As far as I understand your query, I think you have a hybrid on-prem + Azure AD environment and you are trying to understand whether you can create group policies in Azure similar to the GPOs that you create in the on-premise domain. Let me explain this in a detailed manner.
I am assuming that you already know about on-premise group policy objects, which can be created to manage different aspects of on-premise Windows Active Directory infrastructure, and that you have newly started to set up a hybrid infrastructure where your on-premise Active Directory is synced to Azure AD.
When we say Azure policy, it means the policy that can be applied to Azure resources within the Azure subscription, or, if you would like to manage multiple subscriptions by clubbing them under a management group, you can apply the policy on the management group. This is to say that Azure policy does not apply to Azure Active Directory, and even group policy objects do not apply to Azure Active Directory. Azure policy and GPO (on-prem GPO) are not the same. There is nothing similar to group policy objects on the Azure AD side. Azure Active Directory is not a drop-in replacement for an on-premise Active Directory environment; however, the security that on-premise GPOs provide can be attained in the cloud too, using different ways.
The hybrid cloud environment refers to a way where you can sync your on-premise environment to Azure AD. You can sync users, groups and device objects to the cloud. Azure AD serves mainly as an object store and application identity backend for all kinds of modern applications. It was not designed to be the same as on-premise AD. As you know, group policy functionality depends on domain controller availability; however, Azure AD is a distributed service which is geographically agnostic, meaning it is available across the globe no matter where you are, so there is no concept of domain controllers in Azure AD. Since there are no DCs, no GPOs apply there. GPOs mainly provide governance and security policies via registry values on the user's devices. This can be achieved for devices directly connected using Azure AD by using Intune device policies. Microsoft Intune provides most of the policies which on-prem GPO provides.
To sum up, on-prem GPO cannot apply to Azure AD users. You can create Azure policy, but Azure policy is not the same as GPO and does not apply to Azure AD users. Now that we have significant background on how things will work and what all won't work by design, let me try to answer your queries:
- If I make a policy in Azure, how will it be implemented? Will it be applicable to all users of on-prem and AAD?
-- If you make a policy in Azure it won't be implemented on-premise. It can only be implemented on resources in the Azure cloud which you can see within your subscription. Azure Active Directory is not one of those resources where Azure policy can apply in the same way as GPOs apply in on-premise Active Directory.
- Does the AAD user need to log in to a device before it takes effect?
-- No. Logging in to a device helps in device registration if you have it set up in your environment. You can read more in the linked article. The group policy engine will treat this device as an on-prem device and GPO will apply using the on-prem infrastructure of domain controllers, similar to any normal device. AAD does not come into the picture, as explained above.
- Moreover, AAD Connect is not bi-directional, so how will the policy made in Azure take effect for on-prem users?
-- You are correct in your assumption that AAD Connect is not bi-directional, so there will be no policy transfer from Azure AD to on-prem, as Azure policy does not apply to Azure AD users the same way GPO applies to on-prem users.
- Or is it possible, if I make a GPO on my on-prem AD, that it can work for AAD users as well? How does this work?
-- Since your users are synced to Azure AD in a hybrid environment, the policies will apply on devices which are hybrid joined to Azure AD. Ideally the group policy engine requires line of sight to a domain controller. So whether devices are hybrid Azure AD joined or not, the group policy will apply on them.
Generally in a hybrid environment you already have devices and users synced to Azure AD. Most organizations opt for Microsoft 365 E3/E5 or EMS E3/E5 licenses, depending upon your requirements, which will provide you Intune-based device management capabilities. If you are a Microsoft partner you can engage with technical presales consulting with the internal teams, but you are required to be part of the Microsoft Partner Network as mentioned in the linked article.
I hope this helps clarify how a hybrid structure works in terms of group policy and the limitations around it. In case you have any other queries, or you believe we have misunderstood your queries, please let us know and we will help you clarify further. If the information provided is helpful, please do accept the post as the answer, so that this will improve the relevancy of this post and increase the discoverability of the information for other users in the community searching for similar queries.
Thank you.
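As an added example that is not part of the answer above, the following PowerShell script shows how an administrator can check, per device, which of the two policy engines discussed here can actually reach it: GPO (needs the on-prem domain join and a reachable DC) or Intune/MDM (needs an MDM enrollment, no DC). It parses the real `dsregcmd.exe /status` fields `AzureAdJoined`, `DomainJoined` and `MdmUrl`; the function names `ConvertFrom-DsregcmdStatus` and `Get-PolicyReach` are this example's own, and the sample output embedded below is constructed so the script runs offline.

```powershell
# Added example: classify a Windows device's join state from dsregcmd /status
# output and report which policy engine (GPO vs Intune/MDM) can apply to it.
# The parser and classifier are illustrative helpers, not a Microsoft tool.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # Data lines look like "    AzureAdJoined : YES"; banner lines
        # ("+----", "| Device State |") contain no "key : value" pair.
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-PolicyReach {
    param([Parameter(Mandatory)][hashtable]$Fields)
    $domainJoined = $Fields['DomainJoined']  -eq 'YES'
    $aadJoined    = $Fields['AzureAdJoined'] -eq 'YES'
    $mdmEnrolled  = -not [string]::IsNullOrWhiteSpace($Fields['MdmUrl'])

    $joinType = if ($domainJoined -and $aadJoined) { 'Hybrid Azure AD joined' }
                elseif ($domainJoined)             { 'Domain joined only' }
                elseif ($aadJoined)                { 'Azure AD joined' }
                else                               { 'Workgroup / unjoined' }

    $note = if (-not $domainJoined -and -not $mdmEnrolled) {
                'Neither GPO nor Intune policy will reach this device'
            } elseif ($aadJoined -and -not $domainJoined) {
                'Cloud-only device: manage with Intune, GPO cannot apply'
            } else { 'GPO applies via the on-prem DCs; Intune applies if enrolled' }

    [pscustomobject]@{
        JoinType       = $joinType
        GpoCanApply    = $domainJoined   # GPO needs the domain join + DC line of sight
        IntuneCanApply = $mdmEnrolled    # MDM policy needs an enrollment, not a DC
        Note           = $note
    }
}

# Constructed sample: abridged dsregcmd /status output for a hybrid joined PC.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Get-PolicyReach (ConvertFrom-DsregcmdStatus $sample) | Format-List

# On a real device, feed the live output instead of the sample:
# Get-PolicyReach (ConvertFrom-DsregcmdStatus (dsregcmd.exe /status)) | Format-List
```

For the constructed sample the script reports `Hybrid Azure AD joined`, `GpoCanApply = True` and `IntuneCanApply = True`, which matches the answer's point: the device still gets GPO from the on-prem domain controllers, and Intune is the only path that reaches a device which is Azure AD joined without a domain join.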