Cloud adoption strategy for many organizations include a plan to become less dependent on Windows Server Active Directory (like in ‘we want to get rid of it’). This is easier said than done, because this dependency is surfaced on several levels: from AD being an identity provider for users, computers, and applications to using mature features like Group Policies for configuration management at scale.

When doing a large-scale datacenter migration to Azure, rehosting a Windows Server with an enterprise application that uses Integrated Windows Authentication doesn’t give much room to switch to a setup without AD. But how about ‘net new’ workloads running on Azure VMs? Is a traditional domain join the only way to manage their (security) configuration? Or do we have more options, ideally by applying configuration to Azure as well as non-Azure VMs?

Azure Machine Configuration (formerly called Azure Policy Guest Configuration) provides native capability to audit or configure operating system settings as code, both for machines running in Azure and hybrid Arc-enabled machines.

In this blog post, we will dive into the architecture, explain the mechanics, policy authoring experience, and emphasise some good practices when using Machine Configuration in production.