New Contributor

The scenario here is trying to use the AADDS as it is and not syncing anything from an on-premise location.

 

With VMs joined to this AADDS, I want to be able to have normal users log in to take care of day-to-day tasks, but I don't want to have to add them to the AAD DC Administrators Azure Security group to let them in. This gives those normal users more permissions that they should have.

 

There doesn't seem to be anything to allow this from the Azure AD side of things, and enabling a group policy for Remote Desktop Users does not work either. It is unclear what is stopping this from working, and so far I cannot find information that states this idea to be completely impossible either.

 

If anyone has any suggestions or information that could help I would greatly appreciate it!

Just to be sure: are those VM's members of Azure AD or Azure Active Directory Domain Services?
best response confirmed by Kesselringt (New Contributor)
Solution
Whoops, my apologies for not giving a follow up to my own issue!

To answer your question they are joined to Azure Active Directory Domain Services.

The part that made this confusing is that I am not syncing an on-premise AD into this Azure Tenant, so I was completely relying on what Azure puts into place when you create this service.

I should have had this knowledge, but I don't work with Group Policies that often. Azure Support had to help me with this because I didn't think to Google this issue from a GPO standpoint and not from an AADDS one.

The key to fixing this was entering my group of users under the "Restricted Groups" in the GPO, and say this group is a member of "Administrators" and "Remote Desktop Users."

This does make the users local admins on the machines they can log into, but for my purposes that is perfect. Here is where the "Restricted Groups" setting lives for others who might want to do this.

Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Restricted Groups
www.000webhost.com