KThiru08 asked peace-9159 edited

Access on-premise active directory from Azure functions/logic apps

I'm in the process of integrating the HR system with Active Directory, which involves creating new users, updating existing user attributes, and disabling users in AD.

We have an on-premises Active Directory and use Azure AD Connect to sync it to Azure Active Directory. We also have a domain controller in an Azure VM. I have checked the on-premises data gateway (Logic Apps) and hybrid connections (Azure Functions); neither supports on-premises Active Directory.

Any idea or workaround for connecting to the on-premises Active Directory or the Azure VM domain controller from Azure Functions, Logic Apps, etc. would be helpful.

Tags: azure-functions, azure-logic-apps, azure-ad-domain-services, azure-automation
AndreasBaumgarten answered Maguitinoco commented

Hi @KThiru08,

It's "complex", but it is possible to start an Azure Automation Runbook with an Azure Function:
https://wintellisys.com/use-azure-function-to-start-azure-automation-runbook/

Azure Automation is able to run on a Hybrid Worker and this way you are able to access an on-premises AD:
https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


Hi @AndreasBaumgarten

Thanks for your response. How do we connect to the Active Directory domain controller in the Azure VM managed domain and update a user or create a new user in AD?


Hi @KThiru08,

To manage the on-premises AD you need an Azure Automation Hybrid Worker running in the on-premises infrastructure:
https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker
The Hybrid Worker will execute Azure Automation Runbooks in the on-premises environment.

In Azure Automation, PowerShell runbooks can be created for the tasks you require, for instance "Create new user in AD" and "Update existing user in AD". It's possible to run the Azure Automation runbooks on the Hybrid Worker on-premises to manage the users in your on-premises AD.

The Azure Automation runbooks can be triggered by an Azure Function as described in the link above.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


Thanks @AndreasBaumgarten for the details on connecting to the on-premises Active Directory. But my question is how to connect to the same Active Directory in an Azure virtual machine instead of on-premises.


Hi Andreas,

I have Azure Automation running on a hybrid worker so that I can produce a user report from my AD, but I can't connect my runbook to AD. I've tried connecting with credentials and with the Run As account, and nothing works; I can't get the list. Do you have a PowerShell command example with which I can get my report?
I don't want to change anything in AD, just get a report of account expirations.

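The following runbook is an added example written for this page, not code from the thread, from Microsoft, or from either poster. It covers both Andreas's suggestion (run PowerShell runbooks on a Hybrid Runbook Worker that sits inside the domain) and Maguitinoco's request for a read-only account-expiration report. The credential asset name `AD-ReadOnly`, the server name `dc01.corp.example` and the presence of the ActiveDirectory module on the worker are assumptions. The runbook only reads AD and takes its password from an Automation credential asset, so a low-privilege domain account is enough; it does not need (and should not be given) Domain Admin rights.

```powershell
# Added example: Azure Automation PowerShell runbook for a domain-joined Hybrid Runbook Worker.
# Read-only: lists enabled accounts whose expiration date falls within the next $DaysAhead days.
# Assumptions (hypothetical names):
#  - an Automation credential asset 'AD-ReadOnly' holding a low-privilege domain account
#  - the worker has the ActiveDirectory PowerShell module (RSAT) installed
#  - a domain controller or domain name reachable as 'dc01.corp.example' (placeholder)

param(
    [int]$DaysAhead = 30,
    [string]$Server = 'dc01.corp.example'   # placeholder DC / domain name
)

Import-Module ActiveDirectory -ErrorAction Stop

# Credential asset: the password never appears in the runbook source or the job logs.
$cred = Get-AutomationPSCredential -Name 'AD-ReadOnly'

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

# AccountExpirationDate has to be requested explicitly via -Properties.
# Accounts that never expire come back with a null AccountExpirationDate.
$users = Get-ADUser -Server $Server -Credential $cred `
    -Filter 'Enabled -eq $true' `
    -Properties AccountExpirationDate, Mail

$report = foreach ($u in $users) {
    $exp = $u.AccountExpirationDate
    if ($null -eq $exp)   { continue }   # never expires
    if ($exp -gt $cutoff) { continue }   # expires after the reporting window
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Name           = $u.Name
        Mail           = $u.Mail
        ExpiresOn      = $exp
        Status         = if ($exp -lt $now) { 'Expired' } else { 'ExpiringSoon' }
        DaysLeft       = [math]::Floor(($exp - $now).TotalDays)
    }
}

# Objects written to the pipeline become the job output in Azure Automation; a caller
# (for example the Azure Function that started the job) can read them with
# Get-AzAutomationJobOutput, or the runbook can be scheduled and the output mailed on.
$report | Sort-Object ExpiresOn
```

Run it with the "Run on" setting pointed at the Hybrid Worker group rather than Azure; the same credential-asset pattern carries over to the create/update runbooks Andreas mentions, with `New-ADUser` and `Set-ADUser` in place of `Get-ADUser` and a correspondingly scoped (still not Domain Admin) account.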
MayankBargali-MSFT answered KThiru08 commented

Hi @KThiru08,

You cannot connect to your on-premises Active Directory using Azure Functions/Logic Apps. But you can use the Microsoft Graph API for Azure Active Directory. You can call the REST API endpoint from Azure Functions/Logic Apps.

AFAIK sync is only possible from on-prem AD to Azure AD, and vice versa only a few attributes (password, exchange password) are synced back, but not the entire user object. If you are looking to create a user in Azure AD and have it sync to on-prem AD, that is not possible.

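As an added example of the Graph route Mayank describes (not code from the thread or from Microsoft), here is an HTTP-triggered PowerShell Azure Function (`run.ps1`) that reads users from Azure AD through Microsoft Graph. It authenticates with the function app's system-assigned managed identity, so there is no client secret to store or rotate; the assumption is that the identity has been granted the `User.Read.All` application permission with admin consent. The `prefix` query parameter, the attribute list and the response shape are choices made for this example.

```powershell
# Added example: HTTP-triggered PowerShell Azure Function reading Azure AD users via Graph.
# Auth: system-assigned managed identity (no stored secret). Assumes the identity holds
# the Graph application permission User.Read.All and function.json binds Request/Response.
using namespace System.Net

param($Request, $TriggerMetadata)

# 1. Token from the Functions managed-identity endpoint.
#    IDENTITY_ENDPOINT and IDENTITY_HEADER are injected by the platform at runtime.
$tokenUri = "$($env:IDENTITY_ENDPOINT)?resource=https://graph.microsoft.com&api-version=2019-08-01"
$token = (Invoke-RestMethod -Method Get -Uri $tokenUri `
            -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }).access_token

# 2. Validate caller input before it goes into an OData $filter.
#    Only a plain UPN prefix is accepted; quotes and operators are rejected outright.
$prefix = $Request.Query.prefix
if ($prefix -and $prefix -notmatch '^[A-Za-z0-9._-]{1,64}$') {
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::BadRequest
        Body       = 'prefix must be 1-64 characters of [A-Za-z0-9._-]'
    })
    return
}

# 3. Query Graph. $select limits the attributes to what the caller needs; $top pages the
#    result and @odata.nextLink is followed until the collection is exhausted.
$uri = 'https://graph.microsoft.com/v1.0/users?$select=id,displayName,userPrincipalName,accountEnabled&$top=100'
if ($prefix) { $uri += "&`$filter=startswith(userPrincipalName,'$prefix')" }

$users = @()
while ($uri) {
    $page   = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $token" }
    $users += $page.value
    $uri    = $page.'@odata.nextLink'
}

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = [HttpStatusCode]::OK
    Headers    = @{ 'Content-Type' = 'application/json' }
    Body       = ($users | ConvertTo-Json -Depth 4)
})
```

The same token request works for writes (`POST /v1.0/users`, `PATCH /v1.0/users/{id}`) once the identity holds `User.ReadWrite.All`; keep the function's HTTP trigger at `authLevel: function` or behind Azure AD authentication so the managed identity's Graph rights are not reachable anonymously.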

Thanks @MayankBargali-MSFT for your response. I understand it's not possible to connect to on-prem AD from an Azure Function, but can you let me know whether it is possible to connect to Azure VM AD DS from an Azure Function? If yes, please let me know how.


@KThiru08 I have added the azure-ad-domain-services tag to confirm whether this can be exposed as an API from their end. If yes, in that case you can call the REST API from Azure Functions.
Azure Functions don't have any trigger that can be used with AADS. The available triggers and bindings for Functions are listed here.


@MayankBargali-MSFT I don't think a public API will be exposed in AD DS. Is it possible to connect using a virtual network and private endpoint from an Azure Function?

KThiru08 answered peace-9159 edited

I have connected to the Active Directory on-prem and in the Azure VM using a VNet connection in the Azure Function, and it worked perfectly.
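KThiru08 does not share code, so the following is an added example of the VNet-integration approach, written for this page and not taken from the thread. It is an HTTP-triggered PowerShell Azure Function that looks up one user over LDAPS on a domain controller reachable through the function app's VNet integration, using `System.DirectoryServices` (available to PowerShell on Windows function plans). Everything specific is a placeholder: the DC name `dc01.corp.example`, the base DN, and the `LDAP_USER`/`LDAP_PASS` app settings (which should be Key Vault references). Two points the later comments run into are built in: the DC's name must resolve through the VNet's DNS (set `WEBSITE_DNS_SERVER` on the function app to the domain's DNS server, otherwise name resolution fails before any LDAP traffic is sent), and the caller-supplied UPN is escaped per RFC 4515 before it is placed in the filter.

```powershell
# Added example: Azure Function (PowerShell, Windows plan, VNet integration) querying a
# domain controller over LDAPS. Placeholders: dc01.corp.example, DC=corp,DC=example,
# app settings LDAP_USER / LDAP_PASS (use Key Vault references for the real values).
# Prerequisites: WEBSITE_DNS_SERVER points at the domain's DNS; TCP 636 open from the
# integration subnet to the DC; the service account only needs read rights.

param($Request, $TriggerMetadata)

function Find-AdUserByUpn {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [string]$Server = 'dc01.corp.example',   # placeholder DC FQDN
        [string]$BaseDn = 'DC=corp,DC=example'   # placeholder search base
    )

    # Escape the characters RFC 4515 reserves in filter values so a crafted UPN cannot
    # change the meaning of the LDAP filter (backslash must be escaped first).
    $safe = $Upn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
                 -replace '\)', '\29' -replace "`0", '\00'

    # LDAPS on 636: bind credentials and results are encrypted in transit. A simple bind
    # over plain LDAP (389) would send the service account password in clear text.
    $path  = "LDAP://${Server}:636/${BaseDn}"
    $auth  = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer -bor
             [System.DirectoryServices.AuthenticationTypes]::Secure
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $path, $env:LDAP_USER, $env:LDAP_PASS, $auth)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter = "(&(objectClass=user)(userPrincipalName=$safe))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'displayName', 'userAccountControl'))
    $searcher.SizeLimit = 1

    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }

    $uac = [int]$result.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        SamAccountName = [string]$result.Properties['samaccountname'][0]
        DisplayName    = [string]$result.Properties['displayname'][0]
        Disabled       = [bool]($uac -band 0x2)   # ADS_UF_ACCOUNTDISABLE
    }
}

# HTTP entry point: GET ...?upn=someone@corp.example
$upn = $Request.Query.upn
if (-not $upn) {
    Push-OutputBinding -Name Response -Value @{ StatusCode = 400; Body = 'upn query parameter required' }
    return
}

$user = Find-AdUserByUpn -Upn $upn
Push-OutputBinding -Name Response -Value @{
    StatusCode = if ($user) { 200 } else { 404 }
    Body       = ($user | ConvertTo-Json)
}
```

A failing bind is easiest to diagnose from the function's Kudu console: `nslookup dc01.corp.example` confirms the DNS side, and `Test-NetConnection dc01.corp.example -Port 636` (or `tcpping`) confirms the NSG and firewall path, before looking at the LDAP code itself.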


That's great @KThiru08, I'm trying a similar POC; any link you can point me to showing how you achieved this would be really helpful, please?


Hi @KThiru08, glad to hear that you were able to connect to the on-prem AD from an Azure Function. I am facing a similar issue, as the AD domain is not recognized by the Azure Function app; it always throws "LDAP server not operational". Is it possible for you to share some pointers on how it was fixed on your end?
Thanks.


Hello @KThiru08, can you please explain how your Azure Function is sending/receiving parameters to and from the Azure VM?


@KThiru08: Have you deployed Azure Functions "on-prem" to create AD users etc.? Won't it be a problem to expose your company code in the customer tenant?

We have a similar scenario: establishing a connection with a domain controller virtual machine (customer on-premises tenant) to perform Active Directory operations such as add/modify/delete AD user from the web application (management tenant).

  • Customer tenant pre-conditions:

The customer doesn't allow the options below:

  • VNET to VNET peering (to connect from the tenant where the application code is hosted to the customer's on-premises AD)

  • VPN Gateway

  • PowerShell remoting
