Intune, Entra ID, and AVD Images: Where Each Tool Starts and Stops
November 6, 2025
Microsoft’s ecosystem gives us no shortage of management tools: Intune, Entra ID, Azure Virtual Desktop (AVD), and a growing collection of automation services. But when it comes to where each one begins and ends, the lines can get blurry fast.
For example, you may wonder: Who owns the image? Who handles device cleanup? When should a session host join Entra or enroll in Intune?
Managing AVD shouldn’t feel like juggling three separate tools. This post breaks down how IT admins and cloud architects can connect the dots between Intune, Entra ID, and image management, and how Hydra orchestrates it all to keep things clean, compliant, and running smoothly.
The Modern AVD Management Stack
The AVD ecosystem is built on three key pillars:
- Identity (Entra ID)
- Device Management (Intune)
- Image Lifecycle (Hydra or other orchestration platform)
Each serves a different layer of responsibility:
| Layer | Tool | Purpose |
|---|---|---|
| Identity | Entra ID | Authenticates users and devices |
| Configuration | Intune | Applies policies, deploys apps, ensures compliance |
| Lifecycle | Hydra | Builds, validates, and coordinates image deployments while resolving orphaned devices and image drift. |
When aligned, they create a fully automated lifecycle, from golden image creation to device enrollment and cleanup. When misaligned, you can get duplicate objects, orphaned Intune devices, or failed enrollments.
Entra ID: The Foundation of Identity
What it does:
- Manages user and device identities across Azure and AVD.
- Provides Conditional Access and MFA enforcement.
- Supports both Entra ID Join and Hybrid Join scenarios.
- Links users → devices → session hosts for consistent policy enforcement.
Where it stops:
- Entra ID doesn’t control when or how a VM joins. That’s delegated to the provisioning layer (like Hydra or native AVD).
- It doesn’t handle post-deployment cleanup when session hosts are re-imaged or deleted. Again, that is delegated to the provisioning layer.
Hydra’s role:
Hydra coordinates identity joins during image rollout, ensuring that every cloned session host joins Entra cleanly and that old joins are removed before new hosts come online.
For example, one of our customers built their own autoscaling solution in native AVD. However, during scale-down events, the devices weren’t deleted from Entra ID. Over time, this left hundreds of stale devices in their tenant, which caused problems when those device names were reused.
Intune: The Policy and App Enforcer
What it does:
- Pushes policies, compliance rules, and apps to enrolled devices.
- Monitors device health, update status, and configuration drift.
- Serves as the primary MDM/MAM layer in AVD and physical device environments.
Where it stops:
- Intune doesn’t build or version golden images.
- Intune is purpose-built for device management; therefore, it doesn’t automatically clean up the stale device records that non-persistent hosts leave behind when they are recycled or rebuilt.
- It can’t orchestrate join → configure → retire tasks without external coordination.
Hydra’s role:
Hydra enrolls each session host into Intune in the correct sequence, after it’s joined to Entra but before user sessions begin, and can automatically trigger device record cleanups when hosts are decommissioned or refreshed.
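The two cleanup gaps above (Entra device objects that survive a scale-down, and Intune records that survive a host rebuild) come down to reconciling three inventories: what the host pool actually contains, what Entra ID has registered, and what Intune is managing. The script below is an added example, not Hydra’s code or Microsoft’s, showing that reconciliation on constructed sample inventories. The field names mirror Microsoft Graph attributes (`displayName`, `createdDateTime`, `approximateLastSignInDateTime`, `azureADDeviceId`), but the data structures, the 30-day staleness threshold and the host names are assumptions for the example; in practice the lists would be pulled from the AVD, Entra and Intune APIs.

```python
"""Reconcile an AVD host pool's session hosts against Entra ID and Intune
device records to surface the leftovers a scale-down can leave behind.
All inventories below are constructed sample data, not live Graph output."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed reference time so the sample results are reproducible
NOW = datetime(2025, 11, 6, tzinfo=timezone.utc)


@dataclass(frozen=True)
class EntraDevice:
    object_id: str                 # Entra device object id
    display_name: str              # computer name of the session host VM
    created: datetime              # createdDateTime
    last_sign_in: datetime | None  # approximateLastSignInDateTime; None if never seen


@dataclass(frozen=True)
class IntuneDevice:
    managed_id: str          # Intune managedDevice id
    device_name: str
    azure_ad_device_id: str  # pointer back to the Entra device object


@dataclass
class ReconciliationReport:
    orphaned_entra: list[str]              # no live host behind them: candidates to retire
    pending_review: list[str]              # unknown to the host pool but recently active
    duplicate_names: dict[str, list[str]]  # name reuse: several objects share one name
    orphaned_intune: list[str]             # no live host, or linked to an orphaned Entra object
    dangling_intune: list[str]             # Entra object already gone


def reconcile(session_hosts, entra, intune, now=NOW, stale_after=timedelta(days=30)):
    """Classify every Entra and Intune record against the hosts the pool really has."""
    cutoff = now - stale_after
    by_name: dict[str, list[EntraDevice]] = {}
    for dev in entra:
        by_name.setdefault(dev.display_name, []).append(dev)

    orphaned_entra, pending_review, duplicate_names = [], [], {}
    for name, devs in by_name.items():
        if len(devs) > 1:
            duplicate_names[name] = sorted(d.object_id for d in devs)
        if name in session_hosts:
            # The most recently active object backs the live host; older twins are
            # leftovers from a reused name. A never-signed-in object counts as active
            # at its creation time, so a host joined minutes ago still wins.
            live = max(devs, key=lambda d: d.last_sign_in or d.created)
            orphaned_entra.extend(d.object_id for d in devs if d is not live)
        else:
            for d in devs:
                last_seen = d.last_sign_in or d.created
                (orphaned_entra if last_seen < cutoff else pending_review).append(d.object_id)

    orphaned_set = set(orphaned_entra)
    entra_ids = {d.object_id for d in entra}
    orphaned_intune = [m.managed_id for m in intune
                       if m.device_name not in session_hosts or m.azure_ad_device_id in orphaned_set]
    dangling_intune = [m.managed_id for m in intune if m.azure_ad_device_id not in entra_ids]
    return ReconciliationReport(sorted(orphaned_entra), sorted(pending_review), duplicate_names,
                                sorted(orphaned_intune), sorted(dangling_intune))


def days_ago(n: float) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample: hosts the pool currently reports
SESSION_HOSTS = {"avd-prod-0", "avd-prod-1", "avd-prod-2"}

# Constructed sample: Entra device objects, including a reused name and scale-down leftovers
ENTRA_DEVICES = [
    EntraDevice("d-100", "avd-prod-0", days_ago(120), days_ago(1)),
    EntraDevice("d-101", "avd-prod-1", days_ago(3), days_ago(2)),      # current avd-prod-1
    EntraDevice("d-102", "avd-prod-1", days_ago(200), days_ago(90)),   # old twin, name reused
    EntraDevice("d-103", "avd-prod-2", days_ago(0.04), None),          # joined an hour ago
    EntraDevice("d-104", "avd-prod-7", days_ago(200), days_ago(45)),   # scaled down, never cleaned
    EntraDevice("d-105", "avd-prod-8", days_ago(10), days_ago(2)),     # active but not in pool
    EntraDevice("d-106", "avd-prod-6", days_ago(60), None),            # join never completed
]

# Constructed sample: Intune managed devices
INTUNE_DEVICES = [
    IntuneDevice("m-1", "avd-prod-0", "d-100"),
    IntuneDevice("m-2", "avd-prod-1", "d-102"),  # enrolled by the old twin
    IntuneDevice("m-3", "avd-prod-7", "d-104"),
    IntuneDevice("m-4", "avd-prod-9", "d-999"),  # Entra object already deleted
    IntuneDevice("m-5", "avd-prod-1", "d-101"),
]

if __name__ == "__main__":
    report = reconcile(SESSION_HOSTS, ENTRA_DEVICES, INTUNE_DEVICES)
    for field_name, value in vars(report).items():
        print(f"{field_name}: {value}")
```

The output splits records into those safe to retire and those that merely need a look (`pending_review`), which matters because a VM that has joined Entra but has not yet registered with the host pool looks exactly like an orphan for a few minutes; deleting such objects on sight is how a scale-out breaks. The `duplicate_names` list is the symptom described in the customer story above: once a name has several Entra objects, the one Intune enrolled against may not be the one the live host authenticates as.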
Hydra: The Orchestrator Between Layers
Think of Hydra as the conductor that ensures Entra ID and Intune work in sync with your AVD image lifecycle.
Hydra coordinates:
- Image build: Windows OS, apps, and baseline configurations.
- Validation: Tests the health of session hosts during rollout of new images.
- Deployment: After validation, updates session hosts within existing AVD host pools.
- Join sequencing: Ensures correct Entra and Intune join order.
- Cleanup: Retires and deregisters devices to avoid orphaned objects.
In summary, Hydra eliminates the “who cleans that up?” question that plagues many AVD environments.

Bringing it All Together
Without a proper coordination engine, you get drift, enrollment issues, and inconsistent host states. But when you bring Hydra into your AVD environment, you get clear roles:
- Entra ID manages who can access the environment.
- Intune manages what gets applied to the device.
- Hydra manages when and how lifecycle events occur.
With Hydra in place, you get a single orchestrated workflow, from image build to Entra join, Intune enrollment, and cleanup.
Want to see how Hydra can optimize your AVD lifecycle? Get a demo today!