Home

Azure Active Directory Premium P1 - Windows 7 - Group Policy

%3CLINGO-SUB%20id%3D%22lingo-sub-167442%22%20slang%3D%22en-US%22%3EAzure%20Active%20Directory%20Premium%20P1%20-%20Windows%207%20-%20Group%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-167442%22%20slang%3D%22en-US%22%3E%3CP%3EAzure%20Active%20Directory%20Premium%20P1%20-%20Windows%207%20-%20Group%20Policy%3C%2FP%3E%0A%3CP%3EWant%20to%20roll%20out%20a%20domain%20customer%20has%20Office365%20currently%20but%20has%20mostly%20Windows%207%20Pro%20machines%20with%20some%20Windows%2010%20Pro.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDoes%20Azure%20Active%20Directory%20Premium%20P1%20support%20Windows%207%20and%20does%20it%20work%20well%20for%20Group%20Policy%2C%20Roaming%20Profiles%20etc%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOr%20do%20i%20require%3C%2FP%3E%0A%3CP%3E2%20x%20Virtual%20machines%208Gb%20Ram%20256%20SSD%204x%20Cores%3C%2FP%3E%0A%3CP%3E1x%20vNet%3C%2FP%3E%0A%3CP%3E1x%20VPN%3C%2FP%3E%0A%3CP%3EBandwidth%20for%20vNet%3C%2FP%3E%0A%3CP%3EBandwidth%20for%20VPN%3C%2FP%3E%0A%3CP%3EVPN%20Tier%201%20for%20more%20than%2010%20sites%20and%20650Gb%20bandwidth%3F%3C%2FP%3E%0A%3CP%3EThen%20build%20VPN%20tunnels%20from%20sites%20to%20Azure%20VPN%3C%2FP%3E%0A%3CP%3EThen%20setup%20the%20servers%20to%20be%20domain%20controllers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWould%20like%20Azure%20Active%20Directory%20Premium%20P1%20if%20possible%20with%20it%20offering%20self%20service%20password%20resets%2C%20MFA%20etc%20but%20cannot%20find%20anything%20clear%20on%20managing%20the%20GPOs%2C%20Roaming%20profiles%20and%20Windows%207.%3C%2FP%3E%0A%3CP%3EThanks%20in%20advance%20for%20any%20advise.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-167442%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Active%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMulti-Factor%20Authentication%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20Center%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-177618%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Active%20Directory%20Premium%20P1%20-%20Windows%207%20-%20Group%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-177618%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20AAD-join%20Windows%2010%20machines%20as%20long%20as%20they%20have%20connectivity%20to%20MS%20Azure%2C%20via%20Internet%20--%20whether%20or%20not%20it's%20through%20a%20VPN.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWindows%207%2C%20I%20don't%20think%20so.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAzure%20AD%20Connect%20is%20for%20synchronizing%20account%20data%20from%20a%20traditional%20AD%20service%20up%20to%20AAD%2C%20which%20of%20course%20is%20not%20the%20same%20as%20managing%20your%20identities%20totally%20in%20the%20cloud%20service.%26nbsp%3B%20If%20you%20moved%20everything%20completely%20to%20AAD%20you%20wouldn't%20need%20Azure%20AD%20Connect.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-173388%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Active%20Directory%20Premium%20P1%20-%20Windows%207%20-%20Group%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-173388%22%20slang%3D%22en-US%22%3ECan%20a%20windows%207%20device%20be%20domain%20joined%20to%20azure%20domain%20services%20using%20p1%3F%20%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20a%20windows%2010%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20if%20so%20can%20it%20be%20done%20over%20internet%20or%20line%20of%20sight%20such%20as%20a%20site2site%20vpn%3F%20%3CBR%20%2F%3E%3CBR%20%2F%3EI%20know%20can%20use%20azure%20ad%20connect%20for%20windows%2010%20but%20it%E2%80%99s%20limited.%20%3CBR%20%2F%3E%3CBR%20%2F%3EAny%20advice%20is%20appreciated%20or%20someone%20who%20has%20already%20achieved%20the%20above.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-170259%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Active%20Directory%20Premium%20P1%20-%20Windows%207%20-%20Group%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-170259%22%20slang%3D%22en-US%22%3EThanks%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20already%20have%20365%20and%20built%20a%20azure%20Server%20and%20installed%20gpo%20management.%20It%E2%80%99s%20joined%20to%20the%20domain%20too%20but%20needed%20to%20check%20the%20way%20it%20then%20connects%20from%20client%20as%20suspect%20will%20need%20a%20site2site%20vpn.%20I%20have%20also%20brought%20a%20P1%20ADDS%20licence%20to%20test%20with%20but%20don%E2%80%99t%20see%20where%20manage%20this%20have%20applied%20it%20to%20my%20account.%20%3CBR%20%2F%3E%3CBR%20%2F%3EIt%E2%80%99s%20also%20not%20clear%20on%20the%20windows7%20side.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20need%20to%20implement%20this%20in%20two%20companies%20%3CBR%20%2F%3E%3CBR%20%2F%3EOne%20windows10%20devices%20thought.%3CBR%20%2F%3E%3CBR%20%2F%3EAnother%20mostly%20windows%207%20with%20some%2010.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-168868%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Active%20Directory%20Premium%20P1%20-%20Windows%207%20-%20Group%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-168868%22%20slang%3D%22en-US%22%3EDepending%20on%20how%20far%20you're%20willing%20to%20go%2C%20you%20might%20consider%20cutting%20them%20entirely%20to%20Windows%2010%20and%20use%20Intune%20MDM%20for%20all%20your%20endpoint%20management.%20You'll%20get%20most%20of%20the%20important%20GP%20functionality%20in%20an%20easy%20to%20manage%20interface%2C%20and%20then%20if%20there%20are%20gaps%20you're%20not%20comfortable%20with%20(although%20that%20gap%20shrinks%20with%20each%20semi-annual%20Windows%20release)%20you%20can%20close%20them%20with%20remote%20PowerShell%20--%20again%20using%20Intune.%20But%20in%20most%20cases%20that%20won't%20be%20necessary.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-167796%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Active%20Directory%20Premium%20P1%20-%20Windows%207%20-%20Group%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-167796%22%20slang%3D%22en-US%22%3E%3CP%3EAzure%20AD%20does%20support%20users%20with%20Windows%207%20but%20it%20does%20not%20help%20with%20managing%20GPOs%20by%20itself%2C%20you%20need%20Azure%20AD%20Domain%20Services%20for%20that%20type%20of%20functionality.%20AAD%20P1%20is%20focused%20on%20account%20and%20application%20management.%20The%20win7%20machines%20will%20still%20be%20domain%20joined%20and%20will%20still%20get%20GPOs%20like%20they%20always%20have.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20don't%20need%20GPOs%20to%20manage%20Self%20service%20password%20reset%20and%20MFA%20configuration%20options%2C%20those%20are%20handled%20directly%20in%20AAD%20P1%20for%20all%20Operating%20systems.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESince%20you%20have%20O365%2C%20then%20you%20may%20want%20to%20look%20into%20using%20GPOs%20to%20help%20manage%20OneDrive%20client%20sync%20settings%2C%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fuse-group-policy-to-control-onedrive-sync-client-settings-0ecb2cf5-8882-42b3-a6e9-be6bda30899c%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2Fuse-group-policy-to-control-onedrive-sync-client-settings-0ecb2cf5-8882-42b3-a6e9-be6bda30899c%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20have%20the%20Win10%20machines%20registered%20with%20AAD%20without%20making%20them%20join%20the%20domain%2C%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevice-management-azuread-registered-devices-windows10-setup%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevice-management-azuread-registered-devices-windows10-setup%3C%2FA%3E%20or%20you%20can%20have%20them%20in%20hybrid%20mode%2C%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevice-management-hybrid-azuread-joined-devices-setup%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevice-management-hybrid-azuread-joined-devices-setup%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-167777%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Active%20Directory%20Premium%20P1%20-%20Windows%207%20-%20Group%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-167777%22%20slang%3D%22en-US%22%3Echeck%20the%20following%20article%20on%20Azure%20AD%20and%20GPOs%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-domain-services%2Factive-directory-ds-admin-guide-administer-group-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-domain-services%2Factive-directory-ds-admin-guide-administer-group-policy%3C%2FA%3E%3C%2FLINGO-BODY%3E
Danny Chaplin
New Contributor

Azure Active Directory Premium P1 - Windows 7 - Group Policy

Want to roll out a domain customer has Office365 currently but has mostly Windows 7 Pro machines with some Windows 10 Pro.

 

Does Azure Active Directory Premium P1 support Windows 7 and does it work well for Group Policy, Roaming Profiles etc?

 

Or do i require

2 x Virtual machines 8Gb Ram 256 SSD 4x Cores

1x vNet

1x VPN

Bandwidth for vNet

Bandwidth for VPN

VPN Tier 1 for more than 10 sites and 650Gb bandwidth?

Then build VPN tunnels from sites to Azure VPN

Then setup the servers to be domain controllers.

 

Would like Azure Active Directory Premium P1 if possible with it offering self service password resets, MFA etc but cannot find anything clear on managing the GPOs, Roaming profiles and Windows 7.

Thanks in advance for any advise.

6 Replies

Azure AD does support users with Windows 7 but it does not help with managing GPOs by itself, you need Azure AD Domain Services for that type of functionality. AAD P1 is focused on account and application management. The win7 machines will still be domain joined and will still get GPOs like they always have.

 

You don't need GPOs to manage Self service password reset and MFA configuration options, those are handled directly in AAD P1 for all Operating systems. 

 

Since you have O365, then you may want to look into using GPOs to help manage OneDrive client sync settings, see https://support.office.com/en-us/article/use-group-policy-to-control-onedrive-sync-client-settings-0...

 

You can have the Win10 machines registered with AAD without making them join the domain, see https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-registered-devices... or you can have them in hybrid mode, see https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devi...

Depending on how far you're willing to go, you might consider cutting them entirely to Windows 10 and use Intune MDM for all your endpoint management. You'll get most of the important GP functionality in an easy to manage interface, and then if there are gaps you're not comfortable with (although that gap shrinks with each semi-annual Windows release) you can close them with remote PowerShell -- again using Intune. But in most cases that won't be necessary.
Thanks,

I already have 365 and built a azure Server and installed gpo management. It’s joined to the domain too but needed to check the way it then connects from client as suspect will need a site2site vpn. I have also brought a P1 ADDS licence to test with but don’t see where manage this have applied it to my account.

It’s also not clear on the windows7 side.

I need to implement this in two companies

One windows10 devices thought.

Another mostly windows 7 with some 10.

Can a windows 7 device be domain joined to azure domain services using p1?

And a windows 10

And if so can it be done over internet or line of sight such as a site2site vpn?

I know can use azure ad connect for windows 10 but it’s limited.

Any advice is appreciated or someone who has already achieved the above.

You can AAD-join Windows 10 machines as long as they have connectivity to MS Azure, via Internet -- whether or not it's through a VPN.

 

Windows 7, I don't think so.

 

Azure AD Connect is for synchronizing account data from a traditional AD service up to AAD, which of course is not the same as managing your identities totally in the cloud service.  If you moved everything completely to AAD you wouldn't need Azure AD Connect.