HAADJ: Group Policy to Cloud Policy

**DISCLOSURE:** While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.

Active Directory Domain Services (AD DS) was introduced in Windows 2000 Server and has been a part of our lives for over twenty years. It was good at the outset and has only gotten better as it matured. Through nine releases of Windows Server, we have seen it blossom. I suspect (though without hard data) it is the most ubiquitous directory services provider in the world.

AD DS has helped us to manage our environments through Group Policy. Group Policy was the feature of Windows Server that was, for me, the EUREKA moment. I remember taking a class in the fall of 2001, and we learned about it. At the end of the day I went back to my office and started creating Group Policy Objects (GPOs) for everything! I wish I had understood then the importance of having a test environment, but that was a lesson learned.

Azure Active Directory (AAD) is a cloud identity service that is the sign-on service for cloud services such as Microsoft Azure, Microsoft 365, and Dynamics 365. As the cloud works differently from on-premises solutions, I do not know exactly when it was released… or at least, when it was first referred to as AAD.

AAD helps us to manage our environment (through Microsoft Endpoint Manager) with Configuration Service Provider (CSP) policies. These are the modern management policies that are meant to replace GPOs. A good thing too, because when I was first told that AAD did not have Group Policy I thought it was a reason to stick to on-premises.

If you were hoping this would be a technical article, let me stop you now: it is not. I will not go into anything deep or technical herein. Save that for later.

In the Microsoft Endpoint Manager admin center there is an option called Group Policy analytics. It allows us to upload our GPO settings and see if we can migrate them into CSPs, and how they would map. Incidentally, there is, as yet, no button that you can click that will do it for you, just a good map of what to do.

So for all these years, AD DS GPOs have been doing all of the work. They have been, for two decades, the way we have managed our PCs. Now, for the most part, we are looking to migrate to CSPs. So if we have Azure Active Directory, and we have CSPs, why do we still need AD DS?

There are many reasons.

Firstly, while the CSPs have come a long way, they are not completely ready for prime time. As an example: I recently posted an article on setting time synchronization through Intune (see article). I found out later that while you can set the policy, it will not actually work. I am sure it will someday, but not today. There are policy settings in Group Policy that do all sorts of things that you cannot yet do from the cloud.

Next, until all of your file servers are migrated to the cloud, you still need to be able to set and control permissions for on-prem resources. That is still done through AD DS.

The list goes on.

Recently I had a conversation with a customer, and I told him that you can look at AD DS as the founder of a business. He started it, he built it, and for years he put in the blood, sweat, and tears to establish and grow and prosper that business. He is passing it down to his children who are doing a great job, but they still do not have all of the skills… so Dad still comes into work every day… maybe not for the entire day, and he certainly never does overtime. Some days he comes in late or leaves early, and he takes a lot of vacations. He still comes in and draws a paycheque… but he is no longer expected to carry the full weight of the company. His children need his experience, his wisdom, and his institutional memory. They do not need him to shlep boxes.

Active Directory Domain Services is no longer the sole identity service; we have installed and configured Azure AD Connect (see article) so Azure AD is sharing the burden. We are recreating some of our GPOs in our CSPs and retiring a lot of the GPOs. Great, so AD DS is no longer the workhorse it once was, but that does not mean we are ready to retire it… not yet anyways. We still love it, and while we could do without it if we had to – if our entire on-premises environment were to be completely wiped out, I would likely suggest taking the opportunity to restore data to OneDrive rather than to on-premises servers, and take the plunge into a complete cloud environment – but we do not have to, so let’s take our time, take advantage of the institutional memory, and plan a staged migration to that eventual goal of an environment with no on-premises domain controllers… and no Active Directory Domain Services.
For a new company just starting out, there is little good reason to build an on-premises domain environment. For a company that has years of investment in building that on-premises infrastructure, there is little good reason to rip it all out and jump headlong into the cloud. A Hybrid Azure Active Directory Joined (HAADJ) environment will suit your needs and allow the phased migration, including retiring servers through attrition and retirement rather than just ripping them out.
