How to Use VMs with AzureAD

TanakaraBotamoty 1 Reputation point
2021-08-23T07:33:56.087+00:00

Thank you very much for your help.
I'm considering the following configuration for building a system using Azure.

[On-premise]

AD server (domain controller)

ADConnect

[Cloud: Azure]

AzureAD

AzureVM

I would like to know if it is possible to link the existing on-premise AD and AzureAD and have the VM join the domain.

The cloud side is newly built and the connection method between on-prem and Azure is Internet VPN.

In my research, I found an article that said that VMs cannot join a domain without AzureADDS.

However, I have not been able to find any literature that explicitly states whether or not this is possible.

I would appreciate it if you could let me know if the above is feasible or not, and if possible, what the evidence is.


1 answer

  1. Siva-kumar-selvaraj 15,556 Reputation points
    2021-09-21T20:16:47.297+00:00

    Hello @TanakaraBotamoty ,

    Thanks for reaching out.

    There are two ways to achieve this scenario: either "Login to Windows virtual machine in Azure using Azure Active Directory authentication" or "Join a Windows Server virtual machine to an Azure Active Directory Domain Services managed domain", when you have a hybrid identity setup with Azure AD in place.

    Login to Windows virtual machine in Azure using Azure Active Directory authentication:

    This method leverages the Azure AD join concept to integrate with Azure Active Directory (AD) for authentication. This feature is currently supported only with the following Windows distributions (Windows Server 2019 Datacenter / Windows 10 1809 and later).

    There are many security benefits of using AAD-based authentication, such as "Use your corporate AD credentials to login to Windows VMs in Azure" and "Login to Windows VMs with Azure Active Directory also works for customers that use Federation Services", etc. To learn more, refer.

    This feature is the modern way of joining a device to Azure AD directly and does provide user sign-in behavior and an SSO experience, but if you have any legacy applications which depend on LDAP or Kerberos/NTLM authentication, then you may have to set up Azure AD DS to domain join devices, as explained below.

    Join a Windows Server virtual machine to an Azure Active Directory Domain Services managed domain:

    This method is similar to a traditional Active Directory setup: Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

    When you set up Azure AD DS, two Windows Server domain controllers (DCs) are deployed into your selected Azure region. This deployment of DCs is known as a replica set.

    So you can join virtual machines (Windows as well as Linux) to the managed domain and then authenticate using corporate AD credentials to log in.

    To learn more, refer:

    Join VMs to AzureADDS
    What is Azure AD Domain Services

    Depending on the use cases of your environment, you could leverage either of the above options, and these two options work even without an Internet VPN to the on-premises environment, as long as you have set up Hybrid Identity with Azure AD.

    Hope this helps.

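As an added example (not part of the answer above and not Microsoft's own sample code), this Azure CLI script performs the first option the answer describes: it enables Azure AD sign-in on an existing Windows VM and grants a single user the built-in "Virtual Machine User Login" role scoped to that one VM, rather than the admin role or a broader scope. It assumes the Azure CLI is installed and logged in; the resource group, VM name and user principal name are placeholders supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: enable Azure AD login on a Windows VM and assign the
# least-privileged login role. Assumes a logged-in Azure CLI; the
# resource group, VM name and UPN below are caller-supplied placeholders.
set -euo pipefail

# Map a desired access level to the built-in Azure RBAC role for VM login.
# "user" gives a standard session; "admin" gives local administrator rights.
# Anything else is rejected so a typo cannot silently grant admin.
role_for_level() {
  case "$1" in
    user)  echo "Virtual Machine User Login" ;;
    admin) echo "Virtual Machine Administrator Login" ;;
    *)     echo "unknown access level: $1" >&2; return 1 ;;
  esac
}

# The AADLoginForWindows extension requires a system-assigned managed
# identity on the VM, so assign one before installing the extension.
enable_aad_login() {
  local rg="$1" vm="$2"
  az vm identity assign --resource-group "$rg" --name "$vm" --output none
  az vm extension set \
    --publisher Microsoft.Azure.ActiveDirectory \
    --name AADLoginForWindows \
    --resource-group "$rg" --vm-name "$vm" --output none
}

# Grant the role at the scope of this single VM (its resource ID), not the
# resource group or subscription, so the assignment does not also permit
# sign-in to other VMs.
grant_login() {
  local rg="$1" vm="$2" upn="$3" level="$4" role scope
  role="$(role_for_level "$level")"
  scope="$(az vm show --resource-group "$rg" --name "$vm" --query id --output tsv)"
  az role assignment create --role "$role" --assignee "$upn" \
    --scope "$scope" --output none
}

# Usage: ./aad-vm-login.sh <resource-group> <vm-name> <user@domain> [user|admin]
if [ "$#" -ge 3 ]; then
  enable_aad_login "$1" "$2"
  grant_login "$1" "$2" "$3" "${4:-user}"
fi
```

This path gives Azure AD sign-in and SSO only; as the answer notes, workloads that need LDAP or Kerberos/NTLM still require a domain join to Azure AD DS.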