop, open Company Portal if prompted and complete sign-in to register with Entra ID
To verify enrollment:
- Open System Settings > General > Device Management to see your management profile
- Open Company Portal and check that your device shows as compliant
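The same checks can be run from Terminal. This is an added example, not part of the original guide: it reads the output of the macOS `profiles` and `fdesetup` tools to confirm the management profile and FileVault state. The function names and sample text are constructed for illustration, and it checks MDM enrollment and encryption only; compliance as Entra ID sees it is still shown in Company Portal.

```shell
#!/bin/sh
# Added example: terminal check of MDM enrollment and FileVault state on macOS.

# Constructed sample text in the shape printed by `profiles status -type enrollment`.
SAMPLE_ENROLLED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/checkin'
SAMPLE_UNENROLLED='Enrolled via DEP: No
MDM enrollment: No'

# mdm_state TEXT -> prints "approved", "unapproved" or "none"
mdm_state() {
  line=$(printf '%s\n' "$1" | grep -i '^MDM enrollment:' || true)
  case "$line" in
    *"Yes (User Approved)"*) echo approved ;;
    *Yes*) echo unapproved ;;
    *) echo none ;;
  esac
}

# filevault_state TEXT -> prints "on", "off" or "unknown" from `fdesetup status` output
filevault_state() {
  case "$1" in
    *"FileVault is On"*) echo on ;;
    *"FileVault is Off"*) echo off ;;
    *) echo unknown ;;
  esac
}

# report MDM_TEXT FV_TEXT -> prints findings; returns 0 only if both checks pass
report() {
  rc=0
  m=$(mdm_state "$1"); f=$(filevault_state "$2")
  [ "$m" = approved ] || { echo "MDM enrollment: $m (expected approved)"; rc=1; }
  [ "$f" = on ] || { echo "FileVault: $f (expected on)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "Enrolled and encrypted"
  return "$rc"
}

# On a Mac, check the live tools; elsewhere fall back to the constructed sample.
if command -v profiles >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
  report "$(profiles status -type enrollment 2>&1)" "$(fdesetup status 2>&1)" || true
else
  report "$SAMPLE_ENROLLED" "FileVault is On." || true
fi
```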
What gets synced to your organization:
- Device name, model, serial number, and OS version
- Encryption status (FileVault on/off)
- Compliance state (whether your Mac meets IT's security requirements)
- List of managed apps installed through Company Portal
Your organization does not get access to your personal files, browsing history, personal email, or messages.
Frequently Asked Questions
What's the difference between "Azure AD" and "Entra ID"?
They're the same thing. Microsoft renamed Azure Active Directory to Microsoft Entra ID in 2023. You'll still see "Azure AD" in some older documentation, settings screens, and IT conversations, but functionally nothing changed.
Will enrolling my device give IT access to my personal files?
No. Entra ID enrollment and Intune device management report device health and compliance information (OS version, encryption status, installed managed apps). They do not give your organization access to personal files, photos, browsing history, or personal email.
Can I remove the Entra ID enrollment later?
Yes. On Windows, go to Settings > Accounts > Access work or school, click your work connection, and select Disconnect. On Mac, open System Settings > General > Device Management and remove the management profile. Be aware that disconnecting will remove access to work apps, email, and resources.
What if enrollment fails or my device shows as "not compliant"?
Check that your OS is up to date, encryption is enabled (FileVault on Mac, BitLocker on Windows), and you have a passcode set. These are the most common compliance requirements. If everything looks correct and it still fails, contact IT – there may be a conditional access policy or MFA issue on their end.
Do I need to be on the company network to enroll?
No. Enrollment works over any internet connection. You'll need to reach Microsoft's login servers and your organization's MDM endpoint, which are accessible from any network. After enrollment, some resources may require VPN or company network access, but the enrollment itself works anywhere.