question

MattBarron-2814 avatar image
0 Votes"
MattBarron-2814 asked sikumars commented

Domain Service Account in Azure?

I have an API running in IIS on an Azure VM on a virtual network that is accessed via Azure VPN. This API accesses a database, also hosted on an Azure VM (SQL Server on Azure Virtual Machines). Both machines are attached to an Azure Active Directory Domain Services instance.

If I was running this account on-premises I'd create a service account in Active Directory, and run the API using that account (in the Application Pool in IIS), and then give the service account the appropriate access to the database.

Is there any way to achieve this using Azure Active Directory Domain Services?

Many thanks in advance!

azure-active-directoryazure-ad-domain-services
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sikumars avatar image sikumars ·

@MattBarron-2814,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

0 Votes 0 ·

1 Answer

sikumars avatar image
0 Votes"
sikumars answered

Hello @MattBarron-2814,

Thanks for reaching out.

From your query, I understand that you have IIS based application running on Azure VM which joined to Azure Active Directory Domain Services instance hence wanted to know if service account can be used to run services.

Azure AD DS lets you continue to use service accounts in the same way. You can choose to use the same service account that is synchronized from your on-premises directory to Azure AD or create a custom OU and then create a separate service account in that OU. With either approach, applications continue to function the same way to make authenticated calls to other tiers and services.

As managed domains are locked down and managed by Microsoft, there are some considerations when using service accounts:

  • Create service accounts in custom organizational units (OU) on the managed domain or same service account that is synchronized from your on-premises directory to Azure AD.

  • You can't create a service account in the built-in AADDC Users or AADDC Computers OUs.

  • Instead, create a custom OU in the managed domain and then create service accounts in that custom OU.

To learn more about, refer following links:
Migrate an on-premises service or daemon application to Azure: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/scenarios#migrate-an-on-premises-service-or-daemon-application-to-azure

Using service accounts in Azure AD DS: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/create-gmsa#using-service-accounts-in-azure-ad-ds

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.