@AriSaastamoinen Let's do it with pictures. Start with Domain Join, we are familiar with this one

@AriSaastamoinen Now Azure AD Join - That's the completely modern way and doesn't require any on prem infrastructure and people can work anywhere there is internet connectivity. Very few companies are there yet

@AriSaastamoinen Workplace Join-Think of this one as just adding a work account to a personal machine.The "join" is only applicable to that person's profile.If some other family member logs in to the machine, they don't have access to any of the cloud resources. Makes Single Sign On work for user

@AriSaastamoinen Hybrid Join - Many enterprises are going to this. The most common configuration for enterprise.

@AriSaastamoinen Workplace Join + Hybrid Join - starts to get a bit confusing. This pic shows a common scenario

@AriSaastamoinen Now it's time to think about the login process to see how identify flows. First, AzureAd Join - machine doesn't unlock until cloud authentication is complete. Again, most enterprises don't have a lot of these machines yet and are often federated

@AriSaastamoinen Compare that to Hybrid Join login. machine unlocks once domain credentials are authenticated which could happen before the cloud authentication completes. This is simplified and doesn't show the added flow that ADFS brings

@AriSaastamoinen And one more picture describing the Windows login process for a Hybrid Joined machine, the most common scenario for most enterprises. Note the Single Sign On info that dsregcmd /status provides. That shows if the cloud auth completed

@AriSaastamoinen Pictures always help me and this presentation was fantastic. Understanding this is key to moving to more modern device management. #MEMCM