can remtoe Team deploy GPOs on machines without VPN on Azure AD

Shauna Wekherlien 0 Reputation points
2023-02-01T17:58:36.6866667+00:00

We are a remote team and looking to acheive GPO on machines without a VPN using Azuer AD. Is it possible via deploing a managed server in Azure and control all machines via that server without a VPN? We do not have any on prem infra. we are fully remtoe with 100 machiens globally. Currently running Azure p1 Trail.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,615 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Akshay-MSFT 14,786 Reputation points Microsoft Employee
    2023-02-03T11:05:55.9066667+00:00

    Hello @Shauna Wekherlien ,

    Thank you for posting your query on Microsoft Q&A. In order to manage physical devices with Azure ADDS or Azure hosted ADDS service the devices must be accessible to Vnet in which the DC is hosted. This is majorly works for Azure hosted VM's, AVD.

    However as a workaround you could manage devices without getting them accessibly to Vnet via Microsoft Intune.

    Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.

    Only Network endpoints for Microsoft Intune should be accessible via open network and all GPO like policies could be deployed from this management solution.

    Intune (MEM) is a Microsoft MDM solution which is used to managed cloud only, hybrid and mobile device environments. It would not help you deploy GPO but like for like policies. PFB actions with you could do from Intune with official documentation links:

    Azure AD license would be needed for availing Azure AD services like Azure AD join/Register, MFA, Identity protection, Application registration, Azure Application proxy, Conditional access.

    Azure AD just acts as an Identity provider on Azure environment. Just like any on-prem hosted application could be accessed once On-prem DS service validates it successfully.

    Similarly any authentication request accessing Azure registered application, VM, storage etc. would need to be allowed by Azure AD.

    Azure AD offers various identity control options based on your license. Kindly follow Feature comparison based on licenses for details.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer", "Upvote" and share your feedback (Yes/No) if the suggestion works as per your business need. This will help us and others in the community as well.


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more

  3. Akshay-MSFT 14,786 Reputation points Microsoft Employee
    2023-02-06T09:18:49.4866667+00:00

    @Shauna Wekherlien

    You could use Azure Point to site VPN, for pricing kindly refer Azure VPN pricing :

    Thanks,

    Akshay Kaushik

    Please "Accept the answer", "Upvote" and share your feedback (Yes/No) if the suggestion works as per your business need. This will help us and others in the community as well.