
Cloud-Only AD/Azure AD Authentication with Group Policy and Shares


Good evening,

I am trying to implement a 50-user remote working cloud-only solution using Office 365 (E3 subscriptions) and Azure.

Requirements

    Authenticate on all laptops against Azure AD or AD on a VM in Azure.
    Use Office 365 (desktop apps and OneDrive) seamlessly using their Azure/Office 365 logon credentials.
    Receive Group Policy to lock down laptops/desktops on the domain.
    Restrict users to non-administrator operations on the laptops.
    Ideally, access file shares on a file server in Azure in a traditional \\server\share fashion / mapped drive.

Options we have tried:

A) Joining a laptop/desktop to Azure AD - It joins, but there doesn't seem to be any benefit other than pass-through authentication to Office 365 desktop apps. You cannot distribute Group Policies over Azure AD, and the Azure AD user still remains a local administrator on their local machine. I understand that Azure AD is different to a traditional DC AD, but I'm struggling to see any use for it in this scenario?

B) Azure AD Join with Microsoft Intune MDM - The user can log in with their Azure AD/Office 365 credentials, but the policies defined in Intune do not appear to apply correctly. There seem to be some differences between the current and classic Intune portals. We've spent a lot of time working on this one, but it became so problematic and buggy that we have abandoned this route. We also discovered it does not offer the full range of Group Policies we want/need and also carries further cost per user - if all we want to do is administer laptops in a standard Group Policy way, this seems a little convoluted and more focused on MDM.

C) DirectAccess / Always-On VPN (Not Supported!) - The idea was to connect directly to an Azure VM running as a DC and get Group Policy and authentication this way. However, DirectAccess and Remote Access are not supported on any Windows Server VMs on Azure.

D) Point-to-Site VPN Connection to Azure - Followed the official Microsoft steps to set up a P2S service on Azure and the client connection. Got a working connection to the VPN and also connected the AD VM to the same VPN; can ping it and RDP to it no problem, but cannot access file shares (even using the IP). The file sharing issue appears to be related to a problem with passing through the credentials to the file server. It is also not possible (without hacking about) to automatically dial an Azure Point-to-Site VPN connection before login like you can with DirectAccess - thus not allowing you to log on to your Azure AD/DC.

In Summary - Next Steps?

At this point I am wondering why what can be achieved with a VPN to a private cloud (non-Azure) seems impossible on Azure.

I feel like I am missing something really fundamental here!

Any help/advice would be gratefully received!

Chris
P.S. - Had to remove the links as Microsoft hasn't verified my forum account (1st post).
