I need to implement an AD and GPO in the company. It is an education company, but since it is an e-learning platform, 80% of the employees work from home.
I saw Entra ID as a good option, the Office 365 A1 Education license seems to have the necessary functions to allow users to join the domain, etc. But it does not work to create the domain without it apparently, since I do not have permission to create the resource group in our license, I receive the error "You do not have permission to create resource group under subscription Subscription 1". I do not think it is a permission issue, since I am a Global Admin.
Would it be a permission issue or does Entra ID Education not allow me to create the Resource Groups to create the AD?
If I need a license, would it be a P1/P2 license for one user sufficient for the AD and the A1 Edu license would be enough for the other users? Or am I forgetting some specific license for creating the AD (like something from Azure)?
Would an on-premises AD with Entra Connect serve this purpose? Would the PCs connect to AD via Microsoft Entra?
The error "You do not have permission to create resource group under subscription" is because creating a resource group is an Azure subscription-level operation, and Global Admin in Entra ID does not automatically give you rights in Azure subscriptions.
Hence your account needs either the Owner or Contributor role in the Azure subscription.
You can verify the Azure subscription access by navigating to Azure portal -> Subscriptions -> select your subscription -> Access control (IAM) -> Role assignments -> check whether the Contributor or Owner role is assigned; if not, ask the subscription owner to grant the role.
And yes, a P1/P2 license for one user is sufficient (refer to Is a P1/P2 Entra ID license per user or per tenant? - Microsoft Q&A).
If your goal is to implement an AD and GPO, on-prem AD + Entra Connect can serve your purpose, but **PCs do not connect to on-prem AD via Microsoft Entra.**
Your remote PCs cannot "reach" on-prem AD through Microsoft Entra ID as it is not a domain controller and does not handle GPO.
If a PC is Hybrid joined, it can authenticate to cloud apps via Entra, but to use GPOs, domain logon and on-prem AD services, the PC must talk directly to your on-prem Domain Controller, and hence this requires a VPN or direct network access (for example via an Azure Virtual Network).
If you would like to avoid enforcing a VPN, you may need to use an alternative for GPO (like Intune, but it requires a Microsoft 365 A3/A5 Education license) and set up Entra ID + Intune (recommended for remote workers, and easy).
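As an added illustration of the role-assignment check described in the answer above (not code from the original post or from Microsoft), the script below evaluates an exported list of Azure role assignments and reports whether a principal holds Owner or Contributor at, or inherited into, the subscription. The records are constructed sample data shaped like `az role assignment list --all` output (fields `principalName`, `roleDefinitionName`, `scope`); the subscription ID is a placeholder, and the script assumes the subscription sits under every management group that appears in the list.

```python
import json

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real subscription
SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"
RG_CREATING_ROLES = {"Owner", "Contributor"}  # built-in roles named in the answer
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

# Constructed sample: a Global Admin who only has Reader on the subscription
# (plus Contributor on one existing resource group), and a colleague whose
# Contributor role is inherited from a management group.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "globaladmin@contoso.example", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "globaladmin@contoso.example", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-existing"},
  {"principalName": "cloudops@contoso.example", "roleDefinitionName": "Contributor",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-root"}
]
""")


def scope_covers_subscription(scope, sub_scope=SUB_SCOPE):
    """True if an assignment at `scope` is inherited by the subscription.

    Azure RBAC inherits downward only: the root scope, a management group
    (assumed here to contain the subscription) and the subscription itself
    cover it; a resource-group or resource scope does not.
    """
    scope = scope.rstrip("/").lower() or "/"
    if scope == "/" or scope.startswith(MG_PREFIX):
        return True
    return scope == sub_scope.lower()


def subscription_roles(assignments, principal, sub_scope=SUB_SCOPE):
    """Role names the principal holds at or above the subscription scope."""
    return {
        a["roleDefinitionName"]
        for a in assignments
        if a["principalName"].lower() == principal.lower()
        and scope_covers_subscription(a["scope"], sub_scope)
    }


def can_create_resource_group(assignments, principal, sub_scope=SUB_SCOPE):
    """Owner/Contributor at or above the subscription is what creating a
    resource group needs; Entra directory roles such as Global Administrator
    never appear in this list and do not count."""
    return bool(subscription_roles(assignments, principal, sub_scope) & RG_CREATING_ROLES)


if __name__ == "__main__":
    for user in ("globaladmin@contoso.example", "cloudops@contoso.example"):
        print(user, sorted(subscription_roles(SAMPLE_ASSIGNMENTS, user)),
              "can create RG:", can_create_resource_group(SAMPLE_ASSIGNMENTS, user))
```

Against a real tenant, pipe the JSON from `az role assignment list --all` into `SAMPLE_ASSIGNMENTS` and set `SUBSCRIPTION_ID`; a principal that shows only resource-group-scoped roles will hit exactly the error quoted in the question.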