Plans to merge ADDS and AAD


Are there any plans to merge Active Directory Domain Services and Azure AD? This would allow there to be GPOs, OUs, nesting etc. ... and then we would not need an additional subscription for Intune to manage server and desktop devices. This is especially true in a more remote-work world. This could be combined with doing ADDS communication over QUIC, which I proposed on the Windows Server user voice: https://windowsserver.uservoice.com/forums/304621-active-directory/suggestions/41625361-allow-adds-c...

3 Replies

@John Steskal Hello, I suppose you're referring to the fact that group policies configured in an on-premises AD DS environment aren't synchronized to Azure AD DS? As far as I know, you need to edit one of the default GPOs or create a custom GPO in a hybrid scenario.

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy


Here are my five cents, @John Steskal,

Microsoft makes a clear distinction between Active Directory (a traditional X.500 directory with a hierarchy, group policies, and legacy authentication protocols like Kerberos and NTLM) and Azure AD (a flat, cloud-based directory designed for high scale, supporting modern protocols like SAML, OIDC and OAuth, where you can manage devices using MDM policies).

Group Policies were not designed for the cloud and the configuration-as-code practice, so I personally don't expect they will ever become a feature of Azure AD. Instead, you should use MDM policies for mobile devices and W10 endpoints and leverage Azure (in-guest) Policies to manage Azure-hosted VMs (which could be extended to non-Azure VMs using Azure Arc).


@David Pazdera The funny thing is that MDM for Windows 10 uses Group Policy. The ADMX format and structure is what the group policy engine uses to apply things. Also, there is a huge need for the classic, or as we say "legacy", OU structure. You could merge Azure ADDS and Azure AD, which would allow for all protocols and give the nesting features of OUs, plus group policy. I'd love to chat more about this; one of the most powerful things about AD is group policy, plus it is included, which with MDM it is not.
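An added example, written for this page and not code from any poster in the thread, that makes the Group Policy / MDM overlap discussed above visible on a single Windows 10 or 11 device: it reports the device's directory join state and enumerates which policy stores are populated, plus the MDM-over-GP conflict setting. It assumes that dsregcmd.exe is present on the device, that MDM policies delivered through the Policy CSP are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device, and that Group Policy registry-based settings live under HKLM:\SOFTWARE\Policies; the registry paths are assumptions stated in the code, not something the thread asserts.

```powershell
# Added example (not from the thread). Shows, on one device, the AD DS vs Azure AD
# join state and which policy engines (Group Policy vs MDM) have written settings.
# ASSUMPTION: dsregcmd.exe exists and prints "Key : Value" lines (Windows 10 1607+).
# ASSUMPTION: MDM (Policy CSP) settings are mirrored under PolicyManager\current\device,
#             GP registry-based settings live under HKLM:\SOFTWARE\Policies.

function Get-DeviceJoinState {
    # Parse dsregcmd /status into a hashtable of the "Key : Value" lines.
    $state = @{}
    & dsregcmd.exe /status | ForEach-Object {
        if ($_ -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')   # on-prem AD DS join
        MdmUrl        = $state['MdmUrl']                      # empty when not MDM enrolled
    }
}

function Get-PolicyStores {
    # Enumerate the policy areas each engine has written, and read the MDM conflict flag.
    $mdmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'   # assumed MDM store
    $gpRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft'                       # GP registry policies

    $mdmAreas = Get-ChildItem -Path $mdmRoot -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName
    $gpAreas  = Get-ChildItem -Path $gpRoot -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName

    # Policy CSP: ControlPolicyConflict/MDMWinsOverGP (1 = MDM setting wins when both apply).
    $conflict = Get-ItemProperty -Path "$mdmRoot\ControlPolicyConflict" `
        -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MdmPolicyAreas   = @($mdmAreas)
        GpPolicyAreas    = @($gpAreas)
        MdmWinsOverGp    = [bool]($conflict.MDMWinsOverGP -eq 1)
        BothEnginesActive = (@($mdmAreas).Count -gt 0 -and @($gpAreas).Count -gt 0)
    }
}

# Usage: run in an elevated PowerShell session on the endpoint.
$join   = Get-DeviceJoinState
$stores = Get-PolicyStores
$join   | Format-List
$stores | Format-List
if ($stores.BothEnginesActive -and -not $stores.MdmWinsOverGp) {
    Write-Warning 'GP and MDM both manage this device and MDMWinsOverGP is not set; overlapping settings resolve per-policy, so review them.'
}
```

A hybrid-joined, Intune-enrolled device will typically report both DomainJoined and AzureAdJoined as true and have entries in both stores; that is exactly the case where the thread's observation that MDM and Group Policy describe the same ADMX-backed settings matters, because the same setting can arrive from two engines and the conflict flag decides which one wins.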