Unsolved Azure DC

---

Hi,

I am looking to see if this is possible. I would like to deploy GPO's to clients that are remote (connected to public, home networks). I was looking into Azure and having an Azure DC hosted with group policies. I was wondering if GPO's that are created on the Azure DC can be pushed when the azure client logs on (who are remote)?

Based on MS documentation, they are stating that Azure to on-prem syncing of this data is not possible:

-Group Policies: Group Policies configured in your on-premises domain are not synchronized to your managed domain.
-Sysvol share: Similarly, the contents of the Sysvol share on your on-premises domain are not synchronized to your managed domain.

However, I cannot find any documentation on if this is a possibility to have GPO's pushed to remote Azure clients from the Azure DC.

Nicholas,

I hope all is well. You are right on the on-prem hybrid sync, policies DO NOT sync up from your environment into Azure.

You DEFINATELY CAN DO what you would like however, as long as you are using a managed Active Directory instance hosted fully in Azure. Take a look at the following, as it will explain everything that you need to know, and how to go about it:

"Administer Group Policy on an Azure AD Domain Services managed domain" :

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-group-policy

Let me know if I can be of more help, or if you need any clarification(s) once you have had a chance to go through the material.

Good Luck !!!

Cheers,

Adam

Hi @Adam-Gordon,

Thanks for replying. You mentioned that this can happen if the AD instance is hosted FULLY in Azure. If we have a hybrid solution (syncing the on-prem AD accounts to the cloud Azure AD) this solution is not possible?

No where in the article it describes in detail what limitations exist. So, I am hoping we can deploy a GPO for those users that work from home.

Nicholas,

When you are using an on-premise AD infrastructure that you manage and maintain and then use Azure AD Connect to synch your user accounts into the Azure cloud, you are traditionally doing so in order to leverage the Single Sign-On capabilities that Azure provides for SaaS solutions like Office 365, Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, etc...

There are three versions of the Azure AD solution that can be deployed, depending on the choices that you/your company have made and the "pay-as-you-go" addition of features that you may be consuming, as noted below:

1. Azure Active Directory Basic - Designed for task workers with cloud-first needs, this edition provides cloud-centric application access and self-service identity management solutions. You get features like group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA of 99.9 percent uptime.

2. Azure Active Directory Premium P1 - adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity, and access management (IAM), identity protection, and security in the cloud. It supports advanced administration and delegation resources like dynamic groups and self-service group management. It includes Microsoft Identity Manager (an on-premises identity and access management suite) and provides cloud write-back capabilities enabling solutions like self-service password reset for your on-premises users.

3. Azure Active Directory Premium P2 - includes all the capabilities in Azure AD Premium P1 as well as Identity Protection and Privileged Identity Management. Azure Active Directory Identity Protection leverages billions of signals to provide risk-based conditional access to your applications and critical company data. Helps you manage and protect privileged accounts with Azure Active Directory Privileged Identity Management so you can discover, restrict, and monitor administrators and their access to resources and provide just-in-time access when needed.

Regardless of the Azure AD option that your company is using, you DO NOT use Group Policies to manage and control users and / or devices directly within Azure. The way that we accomplish access control to resources is via Group Membership and the use of Security Groups. Take a look at the following URL for a high level discussion of the basic concepts and then you can follow the links on the left hand column of the page to examine more topics as necessary to better understand your options:

"Manage access to resources with Azure Active Directory groups":

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-manage-groups

You will also want to pay attention to the distinctions for how devices are managed and whether they are Domain Joined or Domain Registered. The following article will give you an overview and again, look to the left hand column navigation area for additional topics as necessary to further refine and understand what you may want to do, and how to accomplish it.

"Introduction to device management in Azure Active Directory":

https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction

Hopefully these articles will help you to start figuring out what you would like to do. Please let me know if I can be of any additional assistance to further clarify, or answer any questions as you continue your research.

Good Luck !!!

Cheers,

Adam