In Azure A D Domain Services (Azure AD DS), administrative tasks for the managed domain—such as DNS and Group Policy—are performed by users who belong to the AAD DC Administrators group. The AZ-800 study guidance explains that Azure AD DS does not expose traditional Domain Admins or Enterprise Admins ; instead, membership in AAD DC Administrators grants rights to create and edit GPOs, manage DNS, and perform domain-joined VM administration within the managed domain . The same guidance notes that Azure AD DS provides two writable OUs by default: AADDC Computers and AADDC Users . You manage computer settings (including local security options and password policies that affect the local SAM of domain-joined Windows VMs) by linking GPOs to the AADDC Computers OU .

The Group Pol icy path to configure local password policy is Computer Configuration \ Windows Settings \ Security Settings \ Account Policies \ Password Policy . Because these are computer-level policies , they must be applied to computer objects, which in Azure AD DS res ide under AADDC Computers . Therefore, to configure a password policy for local accounts on Azure VMs joined to the managed domain, you (1) sign in with an account in AAD DC Administrators , and (2) create/link the GPO to the AADDC Computers OU so the policy applies to those VMs.