Is it possible to apply device policies in Entra ID without Intune? Looking for cost-effective alternatives for endpoint management.

Aniruddha Aditya 20 Reputation points
2025-10-09T07:39:03.3766667+00:00

Hello Community,

I’m new to Infrastructure and currently exploring Microsoft Entra ID (formerly Azure AD) for my organization. We have around 1000 users and devices (laptops) that we plan to domain join with Entra ID for centralized management.

Our main goal is to apply organization-wide policies, particularly related to:

  • Antivirus and endpoint protection
  • Device compliance and restrictions
  • Security baselines

I’ve learned that these policies are typically implemented through Microsoft Intune (Endpoint Manager). However, our organization is not currently planning to invest in Intune licensing due to cost considerations.

So my questions are:

Is there a way to apply group policies or device security configurations without Intune in an Entra ID–only environment?

Would it make sense to set up an On-Prem Active Directory and do a hybrid Entra + On-Prem AD setup just to manage GPOs and save cost?

Are there any Microsoft-supported lightweight alternatives for enforcing device policies in a cloud-only setup?

Any architectural guidance or best practices from experienced admins would be greatly appreciated.

Thanks in advance!
— Ani
Solution Architect (Power Platform & SharePoint, exploring Infra)

Azure Policy

Answer accepted by question author
  1. Zafer KAYA 330 Reputation points MVP
    2025-10-09T10:26:05.4366667+00:00

    Without Microsoft Intune, you cannot centrally enforce detailed device configuration or security baselines in Entra ID alone — Entra ID is an identity management service, not a device management platform. However, there are a few cost-effective alternatives and hybrid approaches depending on your requirements.

    Option A — Use Microsoft Intune Plan 1 Add-on
      • If full E3/E5 licensing is too expensive, consider Intune Plan 1 ($4 per user/month).
      • Gives all the policy and compliance management you need, at a fraction of the full M365 E3 cost.

    Option B — Use Group Policy via Hybrid Join
      • Set up a lightweight on-prem Active Directory for Group Policy (GPO) management.
      • Devices become Hybrid Entra ID Joined, so you can:
        • Manage them via GPO locally, and
        • Still use Entra ID for SSO, Conditional Access, and MFA.
      • Pros: No Intune cost.
      • Cons: Requires AD servers, VPN or LAN connectivity, and ongoing maintenance.

    Option C — Use Local scripts or 3rd-party MDM
      • Tools like ManageEngine Endpoint Central, JumpCloud, or Microsoft Configuration Manager (SCCM) (if already licensed) can handle policy enforcement.
      • You can also use PowerShell or DSC scripts deployed manually or via scheduled tasks, but that’s not scalable for 1000 devices.
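Option C's script route, as an added example that is not part of the answer above: one PowerShell script that applies a small local baseline on an Entra-joined Windows laptop (Defender, host firewall, BitLocker with the recovery password escrowed to the device's Entra ID object, and one Security Compliance Toolkit registry value), writes a compliance report, and registers itself as a daily SYSTEM scheduled task so drift is re-corrected. It assumes an elevated session on Windows 10/11 Pro or Enterprise with a TPM and the built-in Defender, NetSecurity, BitLocker and ScheduledTasks modules; the report directory and task name are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answer). Assumes Windows 10/11 Pro or
# Enterprise, a TPM, and the built-in Defender, NetSecurity, BitLocker and
# ScheduledTasks modules. $ReportDir and $TaskName are illustrative.

$ReportDir = 'C:\ProgramData\OrgBaseline'   # assumption: local report location
$TaskName  = 'OrgBaseline'                  # assumption: scheduled task name

function Set-OrgBaseline {
    # Antivirus: keep real-time and cloud-delivered protection on
    Set-MpPreference -DisableRealtimeMonitoring $false `
                     -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples

    # Host firewall: every profile on, inbound blocked unless a rule allows it
    Set-NetFirewallProfile -Profile Domain, Private, Public `
                           -Enabled True -DefaultInboundAction Block

    # Disk encryption: BitLocker on the OS drive with a TPM protector plus a
    # recovery password, and the recovery password escrowed to the device's
    # Entra ID object (only works on Entra-joined or hybrid-joined devices)
    if ((Get-BitLockerVolume -MountPoint 'C:').VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
                         -TpmProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    }
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $_.KeyProtectorId
        }

    # One Security Compliance Toolkit setting written as a plain registry value,
    # because there is no Group Policy engine on a cloud-only device: no LM hashes
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                     -Name 'NoLMHash' -Type DWord -Value 1
}

function Test-OrgBaseline {
    # Re-reads the live state (not what was just written) and reports pass/fail
    $mp  = Get-MpComputerStatus
    $fw  = Get-NetFirewallProfile
    $bl  = Get-BitLockerVolume -MountPoint 'C:'
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # dsregcmd is the local source of truth for the Entra join state
    $joined = [bool]((dsregcmd /status) -match '^\s*AzureAdJoined\s*:\s*YES')

    $checks = [ordered]@{
        EntraJoined         = $joined
        RealTimeProtection  = $mp.RealTimeProtectionEnabled
        SignaturesFresh     = $mp.AntivirusSignatureAge -le 3          # days
        FirewallAllProfiles = @($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
        BitLockerOn         = $bl.ProtectionStatus -eq 'On'
        NoLMHash            = $lsa.NoLMHash -eq 1
    }
    $report = [pscustomobject]@{
        Device    = $env:COMPUTERNAME
        Timestamp = (Get-Date).ToString('o')
        Compliant = @($checks.Values) -notcontains $false
        Checks    = $checks
    }
    New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
    $report | ConvertTo-Json -Depth 3 | Set-Content -Path (Join-Path $ReportDir 'compliance.json')
    return $report
}

function Register-OrgBaselineTask {
    # Re-apply daily as SYSTEM; $PSCommandPath is this script's own path
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At 9am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                           -Principal $principal -Force | Out-Null
}

Set-OrgBaseline
if (-not (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)) {
    Register-OrgBaselineTask
}
Test-OrgBaseline | ConvertTo-Json -Depth 3
```

Three gaps show why the answer calls this route hard to scale: the script still has to reach every laptop once (at provisioning or by hand), any local administrator can undo it or delete the task because nothing enforces tamper protection, and the JSON report is only useful if something else collects it. It also never becomes a device-compliance signal: Conditional Access's "require compliant device" control only reads compliance state reported by an MDM registered with Entra ID, so that grant control stays unavailable.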

1 additional answer

  1. Luis Arias 9,011 Reputation points Volunteer Moderator
    2025-10-09T10:56:32.7566667+00:00

    Hi Aniruddha,

    Welcome to Microsoft Q&A. In short, the answer is yes, but with limitations. Microsoft Entra ID by itself doesn’t support native device policy enforcement like antivirus, compliance, or security baselines. These capabilities require Microsoft Intune or another MDM solution integrated with Entra ID. Without Intune, you can’t push device configurations or enforce compliance policies in a cloud-only setup.

    So the alternative could be this one:

    1. Use Active Directory + GPOs to configure:
      • Antivirus settings via Windows Defender policies
      • Firewall rules and network restrictions
      • BitLocker encryption enforcement
      • Software installation and update controls
      • Security baselines using Microsoft Security Compliance Toolkit
    2. Join devices to On-Prem AD, then sync identities to Entra ID using Azure AD Connect for SSO and conditional access (but not device compliance enforcement)
    3. Manage updates and patching with WSUS or SCCM (ConfigMgr), both compatible with GPO-driven environments

    If cost is a concern, I would suggest comparing Intune vs. a hybrid deployment with on-prem AD + GPOs. It's technically viable, but Microsoft recommends a cloud-first architecture for scalability and security. Lightweight alternatives like Windows Autopilot still require Intune for policy enforcement. No Microsoft-supported cloud-only solution exists that replaces Intune’s functionality for device management.

    References:

    If this resolves your question, please accept the answer.

    Luis

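The AD + GPO route from steps 1 and 3 above, as an added example that is not part of the answer: a PowerShell script, run on a domain controller or an RSAT workstation with the GroupPolicy module, that creates and links GPOs for the Defender, firewall, BitLocker and WSUS settings listed, and imports a Security Compliance Toolkit baseline as its own GPO. The domain, OU, WSUS URL, SCT path and backup name are assumptions; the registry keys are the ones written by the corresponding Administrative Template settings.

```powershell
#Requires -Modules GroupPolicy
# Added example (not from the original answer). Assumptions: domain
# corp.example with a Laptops OU, a WSUS server reachable at $Wsus, and the
# Security Compliance Toolkit GPO backups extracted under $SctPath.
Import-Module GroupPolicy

$TargetOU = 'OU=Laptops,DC=corp,DC=example'    # assumption
$Wsus     = 'http://wsus.corp.example:8530'    # assumption
$SctPath  = 'C:\SCT\GPOs'                      # assumption
$SctGpo   = 'MSFT Windows 11 - Computer'       # assumption: backup name inside $SctPath

function Set-OrgGpo {
    # Creates (or reuses) a GPO, writes policy registry values into it, and
    # links it to the target OU. An existing link makes New-GPLink throw, so
    # that error is tolerated.
    param([string]$Name, [hashtable[]]$Settings)
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | Out-Null
    }
    foreach ($s in $Settings) {
        Set-GPRegistryValue -Name $Name -Key $s.Key -ValueName $s.ValueName `
                            -Type $s.Type -Value $s.Value | Out-Null
    }
    New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes `
               -ErrorAction SilentlyContinue | Out-Null
}

# Antivirus: real-time protection on, cloud protection at Advanced, PUA blocked
$Defender = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'
Set-OrgGpo -Name 'ORG-Defender' -Settings @(
    @{ Key = "$Defender\Real-Time Protection"; ValueName = 'DisableRealtimeMonitoring'; Type = 'DWord'; Value = 0 }
    @{ Key = "$Defender\Spynet";               ValueName = 'SpynetReporting';           Type = 'DWord'; Value = 2 }
    @{ Key = $Defender;                        ValueName = 'PUAProtection';             Type = 'DWord'; Value = 1 }
)

# Firewall: all three profiles on, inbound blocked by default (1 = block)
$Fw = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'
Set-OrgGpo -Name 'ORG-Firewall' -Settings @(
    foreach ($p in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
        @{ Key = "$Fw\$p"; ValueName = 'EnableFirewall';       Type = 'DWord'; Value = 1 }
        @{ Key = "$Fw\$p"; ValueName = 'DefaultInboundAction'; Type = 'DWord'; Value = 1 }
    }
)

# BitLocker: require a TPM, XTS-AES 256 on the OS drive, and escrow recovery
# info to AD DS before encryption is allowed to start. These are the values the
# FVE Administrative Templates write; confirm against the ADMX for your build.
$Fve = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
Set-OrgGpo -Name 'ORG-BitLocker' -Settings @(
    @{ Key = $Fve; ValueName = 'UseAdvancedStartup';            Type = 'DWord'; Value = 1 }
    @{ Key = $Fve; ValueName = 'EnableBDEWithNoTPM';            Type = 'DWord'; Value = 0 }
    @{ Key = $Fve; ValueName = 'UseTPM';                        Type = 'DWord'; Value = 2 }   # 2 = require
    @{ Key = $Fve; ValueName = 'EncryptionMethodWithXtsOs';     Type = 'DWord'; Value = 7 }   # 7 = XTS-AES 256
    @{ Key = $Fve; ValueName = 'OSRecovery';                    Type = 'DWord'; Value = 1 }
    @{ Key = $Fve; ValueName = 'OSActiveDirectoryBackup';       Type = 'DWord'; Value = 1 }
    @{ Key = $Fve; ValueName = 'OSRequireActiveDirectoryBackup';Type = 'DWord'; Value = 1 }
)

# Updates: point clients at WSUS, auto-download and schedule installs (AUOptions 4)
$Wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Set-OrgGpo -Name 'ORG-WSUS' -Settings @(
    @{ Key = $Wu;      ValueName = 'WUServer';       Type = 'String'; Value = $Wsus }
    @{ Key = $Wu;      ValueName = 'WUStatusServer'; Type = 'String'; Value = $Wsus }
    @{ Key = "$Wu\AU"; ValueName = 'UseWUServer';    Type = 'DWord';  Value = 1 }
    @{ Key = "$Wu\AU"; ValueName = 'NoAutoUpdate';   Type = 'DWord';  Value = 0 }
    @{ Key = "$Wu\AU"; ValueName = 'AUOptions';      Type = 'DWord';  Value = 4 }
)

# Security baseline: import the SCT computer baseline unchanged as its own GPO
# and link it; keeping it separate makes a baseline update a plain re-import.
Import-GPO -BackupGpoName $SctGpo -Path $SctPath `
           -TargetName 'ORG-Baseline-Computer' -CreateIfNeeded | Out-Null
New-GPLink -Name 'ORG-Baseline-Computer' -Target $TargetOU -LinkEnabled Yes `
           -ErrorAction SilentlyContinue | Out-Null

# What a laptop in the OU will actually receive, in precedence order
(Get-GPInheritance -Target $TargetOU).GpoLinks | Format-Table DisplayName, Enabled, Order
```

Where the SCT baseline and an ORG-* GPO set the same value, link order decides (the link with the lowest Order number wins), so check the last table before rolling out. The one device signal this route gives Conditional Access without an MDM is the "Require Hybrid Azure AD joined device" grant control, which hybrid-joined laptops do satisfy; device compliance, as the answer says, still needs Intune or another MDM.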
