Azure ADDS Group Policy

Shahid Rabbani 1 Reputation point
2020-04-08T09:24:45.567+00:00

I have the following scenario to set up my Azure ADDS.

  1. Set up Azure AD for my domain ad.example.com and created a few users in Azure AD.
  2. Configured AADDS for the domain ad.example.com.
  3. Created a Windows VM and joined it to Azure ADDS (ad.example.com).
  4. On the VM server, installed GPO Management and AD tools and viewed my Azure AD users in the Active Directory Users and Computers snap-in.
  5. Set up a separate OU, moved my user into this OU and created a GPO with a few settings to apply to that user.
  6. Authenticated my Windows 10 on-prem machine successfully with an Azure AD user account that is part of my OU from step 5.

My Query is:

Can I apply an AADDS GPO to my Windows 10 machine, which is authenticated with Azure AD (step 6)?

Are there any other steps or configurations required to set up GPO on on-prem devices?

I don't have any on-prem Windows AD.

Regards
Shahid


4 answers

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-04-08T09:47:33.373+00:00

    @Shahid Rabbani Yes, you can apply AADDS GPO on your Windows 10 machine. As long as you have an active site-to-site VPN connection between your on-prem devices and the Azure ADDS VNet, there are no additional steps or configurations required to set up GPO on on-prem devices.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.


  2. Shahid Rabbani 1 Reputation point
    2020-04-08T10:07:29.73+00:00

    @AmanpreetSingh-MSFT thanks for your quick reply.

    If I set up an S2S VPN, then I will use the Windows 10 domain join option to join AADDS, not my school or work account for Azure AD join. Correct?

    What about my remote users if they want to authenticate with AADDS? Do they need a P2S VPN?

    Is there any option where I can use Azure AD for authentication and fetch GPO for my Windows machines?

    Regards


  3. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-04-08T12:33:07.257+00:00

    @Shahid Rabbani There has to be connectivity to Azure ADDS. That can be either via S2S, P2S, or remote users connecting to the corp network via VPN and then using the S2S connection to Azure ADDS. You cannot fetch GPOs via Azure AD by signing in with a work/school account.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.


  4. Aryeh Guttman 1 Reputation point
    2021-01-03T07:31:27.017+00:00

    I tried this - set up an S2S VPN from Azure to our data center and joined a workstation at one of our branches to the Azure AD DS domain.

    There were a few issues:

    1. Only GPO computer policy was applied - both on the workstation and the management VM for AAD DS set up in Azure. I couldn't get user GPO policy applied by default - I had to set up loopback for that to work.
    2. I found no option to hybrid join to Azure AD - from what I understand, this only works with AAD Connect, which you can't use within the AAD DS domain. So there's no way I can see to get Intune working with this setup. This is what Microsoft says:

    Important
    Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Azure AD Connect in a managed domain to synchronize objects back to Azure AD.

    So it seems that this is not as great a solution as I thought it could be. Best to set up a VM as a regular DC with AAD Connect installed and have users join there through the VPN if you don't want an on-premises AD.

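The answers above come down to two things an administrator can verify on the workstation itself: the VPN path to the managed domain's domain controllers must actually work for the Group Policy client (answers 1 and 3), and user-scope settings may only arrive once loopback processing is configured (answer 4). The following PowerShell check is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the domain name ad.example.com from the question, that the workstation is already joined to the managed domain, and that gpresult produces its English-locale output; the function name Test-AaddsGpoPrerequisites is made up for the example.

```powershell
# Added example (not from this thread): prerequisite check for a VPN-connected
# Windows 10 machine that should receive GPOs from an Azure AD DS managed domain.
# Run in an elevated PowerShell on the domain-joined workstation.
# Assumption: domain name taken from the question; adjust -Domain as needed.
param(
    [string]$Domain = "ad.example.com"
)

function Test-AaddsGpoPrerequisites {
    param([string]$Domain)

    $result = [ordered]@{
        Domain             = $Domain
        DomainControllers  = @()
        UnreachableDcPorts = @()
        LoopbackMode       = "Not configured"
        AppliedUserGpos    = @()
    }

    # 1. Locate the managed domain's DCs via the SRV record the GPO client itself uses.
    #    If this fails, DNS over the VPN to the AAD DS VNet is broken and no policy will apply.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
        $result.DomainControllers = @($srv | Where-Object { $_.Type -eq "SRV" } |
            Select-Object -ExpandProperty NameTarget -Unique)
    } catch {
        Write-Warning "SRV lookup for _ldap._tcp.dc._msdcs.$Domain failed: $($_.Exception.Message)"
    }

    # 2. Group Policy needs Kerberos (88), LDAP (389) and SMB to SYSVOL (445) on each DC.
    #    Anything listed here points at a VPN routing or firewall gap.
    foreach ($dc in $result.DomainControllers) {
        foreach ($port in 88, 389, 445) {
            $tnc = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            if (-not $tnc.TcpTestSucceeded) {
                $result.UnreachableDcPorts += "${dc}:$port"
            }
        }
    }

    # 3. Loopback processing (the last answer needed it for user settings). The policy
    #    writes UserPolicyMode under HKLM\SOFTWARE\Policies\Microsoft\Windows\System
    #    (1 = Merge, 2 = Replace); no value means loopback is not configured.
    $sysKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
    $mode = (Get-ItemProperty -Path $sysKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($mode) {
        1 { $result.LoopbackMode = "Merge" }
        2 { $result.LoopbackMode = "Replace" }
    }

    # 4. Ask the Group Policy client which user-scope GPOs applied at the last refresh.
    #    Assumption: English-locale gpresult output, where the names follow the
    #    "Applied Group Policy Objects" heading and its underline until a blank line.
    $lines = & gpresult.exe /r /scope:user 2>$null
    $collecting = $false
    foreach ($line in $lines) {
        if ($line -match "Applied Group Policy Objects") { $collecting = $true; continue }
        if (-not $collecting) { continue }
        if ($line -match "^\s*-+\s*$") { continue }   # underline below the heading
        if ($line.Trim() -eq "") { break }            # end of the applied list
        $result.AppliedUserGpos += $line.Trim()
    }

    return [pscustomobject]$result
}

$report = Test-AaddsGpoPrerequisites -Domain $Domain
$report | Format-List

if ($report.DomainControllers.Count -eq 0 -or $report.UnreachableDcPorts.Count -gt 0) {
    Write-Warning "Managed-domain DCs are not fully reachable over the VPN; fix connectivity before troubleshooting GPO."
}
if ($report.AppliedUserGpos.Count -eq 0 -and $report.LoopbackMode -eq "Not configured") {
    Write-Warning "No user-scope GPOs applied and loopback is off; consider loopback processing on the computer OU."
}
```

Reading the result: an empty DomainControllers list or any entry in UnreachableDcPorts reproduces the "there has to be connectivity" condition from the answers, while a populated computer-side report with no AppliedUserGpos and LoopbackMode "Not configured" matches the symptom described in the last answer.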