Knowledge Junction
Azure Identity And Access Management Part 31 – Azure Active Directory – Domain Service ( Azure AD-DS) 6 – Manage Group Policy Object (GPO)

July 22, 2020 / August 9, 2020 ~ Manas Ranjan Moharana



Hello Friends,

Hope you all are doing good !!!

In our last article we discussed how to create an Organizational Unit (OU). In this article we will discuss how to manage Group Policy Objects (GPOs) in an Azure Active Directory Domain Services managed domain.

If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.

Part 1 – Azure Active Directory – Overview

Part 2 – Azure Active Directory – Enterprise Users

Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell

  • *
  • *
  • *

Part 20 – Azure Active Directory – Entitlement Management 2 – Entitlement Management Roles 1 – Administrator And Catalog Creator

Part 21 – Azure Active Directory – Entitlement Management 3 – Entitlement Management Roles 2 – Access Package Manager

Part 22 – Azure Active Directory – Entitlement Management 4 – Entitlement Management Roles 3 – Requestor And Approver

Part 23 – Azure Active Directory – Terms Of Use

Part 25 – Azure Active Directory – Identity Governance

Part 26 – Azure Active Directory – Domain Service ( Azure AD-DS) 1 – Overview

Part 27 – Azure Active Directory – Domain Service ( Azure AD DS) 2 – Configure An Azure AD DS Managed Domain

Part 28 – Azure Active Directory – Domain Service ( Azure AD-DS) 3 – Join Windows Server VM To An Azure AD DS Managed Domain

Part 29 – Azure Active Directory – Domain Service ( Azure AD-DS) 4 – Install Management Tools In A Domain Joined VM

Part 30 – Azure Active Directory – Domain Service ( Azure AD-DS) 5 – Create An Organizational Unit (OU)

Next Article : Part 32 – Azure Active Directory – Application Management 1 – Overview

Azure AD DS Group Policy Objects (GPO) :

Group Policy Objects (GPOs) play a very important role in Azure Active Directory Domain Services (Azure AD DS). Using GPOs, we can manage the settings of user objects and computer objects. Azure AD DS includes built-in GPOs for the AADDC Users and AADDC Computers containers. We can customize these built-in GPOs to configure Group Policy as required for our organization, and admins can also create custom GPOs. Members of the Azure AD DC administrators group have Group Policy administration privileges in the Azure AD DS domain.

In a hybrid environment, group policies configured in an on-premises AD DS environment aren’t synchronized to Azure AD DS. If we want to define configuration settings for users or computers in Azure AD DS, we need to edit one of the default GPOs or create a custom GPO.

Prerequisites :

Before we proceed to create our custom group policy, we need the following resources and privileges.

  • An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
  • A Windows Server management VM that is joined to the Azure AD DS managed domain.
  • A user account that’s a member of the Azure AD DC administrators group in your Azure AD tenant.

Lab Exercises :

Install Group Policy Management Tools In Domain Joined VM :

The Group Policy Management tools are needed to manage and configure Group Policy Objects (GPOs). If they are not installed yet, we need to install them; they can be installed as a feature in Windows Server. Let’s go through the following steps and install them.

Step 1 – Log in to the Azure Portal and create a new Windows Server Virtual Machine (VM) in the same VNet where we have configured our Azure AD DS, but in a different subnet. I have created a virtual machine named ‘Manas-AADDS’. How to join this VM to the managed domain and install the administrative tools on it was discussed in our previous sessions.

Figure 1 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – VM To Be Join

Step 2 – Let’s connect to the VM. As we can see in the following figure, there are different ways to connect to the VM. Here I am connecting to the VM through Bastion. In the Overview pane for our VM, select Connect, then Bastion => provide the credentials of a user who is a member of the built-in AAD DC Administrators group and click Connect to connect to the VM.

Figure 2 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Login To VM

Step 3 – After we have connected to the VM, select Administrative Tools from the Start screen. Select the Start menu => choose Server Manager. Under ‘Configure this local server’, click the Add roles and features link as shown in the following figure.

Figure 3 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services- Install Group Policy Management feature 1

Step 4 – This will take us to Add Roles and Features Wizard. We can skip the first Before you begin section. So let’s click Next button to proceed to the next page.

Figure 4 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Install Group Policy Management feature 2

Step 5 – On the Installation Type section, keep the default setting, leave the Role-based or feature-based installation option selected and click the Next button.

Figure 5 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Install Group Policy Management feature 3

Step 6 – On the Server Selection page, choose the current VM from the server pool, here it is Manas-AADDS.manasmoharana.microsoft.com, then click the Next button as shown in the following figure.

Figure 6 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Install Group Policy Management feature 4

Step 7 – On the Server Roles section, keep the default setting and click the Next button.

Figure 7 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Install Group Policy Management feature 5

Step 8 – On the Features section, select the Group Policy Management feature as shown in the following figure.

Figure 8 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Install Group Policy Management feature 6

Step 9 – On the Confirmation section, click the Install button to install the Group Policy Management tools.

Figure 9 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Install Group Policy Management feature 7

Step 10 – Once the required feature installation is complete, click Close to complete the installation.

Figure 10 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Install Group Policy Management feature 8

As shown in the following figure, we can see the result by clicking the notification at the top-right side of the page, and here we can see that our feature was installed successfully on the server.

Figure 11 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Install Group Policy Management feature 9
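The same installation can be done and verified from an elevated PowerShell session on the domain-joined management VM. The following script is an added example, not code from the original post; it assumes Windows Server with the ServerManager module available (the feature name GPMC is the Server Manager name for the Group Policy Management tools).

```powershell
# Added example (not from the original post): install the Group Policy
# Management tools on the domain-joined management VM and verify that the
# GroupPolicy PowerShell module is usable afterwards.
# Run in an elevated PowerShell session on the Windows Server VM.

$featureName = 'GPMC'   # Group Policy Management console and the GroupPolicy module

# Check the current state before changing anything (safe to re-run)
$feature = Get-WindowsFeature -Name $featureName
if (-not $feature) {
    throw "Feature '$featureName' is unknown on this server; is this Windows Server?"
}

if ($feature.Installed) {
    Write-Host "'$featureName' is already installed, nothing to do."
}
else {
    $result = Install-WindowsFeature -Name $featureName -IncludeManagementTools
    if (-not $result.Success) {
        throw "Installation of '$featureName' failed (exit code: $($result.ExitCode))."
    }
    Write-Host "Installed: $($result.FeatureResult.DisplayName -join ', ')"
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before the feature is fully usable.'
    }
}

# Verification: the GroupPolicy module must load and expose its cmdlets,
# otherwise the GPO steps in the next sections cannot be scripted.
Import-Module GroupPolicy -ErrorAction Stop
$cmdletCount = (Get-Command -Module GroupPolicy | Measure-Object).Count
Write-Host "GroupPolicy module loaded with $cmdletCount cmdlets (e.g. Get-GPO, New-GPO, New-GPLink)."
```

`Get-WindowsFeature` is used first so the script reports the existing state instead of blindly reinstalling, and the final `Import-Module` is the actual check that the tools work, not just that Server Manager reported success.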

Modify Existing GPO in Managed Domain :

In the above section, we have installed Group Policy Management feature. Now we can view and edit an existing GPO using this feature/tool. To administer group policy in a managed domain, we must be signed in to a user account that’s a member of the AAD DC Administrators group. In our case we will use uday@manasmoharanagmail.onmicrosoft.com. So let’s start with managing GPO using Group Policy Management console by going through the following steps.

Step 1 – Considering we are connected to our VM using web based RDP, go to the Start screen and select Administrative Tools. It will show a list of available management tools, including the Group Policy Management tool installed in the above section.

Figure 12 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Launch Group Policy Management

Step 2 – Select Group Policy Management to open the Group Policy Management Console (GPMC) as shown in the following figure, where we can see our domain manasmoharana.onmicrosoft.com.

Figure 13 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Group Policy Management Console

Step 3 – As we can see on the left side of the following figure, under the manasmoharana.onmicrosoft.com managed domain there are two built-in Group Policy Objects (GPOs): AADDC Computers and AADDC Users.

Figure 14 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Modify Built-in GPO 1

We can customize built-in GPOs to configure group policy as required by our organization within our managed domain.

Step 4 – Select the GPO we want to modify and choose Edit from the context menu as shown in the following figure.

Figure 15 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Modify Built-in GPO 2

Step 5 – The Group Policy Management Editor tool opens to let us customize the GPO. As we can see in the following figure, there are two sections: Computer Configuration and User Configuration. Let’s modify the password policy under Computer Configuration.

Figure 16 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Modify Built-in GPO 3

Step 6 – So expand Computer Configuration => Windows Settings => Account Policies => Password Policy => modify the Minimum password age property as shown in the following figure => OK => File menu => click Save to save the changes. Group Policy settings are refreshed every 90 minutes, so the update is synchronized at the next refresh.

Figure 17 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Modify Built-in GPO 4

Create And Edit A Custom Group Policy Object :

Azure AD Domain Services supports simple Group Policy in the form of one built-in GPO each for the users and computers containers. As we know, managed domains provided by Azure AD Domain Services support only a flat OU (Organizational Unit) structure: all domain-joined machines reside in a single flat OU. We can create our own custom Group Policy Object (GPO) and link it to our custom Organizational Unit (OU).

In our last article we discussed how to create an OU. Now we will discuss how to create a GPO and link it to our new OU ‘Knowledge Junction’.

Step 1 – Now we are in the Group Policy Management Console (GPMC). Expand the domain; it will show all available OUs. In the following figure we can see our Knowledge Junction OU, and at the moment there is no GPO linked to it.

Figure 18 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Knowledge Junction OU

Step 2 – To create a custom GPO for our Knowledge Junction OU, click the ‘Create a GPO in this domain and link it here…’ option in the context menu as shown in the following figure.

Figure 19 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Create Custom GPO 1

Step 3 – A pop-up will appear asking for the name of the new GPO. Let’s give it a name as per the naming convention of our organisation. I am giving ‘Knowledge Junction User Policies’ as the name, leaving the rest of the settings as they are, and clicking OK.

Figure 20 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Create Custom GPO 2

Step 4 – As we can see in the following figure, our new custom GPO has been created; now let’s modify it to satisfy our requirement. To modify this GPO, we follow the same process as when we modified the built-in GPO: select the GPO and click Edit from the context menu.

Figure 21 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Created New Custom GPO

Step 5 – Let’s assume that, for security reasons, our GPO needs to require a complex password. To enforce a complex password, we modify the password policy, enable the ‘Password must meet complexity requirements’ option and save the changes as shown in the following figure.

Figure 22 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Modify custom GPO
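The two procedures above, reviewing the built-in GPOs and creating a custom GPO linked to the Knowledge Junction OU, can also be scripted and, more importantly, verified. The following script is an added example, not code from the original post; it assumes the GroupPolicy and ActiveDirectory modules are installed on the management VM (the ActiveDirectory module comes with the RSAT-AD-PowerShell feature), that you run it as a member of the AAD DC Administrators group, and it reuses the OU and GPO names from this article. One check worth doing at the end: in AD DS the Password Policy settings under Account Policies apply to domain accounts only from a GPO linked at the domain level; linked to an OU they affect only the local accounts of the computers in that OU, so the effective domain password policy should be read back rather than assumed.

```powershell
# Added example (not from the original post): create a custom GPO, link it to
# the 'Knowledge Junction' OU, and verify links, settings and the effective
# domain password policy. Requires the GroupPolicy and ActiveDirectory modules
# and an account that is a member of AAD DC Administrators.
Import-Module GroupPolicy -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop   # from the RSAT-AD-PowerShell feature

$ouName  = 'Knowledge Junction'                   # OU created in Part 30
$gpoName = 'Knowledge Junction User Policies'     # GPO name used in this article

# 1. Review the GPOs the managed domain already has (built-in AADDC Users / AADDC Computers)
Write-Host 'Existing GPOs in the managed domain:'
Get-GPO -All | Select-Object DisplayName, GpoStatus, ModificationTime | Format-Table -AutoSize

# 2. Resolve the OU's distinguished name instead of hard-coding the DC= components
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'"
if (-not $ou) { throw "OU '$ouName' not found; create it first." }
$ouDn = $ou.DistinguishedName

# 3. Create the GPO only if it does not exist yet, so re-running the script is harmless
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Custom policy for the $ouName OU"
    Write-Host "Created GPO '$gpoName' with id $($gpo.Id)"
}
else {
    Write-Host "GPO '$gpoName' already exists (id $($gpo.Id))"
}

# 4. Link it to the OU unless a link is already present (this is what
#    'Create a GPO in this domain and link it here' does in the GPMC)
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
    Write-Host "Linked '$gpoName' to $ouDn"
}

# 5. Show what is linked at the OU; Order 1 has the highest precedence
Write-Host "GPO links on ${ouDn}:"
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# 6. Export a settings report so the change can be reviewed and kept for audit
$reportPath = Join-Path $env:TEMP (($gpoName -replace '\s', '_') + '.html')
Get-GPOReport -Name $gpoName -ReportType Html -Path $reportPath
Write-Host "Settings report written to $reportPath"

# 7. Password Policy settings are domain-scoped: read back what domain accounts
#    actually get, rather than trusting the OU-linked GPO to change it.
Write-Host 'Effective domain password policy:'
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MinPasswordAge, MaxPasswordAge, LockoutThreshold |
    Format-List
```

After the link is in place, the policy reaches domain-joined computers at the next refresh interval mentioned above; `gpupdate /force` on a member VM applies it immediately, and `gpresult /h result.html` on that VM shows which GPOs were actually applied and which settings won.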

With the above information, I am concluding this article. Hope this post helps you.

As I am exploring Azure Identity and Access Management (IAM) in detail, especially with Active Directory, please let me know if I missed anything important or if my understanding is not up to the mark.

Next Article : Part 32 – Azure Active Directory – Application Management 1 – Overview

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.

Thanks for reading 🙂
