Forum Discussion

Alan Birch
Copper Contributor
Sep 06, 2017
Solved

Why no OUs in Azure AD

I'm starting to look at Intune for managing our desktops. I have created a dynamic group and pointed that at a particular OU but I've realised it never gets any members as there are no OUs in Azure AD. In fact, the only devices I see in Azure are those for which we have installed the Intune client even though AD Connect says it has synchronised all of my OUs. What am I missing?

  • VasilMichev
    MVP

    Sadly, administrative units are good for nothing. They have so many limitations, they're practically just a "proof of concept". You will not be able to use them in Intune, or anything else for that matter.

    And in general, if you want a "traditional" desktop management, based on OUs/GPOs and so on, Azure AD and Intune are NOT the solution for it. AD DS might get closer, but personally I'd stick with good old proven methods...

  • You are correct - AAD does not have OUs, but the AAD Connect sync tool can sync across users from OUs.
    AAD is flat from an organisational perspective, as opposed to AD - which dates back over 15 years now. Times have changed and groups are king.
    You can use features like dynamic group membership to assign licenses and access to things, as well as groups that you would use in Intune.
    I don't have a specific answer for you, but it does require you to change your thinking.
    • Alan Birch
      Alan Birch
      Copper Contributor

      Hi Loryan,

      Yes, we already heavily use groups for users. I'm using group based licencing in Azure for our 365 synced accounts which has been a godsend. I've been researching using Intune for devices and even Office Docs suggests creating dynamic machine groups and deploy rings for management/updating of Win 10 devices. Maybe it's not suitable for desktops and is only applicable to a BYOD situation. More thinking/research to do...
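The replacement Loryan describes for an OU-scoped group, shown as an added example that is not from any post in this thread: a dynamic device group whose rule keys on device attributes that do exist in Azure AD, plus the check a practitioner would run first to confirm the synced computers are actually present as device objects. It assumes the Microsoft.Graph PowerShell module, Group.ReadWrite.All and Device.Read.All permissions, and a "DESK-" naming prefix that stands in for the former OU.

```powershell
# Added example, not code from the thread. Assumes Microsoft.Graph module.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# Step 1: verify what AD Connect / hybrid join actually delivered.
# A group can only contain devices that exist as Azure AD device objects;
# the on-prem OU a computer sits in is not an attribute here, so no rule
# can target it. TrustType "ServerAD" = hybrid Azure AD joined (synced
# domain computer); "AzureAD" = Azure AD joined; "Workplace" = registered.
Get-MgDevice -All |
    Select-Object DisplayName, OperatingSystem, TrustType, ApproximateLastSignInDateTime |
    Sort-Object TrustType, DisplayName |
    Format-Table -AutoSize

# Step 2: express the old OU scope as a dynamic membership rule on device
# attributes. Rule syntax uses "and"/"or", not PowerShell operators.
# The "DESK-" prefix is an assumed naming convention; adjust to your own.
$rule = '(device.deviceTrustType -eq "ServerAD") and ' +
        '(device.deviceOSType -eq "Windows") and ' +
        '(device.displayName -startsWith "DESK-")'

$group = New-MgGroup -DisplayName "Intune - Desktops (dynamic)" `
    -Description "Hybrid-joined Windows desktops; replaces OU-based targeting" `
    -MailEnabled:$false -MailNickname "intune-desktops-dyn" -SecurityEnabled:$true `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Step 3: evaluation is asynchronous. Re-check membership after a few
# minutes before assigning Intune profiles to the group; an empty result
# here usually means the devices are not hybrid joined (Step 1), not that
# the rule is wrong.
Start-Sleep -Seconds 300
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties["displayName"] }
```

Because membership follows attributes rather than placement, anyone able to rename a device or change its OS type can move it into or out of the group; treat those attributes with the same care you would give OU moves.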
