Access on-premise active directory from Azure functions/logic apps

K Thiru 21

I'm in the process of integrating the HR system and Active directory which involves creating new users, updating existing user attributes, and disabling users in AD.

We have an on-premise Active Directory and use the Azure AD Connect to sync the Azure Active directory. We also have a domain controller in Azure VM. I have checked with the (on-premises data gateway - logic app) and (hybrid connection - azure function) both don't support on-premise active directory.

Any idea or workaround will be helpful to connect on-premise active directory or Azure VM domain controller from azure functions/logic apps etc.

Maguitinoco 21 Reputation points

2021-10-27T20:25:36.087+00:00

I have Azure Automation to run in a hybrid worker to be able to have a user report in my AD, but I can't connect my runbook with AD, I've tried to connect with Credentials, run as account and nothing I can't get the list. you have a command example in PowerShell where I can get my report?
I don't want to change anything in AD just get a report of accounts expiration.
Hasan Rizvi 0 Reputation points

2023-09-11T14:21:44.21+00:00

Hi @K Thiru Can you please explain how you have resolved this, as I am also working on how we can integrate from Logic App/ Azure Function to a On Premise AD and create/update a user object in AD.

Accepted answer

Andreas Baumgarten 96,361 Reputation points MVP

2021-06-11T20:03:58.127+00:00

Hi @K Thiru ,

it's "complex" but it is possible to start an Azure Automation Runbook with an Azure Function:
https://wintellisys.com/use-azure-function-to-start-azure-automation-runbook/

Azure Automation is able to run on a Hybrid Worker and this way you are able to access an on-premises AD:
https://learn.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
Please sign in to rate this answer.
K Thiru 21 Reputation points

2021-06-15T19:20:53.653+00:00

Hi @Andreas Baumgarten

Thanks for your response. How do we connect active directory domain controller in Azure VM managed domain and update user or new user in AD.

Andreas Baumgarten 96,361 Reputation points MVP

2021-06-15T19:31:39.653+00:00

Hi @K Thiru ,

to manage the on-premises AD you need an Azure Automation Hybrid Worker running in the on-premises infrastructure:
https://learn.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker
The Hybrid Worker will execute Azure Automation Runbooks in the on-premises environment.

In Azure Automation PowerShell runbooks could be created for the tasks you require. For instance "Create new user in AD", "Update existing user in AD". It's possible to run the Azure Automation runbooks on the Hybrid Worker on-premises to do manage the users in your on-premises AD.

The Azure Automation runbooks could be triggered by an Azure Function like described in the link above.

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

K Thiru 21 Reputation points

2021-06-15T20:57:50.53+00:00

Thanks @Andreas Baumgarten for the details to connect the on-premises active directory. But my question is how to connect the same active directory in Azure Virtual Machine instead of on-premises.

Andreas Baumgarten 96,361 Reputation points MVP

2021-06-15T21:01:35.653+00:00

Hi @K Thiru ,

same AD means a replicated AD domain controller Azure VM?

It should be possible to run a Hybrid Worker on an Azure VM as well. Never tried this myself but I don't see why it should not be possible.

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

K Thiru 21 Reputation points

2021-06-16T11:53:07.177+00:00

Hi @Andreas Baumgarten , Thanks for the response.

Yes it's a replicated AD domain controller, currently we have two AD domain controllers in on-premises and two AD domain controllers in Azure VM (domain joined).

In future, we will be moving all the domain controllers to Azure VM. So I'm planning to do the integration with Azure VM instead of on-premises.

As you mentioned this automation runbook with the hybrid worker is a bit complex, I'm just thinking of other ways as mentioned below, please give your suggestion as I'm totally new to Azure.

Is it possible to connect the AD domain controller in Azure VM using Vnet & private endpoints?

Is it possible to open port and whitelist azure functions IP range in Azure VM to access directly?

once again thanks for your help.

Thanks,
Kamesh

Andreas Baumgarten 96,361 Reputation points MVP

2021-06-16T13:30:13.1+00:00

Hi @K Thiru ,

I am not using Azure Functions for on-premises AD User Management at all.
I would recommend using Azure Automation instead of Azure Function.

II am not sure if Azure Functions are able to access "in-guest services" like AD inside a VM.
But Azure Automation with Hybrid Worker is able to do this.

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

K Thiru 21 Reputation points

2021-06-16T14:51:45.02+00:00

Thanks @Andreas Baumgarten for all your support.

Maguitinoco 21 Reputation points

2021-10-27T20:23:26.763+00:00

Hi Andreas,

I have Azure Automation to run in a hybrid worker to be able to have a user report in my AD, but I can't connect my runbook with AD, I've tried to connect with Credentials, run as account and nothing I can't get the list. you have a command example in PowerShell where I can get my report?
I don't want to change anything in AD just get a report of accounts expiration.
Sign in to comment

2 additional answers

MayankBargali-MSFT 68,476 Reputation points

2021-06-11T10:17:31.347+00:00

Hi @K Thiru

You can not connect to your on premise active directory using azure function/logic app. But you can use Microsoft Graph API for Azure Active Directory. You can call the REST API endpoint from azure function/logic app.

AFAIK sync is only possible from On-prem AD to Azure AD and vice versa only few attributes (password, exchange password) that are synced back but not entire user object. If you are looking that you can create user in Azure AD and that can sync with on prem AD then that is not possible.
Please sign in to rate this answer.
K Thiru 21 Reputation points

2021-06-11T15:57:15.997+00:00

Thanks @MayankBargali-MSFT for your response. I can understand it's not possible to connect on-prem AD from Azure function but can you let me know Is it possible to connect Azure VM - AD DS from Azure function, if yes please let me know how?

MayankBargali-MSFT 68,476 Reputation points

2021-06-11T16:23:03.183+00:00

@K Thiru I have added azure-ad-domain-services tag to confirm if this can be exposed as API from their end. If yes in that case you can call the REST API from Azure functions.
Azure function don't have any trigger that can be used with AADS. Only available trigger and binding for function are listed here.

K Thiru 21 Reputation points

2021-06-11T16:37:22.197+00:00

@MayankBargali-MSFT I don't think public API will be exposed in AD DS. Is it possible to connect using a Virtual network and private endpoint from azure function.

MayankBargali-MSFT 68,476 Reputation points

2021-06-11T17:00:07.843+00:00

@K Thiru No it would not be possible.

K Thiru 21 Reputation points

2021-06-11T18:11:46.28+00:00

@MayankBargali-MSFT so what are the possible ways to access user object in Azure AD DS?

Hasan Rizvi 0 Reputation points

2023-09-10T12:50:06.4966667+00:00

Hi @K Thiru Can you please tell us how you have resolved this. I am also working on the same.
Sign in to comment
K Thiru 21 Reputation points

2021-07-20T11:40:41.847+00:00

I have connected the active directory in on-prem and azure VM using vnet connection in azure function and it worked perfectly.
Please sign in to rate this answer.
FArab 6 Reputation points

2021-07-30T15:05:10.52+00:00

That's great @K Thiru , trying similar POC, any link you can point me to showing how you achieved this would be really helpful please?

Shiva 0 Reputation points

2021-09-03T20:21:37.997+00:00

Hello @K Thiru Can you please explain, How your azure function is sending/receiving parameters to and from Azure VM.

Prasuna kakani 6 Reputation points

2021-11-25T04:13:30.233+00:00

Hi @K Thiru , Glad to hear that you were able to connect the on-Prem AD from Azure Function, I am facing similar issue as the AD domain would not be recognized by the Azure function app, it always throw LDAP server not operational . Is it possible if u can share some pointers how it is fixed from your end.
Thanks.

peace 1 Reputation point

2022-03-03T21:17:34.683+00:00

@K Thiru : Are you deployed azure functions in "on-prem" to create a AD users etc? Will that not be a problem to expose your company code in the customer tenant?

We have a similar scenario to establish a connection with domain controller virtual machine (Customer On-premises tenant) for performing active directory operations such as add/modify/delete AD user from the web application (Management tenant).

Customer Tenant Pre-Conditions:

Customer don't allow performing below options

VNET to VNET peering ( To connect from the tenant where application code is hosted to the Customer on-premises AD)

VPN Gateway

PowerShell remoting

PS 376 Reputation points

2023-03-13T13:53:29.93+00:00

@K Thiru , do you mind sharing the process you followed to connect to on-prem AD please?

Thank you!
Sign in to comment