Can GPOs setup in a Microsoft Entra Domain Services managed domain be applied to devices that are in the Entra domain but not on Azure?

Bradley Bauer 20 Reputation points

We have an Azure subscription with an associated Entra tenant. We are cloud only and do not have an on premise AD server. We want to be able to setup GPOs that can be applied to computers that are Entra joined devices. Can that be accomplished by setting up GPOs in an Entra Domain Services managed domain?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,451 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marcin Policht 10,205 Reputation points MVP

    There are two built-in GPOs that you can use for this purpose.

    Details at

    However, keep in mind that you cannot join non-Azure VMs to Entra Domain Services domain, so this is applicable only to Azure VMs that are joined to the Entra Domain Services domain

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.



    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Andy David - MVP 141.5K Reputation points MVP

    In entra, you'll want to look at adminstrative units:

    There are no GPOs in Azure.

    Entra Domain Services really refer to a Windows Sub domain you create to handle legacy on-prem apps in Azure and it doesnt sound like that applies here:

    0 comments No comments