Azure Active Directory Domain Service GPO on Windows 10 VM on Premise

asked 2023-01-01T15:11:55.007+00:00
Claudio Cannatella 1 Reputation point


I have a question for understanding.

I have a special constellation. We do not have an on premise server. Our users have a Microsoft 365 account and therefore in Azure Active Directory. My idea is to ban the users from some features in Windows 10 using GPO. I have installed Azure Active Directory Domain Service. To do this, I configured a Server 2019 in Azure and installed Group Policy Management Tools.

In the AADDS I see the users from Azure Active Directory. Now I have customized the existing AADDS User GPO. Unfortunately the policies are not transferred to the user.

Do the GPOs only work with Windows 10 VMs created in Azure?

Thx for Help


3 answers

  1. answered 2023-01-01T16:49:52.633+00:00
    Jordan M 781 Reputation points

    You can utilize Intune (Endpoint Manager). Here's a starting point for you: intune-administrative-template. You can also create custom ones or even just deploy PowerShell scripts.


    Please accept as an answer if this was helpful.

  2. answered 2023-01-01T21:17:28.89+00:00
    Pavel Yannara Mirochnitchenko 6,911 Reputation points

    GPOs work only for AD DS joined computers.

    For managing workstations with policies, you really don't have to install on-prem Active Directory and use GPO. You can do everything in Intune.

  3. answered 2023-01-03T07:43:16.96+00:00
    Limitless Technology 8,791 Reputation points

    Hello there,

    Azure AD DS includes built-in GPOs for the AADDC Users and AADDC Computers containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment.

    More information here

    Azure VM that is domain joined to an On-Prem Active Directory domain would be able to pull GPOs from the On-Prem Active Directory Domain Controllers. Group Policies would get applied on this just like a normal server in the On-Prem AD Domain.

    We need to make sure that the Azure VM is able to speak to a DC without any network issues, and that would get the Group Policy objects flowing from the DC to the Azure VM.


    --If the reply is helpful, please Upvote and Accept it as an answer--

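Added example, not part of any answer above: a PowerShell check that reads the join state from `dsregcmd /status` output and reports whether domain GPOs can reach the device, following the point in the answers that GPOs apply only to domain-joined computers. The function name `Get-JoinState` and the sample output are constructed for illustration.

```powershell
# Classify a Windows device's join state from `dsregcmd /status` output.
# Get-JoinState is a hypothetical helper name; the sample text is constructed.
function Get-JoinState {
    param([string[]]$StatusLines)

    # dsregcmd prints "Name : Value" pairs; keep only the fields needed here.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $domainJoined = $state['DomainJoined'] -eq 'YES'
    $aadJoined    = $state['AzureAdJoined'] -eq 'YES'

    # Domain GPOs are processed only by domain-joined machines.
    $channel = if ($domainJoined -and $aadJoined) {
        'Domain GPO applies (hybrid joined); MDM policy possible as well'
    } elseif ($domainJoined) {
        'Domain GPO applies'
    } elseif ($aadJoined) {
        'No domain GPO; manage with Intune (MDM) policy instead'
    } else {
        'Not joined; neither domain GPO nor Azure AD device policy applies'
    }

    [pscustomobject]@{
        DomainJoined  = $domainJoined
        AzureAdJoined = $aadJoined
        DomainName    = $state['DomainName']
        PolicyChannel = $channel
    }
}

# Constructed sample: an Azure AD joined laptop that is not in any AD DS domain.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                DeviceName : CONSTRUCTED-PC01
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample
# On a live device: Get-JoinState -StatusLines (dsregcmd /status)
```

If the result shows the device is domain joined and a policy still does not arrive, `gpresult /r` on that device lists which GPOs were applied.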