Azure Identity And Access Management Part 26 – Azure Active Directory – Domain Service ( Azure AD DS) 1 – Overview

Hello Friends,
Hope you all are doing good !!!
In our last articles we discussed Azure AD Identity Governance in detail. Today, in this article, we start on a new and very important Azure AD feature, Azure AD Domain Services (Azure AD DS).
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.
Part 1 – Azure Active Directory – Overview
Part 2 – Azure Active Directory – Enterprise Users
Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell
- *
- *
- *
Part 23 – Azure Active Directory – Terms Of Use
Part 24 – Azure Active Directory – Access Reviews 2 – Group And Apps
Part 25 – Azure Active Directory – Identity Governance
Next Article : Part 27 – Azure Active Directory – Domain Service ( Azure AD DS) 2 – Configure An Azure AD DS Managed Domain
Active Directory-Based Identity Solutions :
There are three common ways to use Active Directory-based services in Azure to give applications, services, or devices access to a central identity. They are designed to meet different customer demands, so we choose the one that fits our organization's needs.
- Active Directory Domain Services (AD DS)
- Azure Active Directory (Azure AD)
- Azure Active Directory Domain Services (Azure AD DS)
Today, in this article, we will explore the third solution, Azure Active Directory Domain Services (Azure AD DS), where Microsoft creates a managed domain and operates the required resources for us. Before that, note one more approach to extend on-premises AD DS to the cloud: self-managed AD DS. In this approach Microsoft does nothing for us; we create and configure AD DS ourselves on traditional resources (domain controllers running on Azure VMs) and then continue to administer, patch, back up and secure them.
Azure AD Domain Service (Azure AD DS) :
Azure Active Directory Domain Services (Azure AD DS) is a cloud-based managed domain service provided by Microsoft. It provides a subset of the traditional on-premises AD DS features, fully compatible with Windows Server AD: domain join, Group Policy, DNS, LDAP, and Kerberos / NTLM authentication. Azure Active Directory (Azure AD) and Azure AD DS are two separate services, but Azure AD DS requires an Azure AD tenant to be present when we configure it, because the managed domain gets its users, groups and credentials from that tenant.
Azure AD Domain Service (AAD-DS) Benefits :
Simple To Deploy And Use :
Easy to deploy; no domain controller deployment, patching or monitoring is required from us.
Integrated With Azure AD :
Azure AD is required to configure Azure AD DS. User accounts, group memberships, and credentials are automatically available from our Azure AD tenant.
Highly Available :
Azure AD DS includes multiple domain controllers, which provide high availability for the managed domain.
Very Compatible :
It is compatible with Windows Server AD and natively speaks Kerberos, NTLM and LDAP, so the directory functionality our apps expect from on-premises Active Directory keeps working in the cloud, and users sign in with the same user name and password they use in Azure AD. Keep in mind that it is a subset, not a full replacement: there is no schema extension, no Domain Admins / Enterprise Admins access, and the domain controllers themselves are not reachable for administration.
Cost Effective :
It is billed pay-as-you-go and does not require a complex virtual network design; a dedicated subnet in a VNet is enough.
The Way Azure AD DS Works :
Before configuring Azure AD DS, the very first thing to decide is the Virtual Network (VNet) and subnet to use, because Azure creates and configures the Azure AD DS managed domain inside a VNet. When we create a managed domain, the platform in turn deploys a pair of Windows Server domain controllers that run on Azure VMs in that subnet. We never log on to these domain controllers; the Azure platform configures, patches and updates them as part of the Azure AD DS service.
By default, a managed domain performs a one-way synchronization from Azure AD to Azure AD DS to provide access to a central set of users, groups, and credentials. We can create resources directly in the managed domain, but they are not synchronized back to Azure AD. There are two different models for using Azure AD DS.
- Azure AD DS for hybrid organizations
- Azure AD DS for cloud-only organizations
Azure AD DS for hybrid organizations :
This model works in a hybrid infrastructure that includes both cloud and on-premises application workloads. Today, many legacy applications are migrated to Azure using a lift-and-shift strategy, and those applications often require traditional LDAP connections to read identity information. In this scenario Azure AD DS acts as the identity source for those applications, so that the applications do not need connectivity back to the on-premises directory services: the user account information has already been synchronized, giving users a consistent identity. It works in the following way.

- Applications and server workloads that require domain services, or legacy applications migrated to Azure using the lift-and-shift method, are deployed in a virtual network in Azure.
- Using Azure AD Connect, identity information is synchronized from the on-premises directory to the Azure AD directory.
- Azure AD DS is enabled for the Azure AD directory, in this virtual network or in a VNet peered with it.
- This deploys two domain controllers (DCs) in the network; all of their configuration and management is taken care of by Microsoft.
- Once Azure AD DS is enabled, a one-way synchronization from Azure AD to Azure AD DS starts and copies the identity information to the managed domain.
- Syncing of objects from Azure AD to Azure AD DS is an automatic background process managed by Microsoft. Synchronized objects exist as 'read-only' in Azure AD DS.
- After synchronization, applications and VMs deployed in the Azure virtual network can use Azure AD DS features such as domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.
Azure AD DS for cloud-only organizations :
In the cloud-only model there is no on-premises identity source. All user identities, group memberships and credentials are created and managed directly in Azure AD. It works in the following way.

- Applications and server workloads that require domain services are deployed in a virtual network in Azure.
- Azure AD DS is enabled for the Azure AD directory, in this virtual network or in a peered one.
- This deploys two domain controllers (DCs) in the network; all of their configuration and management is taken care of by Microsoft.
- Once Azure AD DS is enabled, a one-way synchronization from Azure AD to Azure AD DS starts and copies the identity information to the managed domain.
- Syncing of objects from Azure AD to Azure AD DS is an automatic background process managed by Microsoft. Synchronized objects exist as 'read-only' in Azure AD DS.
- Applications and VMs deployed in the Azure virtual network can then use Azure AD DS features such as domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.
Note : When an Azure AD DS managed domain is created, two OUs are created automatically: the "AADDC Users" OU, which holds all users and groups synced from Azure AD, and the "AADDC Computers" OU, which holds domain-joined computers by default. Objects in "AADDC Users" are synchronized copies and can't be changed from inside the managed domain; objects we create ourselves go into custom OUs.
Azure AD-DS Permissions :
Azure AD DS doesn't provide the traditional AD Domain Admins or Enterprise Admins roles, so nobody, including us, gets administrative access to the domain controllers (DCs) themselves. Instead, one built-in security group named 'AAD DC Administrators' is created when Azure AD DS is configured. Admins are added to that group, which delegates the permissions needed inside the managed domain, such as creating custom OUs and Group Policy Objects, and grants local administrator rights on domain-joined VMs. Membership of this group is managed in Azure AD, so it is the one privileged boundary to keep small and review like any other admin group.
User Account Management In Azure AD DS :
User accounts in a managed domain can come from several sources, as the following list shows.
Cloud-Only User Accounts -
These user accounts are created in Azure AD and synchronized from Azure AD to the Azure AD DS managed domain.
Hybrid User Accounts -
These user accounts are synchronized from an on-premises AD DS environment to Azure AD using Azure AD Connect, and from there to the Azure AD DS managed domain.
Azure AD DS User Accounts -
These user accounts are created manually, directly in the managed domain. As synchronization is one way, from Azure AD to Azure AD DS, user accounts created in the managed domain are never synchronized back to Azure AD and can't be used to sign in to Azure AD.
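As an added example (not code from the original article), the following PowerShell, run from a Windows VM joined to the managed domain as a member of 'AAD DC Administrators' with the RSAT ActiveDirectory module installed, shows the practical side of the last three sections: it lists who holds the one privileged group the managed domain has, separates the accounts synced into "AADDC Users" from those created locally, and demonstrates that a synced account can't be modified from inside the managed domain while a locally created one can. It reads the domain and object names from the domain it is joined to; nothing else is assumed.

```powershell
# Added example, not part of the original article. Run on a VM joined to the
# managed domain, as a member of "AAD DC Administrators", with RSAT installed
# (Install-WindowsFeature RSAT-AD-PowerShell). Domain and object names are read
# from the domain the VM is joined to.
Import-Module ActiveDirectory

$domain = Get-ADDomain                      # the managed domain we are joined to
$dn     = $domain.DistinguishedName         # e.g. DC=contoso,DC=com (whatever ours is)

# 1. Who holds the only privileged role the managed domain offers?
#    There are no Domain Admins in Azure AD DS, so this group is the one to review.
$admins = @(Get-ADGroupMember -Identity 'AAD DC Administrators' -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties UserPrincipalName |
            Select-Object SamAccountName, UserPrincipalName)
Write-Host "AAD DC Administrators members: $($admins.Count)"
$admins | Format-Table -AutoSize

# 2. Synced accounts live in AADDC Users. Anything outside that OU (and outside the
#    built-in Users container) was created in Azure AD DS and never flows back to Azure AD.
$synced = @(Get-ADUser -Filter * -SearchBase "OU=AADDC Users,$dn")
$local  = @(Get-ADUser -Filter * -SearchBase $dn -SearchScope Subtree |
            Where-Object { $_.DistinguishedName -notlike "*OU=AADDC Users,$dn" -and
                           $_.DistinguishedName -notlike "*CN=Users,$dn" })
Write-Host "Users synced from Azure AD : $($synced.Count)"
Write-Host "Users created in Azure AD DS: $($local.Count)"

# 3. Synced objects are read-only from inside the managed domain: the same attribute
#    change is expected to fail on a synced user and succeed on a locally created one.
foreach ($u in @($synced | Select-Object -First 1) + @($local | Select-Object -First 1)) {
    if (-not $u) { continue }
    try {
        Set-ADUser -Identity $u -Description "edited $(Get-Date -Format s)" -ErrorAction Stop
        Write-Host "Modified $($u.SamAccountName): this account was created in the managed domain"
    } catch {
        Write-Host "Could not modify $($u.SamAccountName) (synced, read-only): $($_.Exception.Message)"
    }
}
```

Run it after the first full synchronization has completed. If the 'AAD DC Administrators' list is longer than the few people who actually create OUs and GPOs, trim it in Azure AD: that membership is the only administrative boundary Azure AD DS gives us.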
Password Policy In Azure AD DS :
There are two different types of password policy supported in Azure AD DS.
- Default password policy – the built-in policy of the managed domain, which helps manage user security in Azure Active Directory Domain Services (Azure AD DS). It covers the following settings.
  - Account lockout policy – applies to all users in a managed domain, regardless of how the user was created.
  - Minimum password length – applies only to user accounts created manually in the managed domain; for synced users the password is set, and its length checked, in Azure AD or on-premises.
  - Password complexity requirements – apply only to user accounts created manually in the managed domain, for the same reason.
- Custom policy – fine-grained password policies (PSOs) can be applied to groups in the managed domain if required. A custom policy effectively overrides the default policy for the members of the groups it is assigned to.
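To make the two policy types concrete, here is an added PowerShell example (not from the original article), run from the same kind of domain-joined management VM as a member of 'AAD DC Administrators'. It reads the default domain password policy, creates a fine-grained password policy with a stricter minimum length for one security group, and then checks which policy a given account actually ends up with. The policy name, the group 'Service Accounts' and the 'svc-*' naming pattern are assumptions for illustration.

```powershell
# Added example, not part of the original article. Run on a domain-joined management
# VM as a member of "AAD DC Administrators". The policy name, the group
# 'Service Accounts' and the 'svc-*' account pattern are assumptions.
Import-Module ActiveDirectory

# 1. The default policy: lockout settings apply to everyone, length/complexity/age
#    only to accounts created in the managed domain.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. A custom (fine-grained) policy. When several PSOs apply, the lowest Precedence wins.
$policyName = 'AADDS-ServiceAccounts-PSO'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
}
# PSOs are assigned to groups (or users) through their subjects, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects 'Service Accounts'

# 3. Verify the resultant policy for one account: a PSO name, or the default domain
#    policy when no PSO applies to it.
$svc = Get-ADUser -Filter "Name -like 'svc-*'" -SearchBase (Get-ADDomain).DistinguishedName |
       Select-Object -First 1
if ($svc) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $svc
    if ($effective) { "$($svc.SamAccountName) -> $($effective.Name) (min length $($effective.MinPasswordLength))" }
    else            { "$($svc.SamAccountName) -> Default Domain Policy" }
}
```

Step 3 is the check worth keeping: a PSO that nobody is a subject of, or that is assigned to a group whose members are all synced from Azure AD (where their passwords are actually set), does nothing useful.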
Sync Password Hashes In Azure AD DS :
Once the managed domain is enabled, the next step is to get the users' credentials into it; only then can users sign in to the managed domain. To authenticate users, Azure AD DS needs password hashes in the format used by NTLM and Kerberos. Azure AD doesn't generate or store password hashes in that format until Azure AD DS is enabled for the tenant, so the hashes have to be generated for each account. There are two different ways to synchronize the password hashes, depending on the type of user.
Cloud-Only User Accounts -
For cloud-only users, each user who wants to use Azure AD Domain Services needs to change their password once. When the user changes the password, Azure AD generates the credential hashes, which are automatically synchronized to the managed domain. The account can't sign in to the managed domain until the password has been changed.
Hybrid User Accounts -
For hybrid users whose on-premises AD is already synced with Azure AD, we need to sync the credential hashes required for NTLM and Kerberos authentication via Azure AD Connect. These legacy hashes are not synced to Azure AD by default, even when password hash synchronization is already on, so a one-time configuration change on the Azure AD Connect server is needed to force a full password sync that includes them.
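Both paths in one place, as an added example that is not part of the original article. Part A follows the Azure AD Connect procedure Microsoft documents for sending the legacy NTLM/Kerberos hashes of hybrid users to Azure AD (and from there to the managed domain), and is run on the Azure AD Connect server; the two connector names are placeholders and are case-sensitive. Part B, for cloud-only users, uses the Microsoft Graph PowerShell SDK to flag the members of an assumed Azure AD group so that they must change their password at next sign-in, which is what generates the hashes the managed domain needs; it skips hybrid users, whose passwords must be changed on-premises instead.

```powershell
# Added example, not part of the original article.
# ---- Part A: hybrid users, run elevated on the Azure AD Connect server ----
# Connector names are CASE-SENSITIVE and assumed here; read the real ones from
# Synchronization Service Manager -> Connectors.
Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

$adConnector      = 'contoso.com'                     # on-premises AD DS connector (assumed)
$azureadConnector = 'contoso.onmicrosoft.com - AAD'   # Azure AD connector (assumed)

# Set the ForceFullPasswordSync flag on the on-premises connector ...
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# ... then disable and re-enable password hash sync so the full sync actually runs
# and now carries the NTLM/Kerberos hashes that Azure AD DS needs.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true

# ---- Part B: cloud-only users, run anywhere with the Microsoft Graph PowerShell SDK ----
# The hashes appear only when the user next changes their password, so force that change
# at next sign-in for every cloud-only member of an Azure AD group (group name assumed).
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.Read.All', 'GroupMember.Read.All'
$group = Get-MgGroup -Filter "displayName eq 'AADDS Users'"
Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
    $u = Get-MgUser -UserId $_.Id -Property Id, UserPrincipalName, OnPremisesSyncEnabled -ErrorAction SilentlyContinue
    if (-not $u) { return }                     # nested group or other non-user member: skip
    if ($u.OnPremisesSyncEnabled) {             # hybrid user: Part A covers them, not a cloud reset
        "Skipping $($u.UserPrincipalName): synced from on-premises"
        return
    }
    Update-MgUser -UserId $u.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
    "Flagged $($u.UserPrincipalName) for password change at next sign-in"
}
```

Part A is a one-time change per Azure AD Connect server; after it, new and changed on-premises passwords keep flowing with their legacy hashes. Part B is per user: until a cloud-only user has actually changed their password, Kerberos and NTLM sign-ins to the managed domain for that account will fail, so announce it before domain-joining anything they need.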
Azure AD DS pricing :
As specified in the Microsoft documentation, Azure Active Directory Domain Services usage is charged per hour, based on the SKU selected by the tenant owner. Azure AD DS is available as a User Forest or a Resource Forest (the latter in preview at the time of writing). While in preview, Resource Forest pricing includes a discount, and the prices shown in the following figure include that discount. For more information see this link.

I hope you find this article helpful and that it gives you a basic overview of Azure AD Domain Services (Azure AD DS). As I am still exploring Azure Identity and Access Management (IAM), please let me know if I missed anything important or if my understanding is not up to the mark.
References :
Understanding Azure AD Password (Hash) Sync
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂