Augmenting Azure AD with GPO


Hello,

This is my scenario. I am looking to eliminate my physical AD server. I have a Windows Server 2019 VM in Azure with the GP Management tools. This VM is joined to an Azure Managed Domain. I have computers that are Azure AD joined. I want to apply group policies from that Windows Server VM to my Windows 10 Azure AD Joined laptops. Please help.


Hi @B4K4Fire,

It is important to distinguish several things here:

  • as I understand, you have an on-premises Active Directory with domain controllers. I would assume you integrated it with your Azure AD by using AAD Connect and synchronized your on-prem accounts and groups to AAD
  • you wrote that your Azure VM is joined to 'Azure Managed Domain'. Since this is a Windows Server, it indicates you are referring to Azure AD Domain Services. I assume you enabled this service in a specific VNet and it synchronizes users and groups from your Azure AD domain to this managed directory.
    • As a side note, this domain has no trust relationship with your on-premises AD domain (even though you see the same users and groups in both ADs, they have different SIDs, GUIDs, etc.).
    • In other words, even the GPOs in your on-prem AD are different from those in AAD DS (the technology is the same, but when you enable AAD DS, there are no GPOs added by default, and there is no synchronization mechanism that would allow you to sync it from your on-prem AD).
  • You can use that Azure VM to manage that AAD DS instance (domain-join VMs, create GPOs, OUs, etc.).
    • You probably know that you don't have full Domain Admin rights, since the domain is managed by Microsoft (and there are other limitations)
  • You are trying to apply Group Policies to a Windows 10 machine that was 'Azure AD Joined'. Since your W10 machine is 'AAD Joined' (not Hybrid-AD Joined), you cannot apply Group Policies to it. Azure AD does not use GPOs; it is a cloud directory, built for scale with an API-first approach. You can use Intune or another MDM tool to manage your W10 AAD-joined machines, but not AD GPOs.
  • You could in theory join your W10 machine to that AAD DS managed domain and configure GPOs there (using your admin Windows Server machine), but this makes little sense to me.

To summarize:

  • you should use Azure AD Domain Services (managed domain) for Azure-hosted VMs (could be server or client OS, e.g. Windows Virtual Desktop), but not on-premises hosted machines
  • you should consider using modern management solutions to manage your physical W10 PCs (moving from GPOs to MDM policies). Eventually, you could use Hybrid AD join and continue using GPOs for Windows 10 clients (but not with AAD DS)
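The join-state distinction made in the reply above (AAD joined vs. Hybrid joined vs. joined to an AD or AAD DS domain) can be checked on a device with `dsregcmd /status`. The script below is an added example, not part of the original thread: it parses that output and reports which policy channel (AD GPO or MDM) can actually reach the device. The `$sampleStatus` text is constructed to mimic the tool's output for an Azure AD joined laptop.

```powershell
# Constructed sample of `dsregcmd /status` output (Azure AD joined, no AD domain).
$sampleStatus = @"
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
"@

function Get-JoinState {
    param([string[]]$Lines)
    # dsregcmd prints right-aligned "Key : Value" pairs; collect them into a table.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'
    $kind = if ($aad -and $domain) { 'HybridAzureAdJoined' }
            elseif ($aad)          { 'AzureAdJoined' }
            elseif ($domain)       { 'DomainJoined' }
            else                   { 'Workgroup' }
    # GPOs only come from a Windows Server AD domain (on-prem or AAD DS);
    # Azure AD itself has no GPOs, so an AAD-only device is MDM territory.
    $policy = switch ($kind) {
        'HybridAzureAdJoined' { 'GPO from the on-prem AD domain, plus MDM (Intune) if enrolled' }
        'DomainJoined'        { 'GPO from the AD (or AAD DS) domain the device is joined to' }
        'AzureAdJoined'       { 'MDM (Intune) only; AD GPOs cannot apply' }
        default               { 'Local policy only' }
    }
    [pscustomobject]@{
        JoinType      = $kind
        PolicyChannel = $policy
        DomainName    = $state['DomainName']   # populated only when DomainJoined is YES
    }
}

# Run against the constructed sample; on a real device use: $lines = dsregcmd /status
$lines = $sampleStatus -split "`r?`n"
Get-JoinState -Lines $lines
```

For the sample above the result is `JoinType = AzureAdJoined` and `PolicyChannel = MDM (Intune) only; AD GPOs cannot apply`, which is exactly the situation described in the question.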