Azure Active Directory as Domain Controller for Azure Virtual Machines

Asked 7/3, 2013 at 7:4 Answered 31/1, 2016 at 22:55

Solved azure active-directory azure-virtual-machine azure-virtual-network azure-active-directory

Azure Active Directory is "as a service" offering from Azure. I have seen documentations and content from Microsoft stating that can be used for SSO and other Web application for unified auth.

Will it be possible to make use of Azure Active Directory as replacement of Windows Server AD in Azure virtual machines in Virtual Networks? I see that the Windows Server Active Directory Installation on Azure VM involves execution from powershell and stuff?

Anastomose answered 7/3, 2013 at 7:4 Comment(1)

FYI - AWS Has a Directory Service, Which is more like AD As A Service which can be used to mange users and perform Domain Join As Well [ SimpleAD ] – Anastomose 15/4, 2015 at 10:27

NO! Windows Azure Active Directory is NOT a Domain Controller. You can NOT join computers to Windows Azure AD. You can use it to sync on-premises AD with Windows Azure AD to easily enable Web SSO (Single Sign On). You can use to build enterprise grade web applications.

You can read more about Windows Azure Active Directory here.

Conjunction answered 7/3, 2013 at 7:45 Comment(7)

Thanks got the big doubt clarified. Is there any roadmap for Microsoft to make it DC / bring in DC features into it? – Anastomose 7/3, 2013 at 8:17

I am not aware of such intent. I would be surprised if there is. You could achieve that with the IaaS (Infrastructure As A Service) offering from Azure - the Azure Virtual Machines. But you sill have to maintain hard link (via hardware VPN Device) to your local network (connected computers) – Conjunction 7/3, 2013 at 9:41

astaykov, do you know if there is anywhere we can go to request this feature? – Unmeant 9/4, 2013 at 16:11

This is not the purpose of Azure AD, and has never been. You can go to http://www.mygreatwindowsazureidea.com/ but I doubt this will happen anytime soon, if happens at all. – Conjunction 9/4, 2013 at 16:58

Would it be possible to setup a domain controller on a Basic A0 VM that uses a reverse DirSync to Azure AD? The reasoning is so that other VMs can join the domain and we can control RDP access without having to share a common password. – Hyson 30/1, 2015 at 0:39

Really sad Azure AD is not an actual SaaS AD. It would save me tons of hours coming up with my own user-access-control strategy throughout my VMs with RD access. Sigh. – Lyall 28/4, 2015 at 11:2

The answer is correct. However, Microsoft is running a private test where Azure AD works as a normal domain controller. The long term goal is to provide Domain Controllers as a Service. – Greatgranduncle 20/9, 2015 at 15:43

Up until recently the answer was a flat no, but that has changed with Windows 10.

Windows 10 devices can join Azure Active Directory (AD) domains. But it is more about identify management than traditional Active Directory (AD) services. But you can use a combination of Azure AD and MDM (Mobile Device Management) to provide some of the services that used to be reserved for AD.

One thing to keep in mind is that Azure Active Directory (AD) is completely different than the similarly named Active Directory provided by a Windows Domain Controller. Azure AD is not a Domain Controller, but as of Windows 10 Azure AD, MDM and Intune can do some of the things that you previously could only be provided by AD. With Windows 10, Microsoft has greatly extended MDM and has made it possible to manage regular Windows 10 desktop and laptops with MDM.

The Active Directory Team Blog has more information. The post Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops! list some of the benefits that it brings including:

Self-provisioning of corporate owned devices.
Use existing organizational accounts.
Automatic MDM enrollment.
Single Sign-On to company resources in the cloud.
Single Sign-on on-premises
Enterprise-ready Windows store.
Support for modern form factors. Azure AD Join will work on devices that don't have the traditional domain join capabilities.
OS State Roaming.

This doesn't cover the traditional features provided by AD. Per the post Azure AD Join on Windows 10 devices Azure AD it targeted at the following three scenarios: Your apps and resources are largely in the cloud, Seasonal workers and Students, and Choose your own device for on-premises users. As you can see Azure AD is targeted more towards enabling BYOD (Bring Your Own Device). Azure AD enables management of devices, like tablets or non-Pro version of Windows, that don't have the capability to join a Domain.

From the same post:

Domain join gets you the best on-premises experiences on devices capable of domain joining, while Azure AD join is optimized for users that primarily access cloud resources. Azure AD Join is also great if you want to manage devices from the cloud with a MDM instead of with Group Policy and SCCM.

Azure now offers traditional Active Directory service called Azure Active Directory Domain Services. This offers domain join, NTLM and Kerboeros authentication. You can even manage machines using Group Policy.

Surfactant answered 30/7, 2015 at 19:38 Comment(0)

This is possible using Azure Active Directory Domain Service (notice the difference from regular Azure Active Directory which does not have domain support)

https://azure.microsoft.com/en-us/services/active-directory-ds/

Serology answered 31/1, 2016 at 22:55 Comment(0)

Recommended topics

Hot tags