You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.

04: How do I license PolicyPak if I use Azure / Azure Active Directory / Azure Active Directory Domain Services / AD Domain Controllers in Azure?

You might want to license PolicyPak when you are using Azure.

The challenge is knowing what you mean and need by Azure.

As such, there are generally four scenarios you could possibly need to license PolicyPak along with Azure.

Case 0: No Azure at all, using traditional Active Directory (usually with Server 2016, 2019, etc.)

In this case there is no Azure really involved at all. Instead, you are using "tried and true" Active Directory running Domain Controllers which comes with Group Policy. Typically, but not always, these servers are on-prem. (More on the idea that they don’t have to be on-prem a little later.)

In this case, you can license PolicyPak with PolicyPak Group Policy Edition or PolicyPak Cloud Edition.

Case 1: Azure Active Directory (also known as AAD) with or without an MDM service.

Azure Active Directory (AAD) is NOT “traditional AD in the cloud.” It is a directory service which has a job to create identity to services.

It has no Group Policy and has no real device management. There are two ways you can use Azure AD: with and without an MDM service.

Case 1A: Using Azure AD alongside an MDM service

You can augment Azure & Azure AAD with an MDM service like Microsoft Intune, WorkSpace ONE or Citrix CEM to do more Windows management… but it’s not Group Policy.

Here is what a machine looks like when it is MDM enrolled and registered in your Azure Active Directory.

As such, you might want to add PolicyPak to your existing MDM service to give you the ability to take existing “traditional AD Group Policy settings” and migrate them to MDM. Additionally, you get all the PolicyPak superpowers as well.

For this method, you are not licensing Azure Active Directory, but rather your MDM service.

Case 1B: Azure AD with no MDM service

Many PolicyPak customers choose to go with Azure AD and no MDM service.

This is because PolicyPak can provide much of what customers need of an MDM service, without the extra cost and moving parts.

To do this, you would need to add PolicyPak Cloud to your Azure AD.

To do this, you would install the PolicyPak Cloud client on your endpoints and… that’s it.

Case 2 (Rare, but we see it): AD Domain Controllers as VMs in Azure

From time to time we see customers who have created an AD Domain Controller in a VM in Azure. This could be a “Fresh domain” or a peer domain controller sync’ing with the other Domain Controllers they have. You typically need a magic VPN tunnel between your existing (typically on-prem) infrastructure and your AD Domain Controller as VMs in Azure to make this work.

Again, this would be an extended use case of traditional AD Domain Controllers which use Group Policy.

Clients join the domain, and they’re off to the races.

You would typically use Group Policy edition and license a whole domain, OU or OUs.

Alternatively, you can use PolicyPak Cloud edition and license each machine.

Case 3 (Rare, and we nearly never see it): Azure AD Domain Services (AS DS)

Azure AD Domain Services is something we never see at PolicyPak, but we will support it.

The use case for Azure AD Domain Services is, typically, to have some existing on-prem infrastructure that you want to lift and shift into VMs in Azure.

Maybe this is an IIS server, or a time card server which relies on Kerberos or other “traditional AD” technology.

As such Azure AD Domain Services is a way to have a function in Azure which “pretends to be traditional AD.” Then your VMs (which you lifted and shifted) then have something to join.

After that, this new domain can be taught to trust your original on-prem infrastructure so resources can be shared.

PolicyPak can be used with Azure AD Domain Services, because the servers you have lifted and shifted are joined to Azure AD Domain Services, just like they would be in a traditional AD domain.

As such you would license the PolicyPak Group Policy edition and enumerate the whole domain and all machines joined (again, typically servers and not laptops or desktops) could make use of PolicyPak.

There are some restrictions and gotchas about Group Policy inside Azure AD DS, so be sure to read this important Microsoft entry:

But, PolicyPak will work in this setup just fine when you license the PolicyPak Group Policy Edition.

Additional reading and thinking ahead…

A good article on all the Azure vocabulary and scenarios can be found at:

If there are other cases that you might have which are not covered in this document, please email support at so we can try to express how to license PolicyPak with your scenario.

  • 849
  • 07-Mar-2021