Hello @Matt Dillon,
I was able to review this from Azure AD side.
Whenever a device gets hybrid Azure AD joined, the device identity state would show as both Azure AD registered and Hybrid Azure AD joined.
It is just the activity that keeps getting updated for the Hybrid Azure AD joined entry.
The other entry stays as Azure AD registered (it cannot be deleted) to keep hold of the object ID created after uploading the hash. This helps in holding the device group membership, as the ZTDID is correlated to this object ID and would not be lost even if the device is Autopilot reset.
Once the device is set up as Hybrid AD joined, it will recognize your on-prem credentials. HAADJ endpoints are only "joined" to the on-prem AD domain, and thus on-prem AD user credentials must be used. AAD Connect will sync your on-prem AD accounts to Azure AD, so it may seem like you are using an AAD account to log in, but you aren't and cannot. Thus, nothing changes about the login requirements for an HAADJ endpoint compared to a classic on-prem ADJ endpoint. Ref: https://learn.microsoft.com/en-us/answers/questions/166093/autopilot-hybrid-join-but-can-users-sign-in-to-azu.html
Please do let me know if you have any further queries in the comments section.
Thanks,
Akshay Kaushik
Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.
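Added example (not part of the answer above, and not Microsoft's own code): a PowerShell snippet that pulls every Azure AD device object carrying one display name via Microsoft Graph and shows which record is the Hybrid Azure AD joined one (trustType "ServerAd"), which is the Azure AD registered one (trustType "Workplace"), and which of the two carries the Autopilot ZTDID in its physicalIds, so you can confirm the two-entry behaviour described above on your own tenant. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in account has the Device.Read.All permission, and the device name 'DESKTOP-EXAMPLE' is a placeholder to replace.

```powershell
# Added example, not from the original answer.
# Lists all Azure AD device objects that share one display name and shows the join type,
# object ID, ZTDID and last activity of each, so the "Azure AD registered" entry that holds
# the Autopilot object ID can be told apart from the "Hybrid Azure AD joined" entry that
# keeps receiving activity updates.
# Assumptions: Microsoft.Graph SDK installed, Device.Read.All granted, $DeviceName is a placeholder.

param(
    [string]$DeviceName = 'DESKTOP-EXAMPLE'   # placeholder device name (assumed)
)

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Device.Read.All'

# Only the properties needed to compare the two records.
$select = 'id,deviceId,displayName,trustType,physicalIds,registrationDateTime,approximateLastSignInDateTime'
$uri = "https://graph.microsoft.com/v1.0/devices?`$filter=displayName eq '$DeviceName'&`$select=$select"

$resp = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

# Graph trustType values and the names the Azure portal shows for them.
$trustMap = @{
    'Workplace' = 'Azure AD registered'
    'AzureAd'   = 'Azure AD joined'
    'ServerAd'  = 'Hybrid Azure AD joined'
}

$resp.value | ForEach-Object {
    # Autopilot stamps the ZTDID into physicalIds as "[ZTDId]:<value>"; other entries
    # such as [OrderId] or [PurchaseOrderId] may also be present and are ignored here.
    $ztdid = ($_.physicalIds | Where-Object { $_ -like '[[]ZTDId]:*' }) -replace '^\[ZTDId\]:', ''

    [pscustomobject]@{
        DisplayName  = $_.displayName
        JoinType     = $trustMap[$_.trustType]
        ObjectId     = $_.id
        DeviceId     = $_.deviceId
        ZTDID        = $ztdid
        Registered   = $_.registrationDateTime
        LastActivity = $_.approximateLastSignInDateTime
    }
} | Sort-Object LastActivity -Descending | Format-Table -AutoSize
```

For a device that has been hybrid joined after Autopilot registration you should see two rows: the "Hybrid Azure AD joined" row with the most recent LastActivity, and an "Azure AD registered" row that carries the ZTDID and the object ID used for group membership. On the device itself, `dsregcmd /status` shows the matching local view (the AzureAdJoined, DomainJoined and WorkplaceJoined fields).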