@Simon Burbery Your replies are completely unhelpful, there are tons of reasons that people may be using AADDS, this "legacy" option is there for a reason.
Have you even used it? if not, you shouldn't be commenting.
Reason why people still use it:
- Because you don't wan't to host an AD domain yourself
- Because you like AD
- Because AADDS is an out of the box ready AD
- Because you don't like MDM or are not rewady to work witj intune or any other MDM tool
- Because you like GPOs
- Because you have remote workers that need to authenticate via VPN to AADDS
- Because you have "legacy" applications (like Bitbucket DC, Jenkins, GLPI, etc ,etc) that use LDAPs to authenticate
- And most important of all, because you decided to have a serverless AD domain, and didn't research enough when doing it. (Because in the information page of the service doesn't specify some of the limitations). And now you have hundreds of people in the service, and changing the infrastructure and network design is not an option.
Reasons an account can get blocked and you need to unlock it (regardless of the policies):
- A user (or even a bot attack) locked and account via LDAPs
- A user forgot the password and locked the account in his windows device
- A "wrongly" published RDP access got under attack.
The only issues I have had with AADDS (non of them specified in the AADDS information website).
- Azure AD users are loctaed in the "ADDS Users" OU, these users can't be moved from OU so when applying GPOs, you have to manually exclude administrators via GPO Security Filtering and Delegation
- Domain functional level: when I first set it up, it was on Server 2012R2, Microsoft has recently updated to Server 2016 (Not a big issue, and Microsoft is upgrading it so, that's cool)
- You can't expand AD schema (For example if you need custom attributes)
- You can't unlock accounts (the main topic of this post) This was true, and apparently Microsoft listened to it's costumers and now it is possible to unlock users.
So, wrapping up.
- If you don't "understand the regulations" (as stated on your first reply) you shouldn't be replying.
- Your statement "most scenarios requiring Active Directory in Azure should not involve exposing the service to the internet" is not true.
- Your statement "Then you don't need the ability to manually unlock an account" Is BS, and administrator should always be able to lock/unlock an account.
- Your statement "I would suggest you are using the service in an unintended way" you know nothing about that person, network design, user schema design, policies, etc.
- Your statement "Out of date" I don't think in anyway AD is an out of date system, and it will be probably maintained for many many years yet.
- Your statement "I shudder at the thought of the AADDS team spending any amount of time to provide this feature!" - They did provide the feature
- Your statement "but I question why anyone would require this functionality - what is it you are doing that requires this? If you do require it, then I would suggest you have chosen the wrong solution." BS in so many levels, this solution is perfect and very useful in many scenarios.
- Your statement "Do you have on-premises AD and sync it to Azure AD? If so, your on-premises AD is the master of identity," Obviously not, he wouldn't be asking.
- This types of questions are made to get helpful answers not to get criticized, on what you are doing wrong.
I just read a meme, that perfectly applies to these responses.
"Every time I have a programming question that I need help with, I post the question on Reddit and then log in with another account and get a ridiculously wrong answer. People don't like to help others, but LOVE to correct others. It works 100% of the time."