Can GPOs setup in a Microsoft Entra Domain Services managed domain be applied to devices that are in the Entra domain but not on Azure?

Question

We have an Azure subscription with an associated Entra tenant. We are cloud only and do not have an on premise AD server. We want to be able to setup GPOs that can be applied to computers that are Entra joined devices. Can that be accomplished by setting up GPOs in an Entra Domain Services managed domain?

Answer 1

There are two built-in GPOs that you can use for this purpose.

Details at https://learn.microsoft.com/en-us/entra/identity/domain-services/manage-group-policy

However, keep in mind that you cannot join non-Azure VMs to Entra Domain Services domain, so this is applicable only to Azure VMs that are joined to the Entra Domain Services domain

---

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Answer 2

In entra, you'll want to look at adminstrative units:

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/administrative-units

There are no GPOs in Azure.

Entra Domain Services really refer to a Windows Sub domain you create to handle legacy on-prem apps in Azure and it doesnt sound like that applies here:

https://learn.microsoft.com/en-us/entra/identity/domain-services/overview