Few things were more revolutionary in the world of Microsoft® Active Directory® (AD) than the introduction of Group Policy Objects (GPOs). GPOs presented a new way to manage Windows® system policies, configurations, and security settings. With them, the IT admin had more control than ever over their Windows realm.
Yet with the migration of IT resources to the cloud, system management has changed. Previously simple tasks that AD could execute have become more nuanced. And with Azure AD in particular, there are a number of limitations to consider.
GPOs, Azure, and Active Directory
Traditionally, popular GPOs included system-hardening controls and policies like Full Disk Encryption, Lock Screens, and Control Panel Access among hundreds of others. IT admins can leverage GPOs to configure almost anything on a Windows® system, but more importantly, they can do so from one location — Active Directory.
Azure AD is different from Active Directory. AD is most often leveraged as an enterprise’s core on-prem IdP, managing the majority (if not all) of an organization’s Windows-based Identity and Access Management (IAM). Azure AD, on the other hand, federates those identities outside of the on-prem AD domain (primarily to connect to Azure and Office 365™) and serves as a single sign-on (SSO) solution for web applications.
As such, Azure AD doesn’t manage access to on-prem resources, with the exception of Windows 10 systems. It does help to manage users within the Azure platform, but when it comes to managing policies, IT admins need to use Azure AD Domain Services (AAD DS).
So Can Azure Leverage GPOs?
Out of the box, Azure AD does not utilize GPOs for the management of user settings and computer objects. Instead, it requires the addition of Azure AD Domain Services.
This is because when Microsoft introduced Azure AD as an Active Directory extension to the cloud, instead of implementing the complexity of GPOs, they created Device Restrictions within that platform. And because Azure AD is a user management system for Azure and Office 365, it’s not the …
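The practical consequence of the two points above (GPOs carry the classic hardening controls, and an Azure AD-only join receives no GPOs) is that a migrated Windows 10 host can silently lose settings an admin assumed were enforced. The script below is an added example written for this page, not code from the original post or from Microsoft: it reports how a host is joined by parsing `dsregcmd /status`, then checks the well-known registry locations that the screen-lock and Control Panel Group Policy settings write to, plus BitLocker protection on the system drive. The 900-second idle threshold is an assumed baseline, not a value from the article.

```powershell
# Added example: audit a Windows 10 host for the hardening controls the article
# names as typical GPO targets and report its join state. Run in an elevated
# PowerShell session on the host being checked. Policy registry paths are the
# standard locations the corresponding Group Policy settings write to.

function Get-JoinState {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES" and "DomainJoined : NO"
    $out = & dsregcmd.exe /status 2>$null
    $state = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in $out) {
        if ($line -match '^\s*AzureAdJoined\s*:\s*YES') { $state.AzureAdJoined = $true }
        if ($line -match '^\s*DomainJoined\s*:\s*YES')  { $state.DomainJoined  = $true }
    }
    return [pscustomobject]$state
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the policy key or value is absent, i.e. nothing enforces it
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-HardeningControls {
    param([int]$MaxIdleSeconds = 900)   # assumed baseline for the lock-screen timeout

    # User Configuration > Administrative Templates > Control Panel > Personalization
    $desktop  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    # User Configuration > Administrative Templates > Control Panel > "Prohibit access to Control Panel"
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    $timeout  = Get-PolicyValue $desktop  'ScreenSaveTimeOut'    # REG_SZ, seconds
    $secure   = Get-PolicyValue $desktop  'ScreenSaverIsSecure'  # REG_SZ, "1" = password on resume
    $noCPanel = Get-PolicyValue $explorer 'NoControlPanel'       # REG_DWORD, 1 = blocked

    # Full-disk encryption: BitLocker protection status on the OS volume
    $bde = $null
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        LockScreenEnforced     = ($secure -eq '1') -and ([int]$timeout -gt 0) -and ([int]$timeout -le $MaxIdleSeconds)
        ControlPanelRestricted = ($noCPanel -eq 1)
        FullDiskEncryptionOn   = ($null -ne $bde) -and ($bde.ProtectionStatus -eq 'On')
    }
}

$join = Get-JoinState
$ctl  = Test-HardeningControls

"Join state:";        $join | Format-List | Out-String
"Hardening controls:"; $ctl | Format-List | Out-String

if ($join.AzureAdJoined -and -not $join.DomainJoined) {
    "Host is Azure AD joined only: no GPOs apply here. Any control reported False above " +
    "must be delivered through Azure AD device restrictions (or Azure AD Domain Services), not Group Policy."
}
```

A `False` on a domain-joined host points at a GPO that is not reaching the user (scope, filtering, or replication), while the same `False` on an Azure AD-only host is expected unless a device restriction profile covers it; running the audit before and after a migration makes that drift visible.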