Hello @Shauna Wekherlien,
Thank you for posting your query on Microsoft Q&A. In order to manage physical devices with Azure AD DS or an Azure-hosted AD DS service, the devices must be able to reach the VNet in which the DC is hosted. This mainly works for Azure-hosted VMs and AVD.
However, as a workaround, you could manage devices via Microsoft Intune without making them accessible to the VNet.
Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.
Only the network endpoints for Microsoft Intune should be accessible over the open network, and all GPO-like policies could be deployed from this management solution.
Intune (MEM) is a Microsoft MDM solution which is used to manage cloud-only, hybrid and mobile device environments. It would not help you deploy GPOs, but like-for-like policies. Please find below the actions you could take from Intune, with official documentation links:
- You could set device compliance policies (e.g. setting a minimum OS version / password).
- You could set device configuration policies (e.g. deploying certificate SCEP/PKCS/Wi-Fi profiles).
- Windows Update for Business policies.
- Endpoint protection policies (e.g. BitLocker / Windows Defender).
- Kindly refer to the planning guide for your objectives.
An Azure AD license would be needed to avail of Azure AD services like Azure AD Join/Register, MFA, Identity Protection, application registration, Azure Application Proxy and Conditional Access.
Azure AD just acts as an identity provider in the Azure environment, just like any on-prem hosted application could be accessed once the on-prem DS service validates it successfully.
Similarly, any authentication request accessing an Azure-registered application, VM, storage, etc. would need to be allowed by Azure AD.
Azure AD offers various identity control options based on your license. Kindly follow the feature comparison based on licenses for details.
Please "Accept the answer", "Upvote" and share your feedback (Yes/No) if the suggestion works as per your business need. This will help us and others in the community as well.
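As an added illustration of the first bullet above (device compliance policies with a minimum OS version and password requirement), the following PowerShell is example code written for this page, not something from the answer author or from Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Invoke-MgGraphRequest`) to create a Windows 10/11 compliance policy through the Graph `deviceCompliancePolicies` endpoint; it assumes the `Microsoft.Graph` module is installed and the signed-in account holds an Intune administrator role. The policy name, description, OS build and password values are constructed for the example and should be replaced with your own baseline.

```powershell
# Added example (not part of the original answer): create an Intune Windows
# compliance policy via Microsoft Graph. Requires the Microsoft.Graph module
# and an account with Intune admin rights (assumptions, see lead-in).

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"         = "#microsoft.graph.windows10CompliancePolicy"
    displayName           = "Example - Baseline Windows compliance"      # constructed name
    description           = "Minimum OS version, password and BitLocker requirements"
    osMinimumVersion      = "10.0.19045"     # constructed value: Windows 10 22H2; set your own baseline
    passwordRequired      = $true
    passwordMinimumLength = 8
    passwordRequiredType  = "alphanumeric"
    bitLockerEnabled      = $true
    secureBootEnabled     = $true
    # Graph requires at least one scheduled action when creating a compliance
    # policy; "block" with a 0-hour grace period marks devices non-compliant
    # immediately so Conditional Access can act on the state.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

# Read the policy back and confirm the settings that matter were stored,
# rather than trusting the POST response alone.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)"

if ($check.osMinimumVersion -ne $policy.osMinimumVersion -or
    -not $check.passwordRequired -or
    -not $check.bitLockerEnabled) {
    throw "Compliance policy '$($check.displayName)' was not created with the expected settings"
}

"Created compliance policy '$($check.displayName)' with id $($check.id)"
```

The policy does nothing until it is assigned to a device or user group (a separate `assign` call on the same resource), and a non-compliant state only restricts access when a Conditional Access policy in Azure AD requires compliant devices, which is the Azure AD license dependency the answer mentions.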