Secure your Azure AD Domain Services managed domain

This article helps you secure your managed domain. You can turn off the usage of weak cipher suites and disable NTLM credential hash synchronization.

Install the required PowerShell modules

Install and configure Azure AD PowerShell

Follow the instructions in the article to install the Azure AD PowerShell module and connect to Azure AD.

Install and configure Azure PowerShell

Follow the instructions in the article to install the Azure PowerShell module and connect to your Azure subscription.

Disable weak cipher suites and NTLM credential hash synchronization

Use the following PowerShell script to:

  1. Disable NTLM v1 support on the managed domain.
  2. Disable the synchronization of NTLM password hashes from your on-premises AD.
  3. Disable TLS v1 on the managed domain.

# Log in to your Azure account
Login-AzAccount

# Retrieve the Azure AD Domain Services resource.
$DomainServicesResource = Get-AzResource -ResourceType "Microsoft.AAD/DomainServices"

# 1. Disable NTLM v1 support on the managed domain.
# 2. Disable the synchronization of NTLM password hashes from
#    on-premises AD to Azure AD and Azure AD Domain Services
# 3. Disable TLS v1 on the managed domain.
$securitySettings = @{"DomainSecuritySettings"=@{"NtlmV1"="Disabled";"SyncNtlmPasswords"="Disabled";"TlsV1"="Disabled"}}

# Apply the settings to the managed domain.
Set-AzResource -Id $DomainServicesResource.ResourceId -Properties $securitySettings -Verbose -Force

Important

Users (and service accounts) cannot perform LDAP simple binds if you have disabled NTLM password hash synchronization on your Azure AD Domain Services instance. For more information on disabling NTLM password hash synchronization, read Secure your Azure AD Domain Services managed domain.
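After applying the settings above, it is worth reading them back to confirm nothing was silently rejected and to keep a record for audits. The following verification script is an added example, not code from the original article; it assumes the Az PowerShell module is installed and that Connect-AzAccount has already been run against the subscription that holds the managed domain.

```powershell
# Added verification script (not part of the original article).
# Reads back the DomainSecuritySettings of every managed domain in the
# subscription and reports any of the three hardening settings still "Enabled".
# Assumes: Az module installed, Connect-AzAccount already run.

$expected = @{ NtlmV1 = "Disabled"; SyncNtlmPasswords = "Disabled"; TlsV1 = "Disabled" }

foreach ($summary in (Get-AzResource -ResourceType "Microsoft.AAD/DomainServices")) {
    # A by-id lookup returns the full property bag, which the list call may omit.
    $domain = Get-AzResource -ResourceId $summary.ResourceId
    $actual = $domain.Properties.DomainSecuritySettings

    # Collect every setting whose value differs from the hardened value.
    $drift = foreach ($name in $expected.Keys) {
        $value = $actual.$name
        if ($value -ne $expected[$name]) {
            [pscustomobject]@{ Domain = $domain.Name; Setting = $name; Value = $value }
        }
    }

    if ($drift) {
        Write-Warning "$($domain.Name): $(@($drift).Count) setting(s) not hardened"
        $drift | Format-Table -AutoSize
    } else {
        Write-Output "$($domain.Name): NTLMv1, NTLM hash sync and TLS 1.0 are all disabled."
        # Reminder from the note above: with SyncNtlmPasswords disabled,
        # LDAP simple binds against this managed domain will fail.
    }
}
```

A null value in the report (rather than "Enabled") usually means the caller lacks read permission on the resource properties, so treat it as unverified rather than as hardened.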

Next steps