Azure AD and On Prem AD - Can Group Policy Co-Exist?


Hello all,

I am looking to roll out some Surface tablets that will rarely, if ever, be in the office / connected to our network.  As a result, my plan is to Azure AD Join (and enroll in EMS) these devices but not join them to on-prem ADDS.

I have been doing some digging into Azure AD Group Policy -- can this co-exist with my on-prem GPOs?  I know that I only get 1 GPO in Azure - but my thought would be to spin up an Azure VM, install GPMC so I can manage the GPO for these tablet / cloud only devices.

Or is there a better way?

Thanks

Steve

2 Replies

Azure AD Join does *not* support GPOs. Azure AD Domain Services does, and is limited to the one as you've read. The two are different features, however; we discussed this recently here: https://techcommunity.microsoft.com/t5/Azure-Active-Directory/Azure-Active-Directory-Domain-Services...

Depending on the kind of settings you want to enforce, Office 365 MDM or Intune might be useful.
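A quick way to see which of these policy channels can actually reach a given device is to read its join state from `dsregcmd /status`. The function below is an added example written for this thread, not code from the reply or from Microsoft; it assumes the usual `Key : Value` layout of that output, and the `$sample` block is a constructed stand-in for a real run.

```powershell
# Added example: classify a Windows device's join state and infer which
# policy mechanism (on-prem/Azure AD DS GPOs vs. MDM) applies to it.
function Get-PolicyChannel {
    param(
        # Lines of `dsregcmd /status`; runs the tool locally when not supplied.
        [string[]]$StatusText = (dsregcmd /status)
    )
    $state = @{}
    foreach ($line in $StatusText) {
        # Keys of interest are single words, e.g. "   AzureAdJoined : YES"
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'
    # MdmUrl is populated only when the device is enrolled with an MDM (e.g. Intune)
    $mdm    = -not [string]::IsNullOrEmpty($state['MdmUrl'])

    $channel =
        if ($domain -and $aad) { 'Hybrid joined: on-prem GPOs apply (MDM may apply too)' }
        elseif ($domain)       { 'Domain joined: on-prem or Azure AD DS GPOs apply' }
        elseif ($aad -and $mdm){ 'Azure AD joined: no GPOs; settings come from MDM' }
        elseif ($aad)          { 'Azure AD joined, not MDM enrolled: no central policy at all' }
        else                   { 'Workgroup device: local policy only' }

    [pscustomobject]@{
        AzureAdJoined = $aad
        DomainJoined  = $domain
        MdmEnrolled   = $mdm
        PolicyChannel = $channel
    }
}

# Constructed sample mimicking the tablet scenario in the question
# (Azure AD joined, not domain joined, enrolled in Intune).
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`n"

Get-PolicyChannel -StatusText $sample
```

Run it without `-StatusText` on the device itself to check the live state; a device that reports Azure AD joined with no `MdmUrl` is the case to watch for, since neither GPOs nor MDM settings will reach it.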


Thank you for clearing this up.

Steve