Solution Idea
If you'd like to see us expand this article with more information, such as potential use cases, alternative services, implementation considerations, or pricing guidance, let us know with GitHub Feedback!
This solution idea shows how you can deploy Azure Virtual Desktop (AVD) rapidly in a minimum viable product (MVP) or a proof of concept (PoC) environment with the use of Azure Active Directory Domain Services (Azure AD DS). Use this idea to extend on-premises multi-forest AD DS identities to Azure without private connectivity and also support legacy authentication.
Potential use cases
This solution idea also applies to mergers and acquisitions, organization rebranding, and multiple on-premises identities requirements.
Architecture
Dataflow
The following steps show how the data flows in this architecture in the form of identity.
- Complex hybrid on-premises Active Directory environments are present, with two or more AD forests. Domains live in separate forests, with distinct UPN suffixes. For example, companyA.local with UPN suffix companyA.com, companyB.local with UPN suffix CompanyB.com, and an additional UPN suffix newcompanyAB.com.
- Instead of using customer-managed domain controllers whether on-premises or on Azure (that is, Azure IaaS domain controllers), the two cloud-managed domain controllers provided by Azure AD DS are used.
- Azure AD Connect syncs users from both CompanyA.com and CompanyB.com to the Azure AD tenant (NewCompanyAB.onmicrosoft.com). The user account is represented only once in Azure AD and private connectivity is not used.
- Users then sync from Azure AD to the managed Azure AD DS as a one-way sync.
- A custom and routable Azure AD DS domain name is created (aadds.newcompanyAB.com). The newcompanyAB.com is a registered domain to support LDAP certificates. It is generally recommended not to use non-routable domain names (such as, contoso.local) as it can cause issues with DNS resolution.
- The AVD session hosts join the Azure AD DS domain controllers.
- Host pools and app groups can be created in a separate subscription and spoke virtual network.
- Users are assigned to the app groups.
- Users sign in via AVD Desktop or web client with a format such as, john@companyA.com, jane@companyB.com, or joe@newcompanyAB.com, depending on the UPN suffix configured.
- Users are presented with their respective virtual desktops or apps. For example, joe@companyA.com will be presented with virtual desktops or apps in host pool A, jane@companyB will be presented with virtual desktops or apps in host pool B, and joe@newcompanyAB will be presented with virtual desktops or apps in host pool AB.
- The storage account (Azure Files used for FSLogix) is joined to the managed domain AD DS. The FSLogix user profiles are created in Azure Files shares.
Note
- For Group Policy requirements in Azure AD DS, you can install Group Policy Management tools on a Windows Server virtual machine that is joined to Azure AD DS.
- To extend GPO infrastructure for AVD from the on-premises domain controllers, manual export and import to Azure AD DS is required.
Components
Key technologies used to implement this architecture:
- Azure Active Directory
- Azure Active Directory Domain Services
- Azure Files
- Azure Virtual Desktop
- Virtual Network
Next steps
For more information, see these articles:
- Multiple AD forests architecture with Azure Virtual Desktop
- Azure Virtual Desktop for enterprises
- Azure AD Connect Topology
- Compare different Identity options
- Azure Virtual Desktop Documentation