Question
Are there any notes regarding the operation when using Access Control in conjunction with Microsoft Entra Join?
Answer
When using Access Control in conjunction with Microsoft Entra Join, there are several points to note regarding authentication.
Please see the Description section below for details.
Notes
- The specifications of Access Control in this article are based on the product content as of December 2025 and may change without notice thereafter.
- This article is based on the content verified by our company according to the specifications of Microsoft Entra Join as of January 2025, and does not guarantee reliable operation.
We strongly recommend conducting operational checks in advance when using it in conjunction with Microsoft Entra Join.
We cannot be held responsible if it does not operate as expected.
Description
What is Microsoft Entra Join?
Microsoft Entra Join (formerly Azure AD Join) is the process of directly joining devices such as Windows 10 / 11 to Microsoft Entra ID (formerly Azure Active Directory).
Traditionally, Windows devices were joined to an Active Directory (AD) domain, but as cloud services become more widely used, it is increasingly common to join devices directly to Microsoft Entra ID, the cloud-based identity management service, instead.
Reference: What is a Microsoft Entra joined device?
What happens when performing Microsoft Entra Join while federated with Access Control in Microsoft 365?
The Access Control authentication screen is not displayed during Windows sign-in, but authentication is still performed through Access Control.
During Windows sign-in, the Access Control user information (UPN and password) is used.
※ In actual operation, additional settings are required in Access Control. Please refer to this article for details.
If the Access Control password is changed, will the Windows sign-in password also change?
It will change.
However, Windows has a cached logon feature. We have confirmed that once a Windows sign-in has succeeded, sign-in with the old password still works even after the password has been changed in Access Control.
(We have also confirmed that once a sign-in with the new password has succeeded, sign-in with the old password is no longer possible.)
Reference: FAQ on Microsoft Entra device management
Is direct login possible to Microsoft 365 web apps, Microsoft Teams, and Microsoft Office client applications when using Microsoft Entra Join with Microsoft Edge or Google Chrome with extensions?
Yes, it is possible.
When using Microsoft Edge or Google Chrome with extensions, direct login to Microsoft 365 web apps, Microsoft Teams, and Microsoft Office client applications works without going through Access Control authentication.
This behavior depends on the technical specifications of Microsoft Entra Join, so please contact Microsoft for details.
What happens if a PIN is set on a Windows device?
If a PIN is set, Access Control user information and authentication are not used during Windows sign-in.
If Access Control user information and authentication are used during Windows sign-in, will logs remain in the Access Control access log?
Legacy authentication (WS-Trust) is used during Windows sign-in.
Logs of legacy authentication (WS-Trust) can be viewed in the Access Control Administration for sign-ins after December 1, 2025.
To check sign-ins before that date, or to see further details, check the sign-in logs in the Microsoft Entra Admin Center.
Reference: How to plan the implementation of Microsoft Entra Join (external link)
Is it possible to configure authentication using HENNGE Device Certificate during Windows sign-in?
Legacy authentication (WS-Trust) is used during Windows sign-in, but device certificates cannot be used with legacy authentication (WS-Trust).
Is it possible to configure authentication using device certificates for services other than those of Microsoft?
Configuration is possible if the service can read Access Control's device certificates.
However, note that a device certificate is required for each Windows profile.
When performing Microsoft Entra Join, you first sign in to Windows with a local user.
Access Control authentication is then required during Microsoft Entra Join, and after the device has joined Microsoft Entra, a new profile is created, so two device certificates per user are required, as follows.
・One device certificate for the local user
・One device certificate for the Microsoft Entra user after signing in to Windows
To avoid this, do not include the condition requiring a device certificate in the access policy template while performing Microsoft Entra Join, and add it after the device has joined Microsoft Entra.
Is additional configuration required to use Access Control in conjunction with Microsoft Entra Join?
When using Access Control in conjunction with Microsoft Entra Join, the following settings are additionally required in Access Control.
1. Create a new access policy template with the condition [uastr:"%Windows-AzureAD-Authentication-Provider%"].
2. Open the access policy group to which the users utilizing Microsoft Entra Join belong, select [Allow when] under [Condition to allow legacy authentication], choose the access policy template with the condition [uastr:"%Windows-AzureAD-Authentication-Provider%"] created in step 1, and save.
※ [Windows-AzureAD-Authentication-Provider/1.0] is the user agent sent when license authentication is performed via Microsoft Entra Join.
The user agent string may change without prior notice due to future updates from Microsoft.
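The following is an added example that models the policy logic described in the two sections above (the legacy authentication [Allow when] template keyed on the uastr condition, and the device-certificate condition that is left out during Microsoft Entra Join and added afterwards). It is not HENNGE's code and does not use any Access Control API; the Request, PolicyTemplate and PolicyGroup classes, the join_phase_group and post_join_group helpers, and the sample requests are all constructed for illustration. It assumes that "%" in a uastr condition is a wildcard matching any run of characters and that everything else in the pattern is matched literally.

```python
import re
from dataclasses import dataclass
from typing import Optional

# User agent the article names for Windows sign-in via Microsoft Entra Join
WINDOWS_ENTRA_UA = "Windows-AzureAD-Authentication-Provider/1.0"


@dataclass(frozen=True)
class Request:
    """Constructed view of one authentication attempt as a policy engine would see it."""
    user_agent: str
    legacy_auth: bool            # True for legacy (WS-Trust style) authentication
    has_device_certificate: bool


@dataclass(frozen=True)
class PolicyTemplate:
    """Hypothetical model of an access policy template: every condition that is set must hold."""
    name: str
    uastr: Optional[str] = None          # wildcard pattern such as "%Windows-AzureAD-Authentication-Provider%"
    require_device_certificate: bool = False


@dataclass(frozen=True)
class PolicyGroup:
    """Hypothetical model of an access policy group."""
    templates: tuple                                    # evaluated for ordinary (non-legacy) authentication
    legacy_allow_when: Optional[PolicyTemplate] = None  # [Allow when] under [Condition to allow legacy authentication]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Assumption: '%' matches any run of characters (SQL LIKE style); all other
    characters are matched literally, so '.' and '/' in a UA cannot act as metacharacters."""
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.compile("^" + ".*".join(parts) + "$")


def template_matches(template: PolicyTemplate, req: Request) -> bool:
    """A template matches only when every condition it carries is satisfied."""
    if template.uastr is not None and not wildcard_to_regex(template.uastr).match(req.user_agent):
        return False
    if template.require_device_certificate and not req.has_device_certificate:
        return False
    return True


def evaluate(group: PolicyGroup, req: Request) -> str:
    """Return 'allow' or 'deny'. Legacy authentication is denied unless the group has a
    legacy [Allow when] template and that template matches; other requests go through
    the group's ordinary templates."""
    if req.legacy_auth:
        if group.legacy_allow_when is None:
            return "deny"
        return "allow" if template_matches(group.legacy_allow_when, req) else "deny"
    return "allow" if any(template_matches(t, req) for t in group.templates) else "deny"


# Step 1 of the article: a template whose only condition is the Entra Join user agent.
ENTRA_JOIN_LEGACY = PolicyTemplate(name="entra-join-legacy",
                                   uastr="%Windows-AzureAD-Authentication-Provider%")


def join_phase_group() -> PolicyGroup:
    """Group used while devices are being joined: no device-certificate condition,
    legacy authentication allowed only for the Windows Entra provider user agent."""
    return PolicyGroup(templates=(PolicyTemplate(name="any-client"),),
                       legacy_allow_when=ENTRA_JOIN_LEGACY)


def post_join_group() -> PolicyGroup:
    """Group used after joining: ordinary sign-ins must present a device certificate.
    The legacy template stays certificate-free because WS-Trust cannot carry one."""
    return PolicyGroup(templates=(PolicyTemplate(name="cert-required", require_device_certificate=True),),
                       legacy_allow_when=ENTRA_JOIN_LEGACY)


# Constructed sample requests
WINDOWS_SIGNIN = Request(WINDOWS_ENTRA_UA, legacy_auth=True, has_device_certificate=False)
OTHER_LEGACY = Request("ExampleMailClient/7.0", legacy_auth=True, has_device_certificate=False)
BROWSER_WITH_CERT = Request("Mozilla/5.0 (Windows NT 10.0) ExampleBrowser", legacy_auth=False, has_device_certificate=True)
BROWSER_NO_CERT = Request("Mozilla/5.0 (Windows NT 10.0) ExampleBrowser", legacy_auth=False, has_device_certificate=False)


def run_scenarios() -> dict:
    """Evaluate each constructed request against both groups; keys are 'phase/request'."""
    results = {}
    for phase, group in (("join", join_phase_group()), ("post", post_join_group())):
        for name, req in (("windows_signin", WINDOWS_SIGNIN), ("other_legacy", OTHER_LEGACY),
                          ("browser_cert", BROWSER_WITH_CERT), ("browser_nocert", BROWSER_NO_CERT)):
            results[f"{phase}/{name}"] = evaluate(group, req)
    return results


if __name__ == "__main__":
    for key, verdict in run_scenarios().items():
        print(f"{key:22s} {verdict}")
```

Running the block shows the Windows sign-in allowed in both phases, other legacy clients denied in both, and a browser without a device certificate allowed only in the join phase. The user agent is supplied by the client and, as the article notes, may be changed by Microsoft, so this condition is an allow-list for one known client rather than proof of device identity; the Access Control access log and the Microsoft Entra Admin Center sign-in logs mentioned above are where to confirm which requests actually matched it.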