
What is Azure AD Domain Services?

Confused about the difference between Azure Active Directory (AAD) and Azure AD Domain Services? In today’s Ask the Admin, I’ll give a rundown of the features of Azure AD Domain Services and how it differs from Azure AD.

Azure Active Directory (AAD) has been part of Microsoft’s cloud platform for a long time and provides the authentication service not only for Azure itself, but also for Office 365, third-party apps, and apps that you deploy in the cloud. When it comes to integrating on-premises Active Directory (AD) with the cloud, Azure AD lets you either maintain a separate directory of user accounts in the cloud, synchronize accounts from on-premises AD to the cloud, or use Active Directory Federation Services (AD FS) to authenticate on-premises AD users to cloud apps.

In mid-October, Microsoft announced a preview of a new service called Azure AD Domain Services, which extends the capabilities of Azure AD to provide native domain-join, Group Policy, Kerberos and NTLM authentication, and Lightweight Directory Access Protocol (LDAP) access to the directory (read and bind; write coming soon). As a result, it’s now feasible to get most of the features of a full on-premises AD deployment in the cloud without installing domain controllers (DCs) in Azure VMs or setting up a site-to-site VPN. Additionally, deploying Azure AD Domain Services relieves organizations of having to maintain, secure and patch DCs in the cloud. The flip side is that Microsoft, not you, owns the DCs: you do not get Domain Admin or Enterprise Admin rights on the managed domain, and administration is delegated through a dedicated Azure AD group instead.

How does Azure AD Domain Services work?

Azure AD Domain Services can be enabled for existing AAD tenants and made available to Azure virtual networks, where VMs can then be joined to and managed by the new domain. That sounds easy enough for a cloud-only enterprise, but many organizations have more complicated arrangements.


[Image: Enable Azure Active Directory Domain Services in the management portal (Image Credit: Russell Smith)]

Where a hybrid solution has been deployed connecting an on-premises AD domain with an Azure AD tenant, the procedure for enabling Azure AD Domain Services for the Azure AD tenant is the same as for the cloud-only enterprise, but it’s important to note that, for security reasons, the domain deployed in the cloud is completely separate from the on-premises domain. The managed domain is not a member of your on-premises forest, and it is populated by a one-way synchronization from Azure AD: user, group, and credential data flow from Azure AD into the managed domain, and changes made in the managed domain are not written back to Azure AD or to your on-premises AD.

Credential hashes

If your organization has a cloud-only tenant, users needing to log in to devices joined to the domain will have to reset their AAD passwords. Azure AD Domain Services authenticates with legacy NTLM and Kerberos credentials, which means it needs the NTLM password hash and Kerberos keys derived from each user’s password, and by default AAD does not generate or store these. Once Azure AD Domain Services is enabled for an AAD tenant, the next time a user changes or resets their password, the legacy credential hashes are created and passed to Azure AD DS. Until that happens, the user can still sign in to Azure AD and Office 365 as before, but cannot authenticate to VMs joined to the managed domain.
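Because a user’s hash is only generated when the password changes, a practical check for a cloud-only tenant is to list every enabled user whose last password change predates the date you enabled the service. The script below is an added example written for this article, not code from Microsoft or the original post; it uses the Microsoft Graph PowerShell module (`Connect-MgGraph`, `Get-MgUser`) and the `lastPasswordChangeDateTime` attribute, and the `-EnabledOn` value is an assumption you must supply from your own tenant.

```powershell
# Added example (not from the original article): find cloud-only users who have not
# changed their password since Azure AD Domain Services was enabled, so no legacy
# NTLM/Kerberos credential hash exists for them and they cannot sign in to VMs joined
# to the managed domain. Requires the Microsoft.Graph PowerShell module.
# -EnabledOn is an assumption: pass the date on which you enabled the service.
param(
    [Parameter(Mandatory = $true)]
    [datetime]$EnabledOn
)

# Reading lastPasswordChangeDateTime for other users needs User.Read.All.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

# lastPasswordChangeDateTime is not in the default property set, so request it explicitly.
$users = Get-MgUser -All -Property 'UserPrincipalName', 'LastPasswordChangeDateTime', 'AccountEnabled'

$missingHash = foreach ($u in $users) {
    # Disabled accounts cannot sign in anyway, so skip them.
    if (-not $u.AccountEnabled) { continue }

    # A null timestamp means the password has never been changed on this account;
    # an older one means the change happened before the service could capture a hash.
    if ($null -eq $u.LastPasswordChangeDateTime -or $u.LastPasswordChangeDateTime -lt $EnabledOn) {
        [pscustomobject]@{
            UserPrincipalName  = $u.UserPrincipalName
            LastPasswordChange = $u.LastPasswordChangeDateTime
        }
    }
}

$missingHash | Sort-Object UserPrincipalName | Format-Table -AutoSize

$enabledCount = @($users | Where-Object { $_.AccountEnabled }).Count
'{0} of {1} enabled users still need a password change before they can authenticate to the managed domain.' -f @($missingHash).Count, $enabledCount
```

Run it as, for example, `.\Find-UsersWithoutLegacyHash.ps1 -EnabledOn (Get-Date '2024-01-01')` (file name and date are placeholders). The users it lists are the ones to target with a forced password change; simply re-entering the same password is not enough, because the hash is only created as part of a password change event.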

In a hybrid environment, you must be running the latest version of Azure AD Connect, the software that keeps on-premises domains in sync with AAD, with password synchronization enabled, and then trigger a full password synchronization so that the legacy credential hashes for all existing users are sent to Azure AD and on to the managed domain (normal password sync only sends hashes as passwords change). Naturally, syncing legacy credential hashes to the cloud may not be desirable in every organization: these are the same NTLM hashes and Kerberos keys that a domain controller holds, so the managed domain becomes another place where they live. That trade-off is an important consideration for Azure AD DS.
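Forcing that one-time full password synchronization is done on the Azure AD Connect server with the ADSync module’s cmdlets. The script below is an added example for this article, not Microsoft’s or the original post’s code: it sets the connector’s `Microsoft.Synchronize.ForceFullPasswordSync` parameter and then toggles password sync off and on to trigger the run. The connector names and module path are assumptions and must be taken from your own installation (`Get-ADSyncConnector | Select-Object Name, ConnectorTypeName` lists them).

```powershell
# Added example (not from the original article): trigger a full password hash
# synchronization from an on-premises AD forest to Azure AD so that existing users'
# legacy NTLM/Kerberos credential hashes reach the managed domain.
# Run in an elevated PowerShell session on the Azure AD Connect server.
# Connector names are CASE SENSITIVE and are assumptions; copy them from
# Get-ADSyncConnector | Select-Object Name, ConnectorTypeName
$adConnector      = 'contoso.local'                      # on-premises AD connector name (assumed)
$azureadConnector = 'contoso.onmicrosoft.com - AAD'      # Azure AD connector name (assumed)

# Default install path of the ADSync module (assumed; adjust if you installed elsewhere).
Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'

# Mark the AD connector so the next password sync cycle is a full one rather than a
# delta of recently changed passwords.
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        'Microsoft.Synchronize.ForceFullPasswordSync', String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Disabling and re-enabling password sync restarts the password sync channel, which
# picks up the ForceFullPasswordSync flag and replays every user's hash.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true

# Confirm password sync is enabled again for the source connector.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
```

The full sync can take a while on a large forest; until it completes, only users whose password has changed since the service was enabled will be able to authenticate to the managed domain, so run it during a change window and verify with a test account afterwards.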

Pricing and availability

Azure AD Domain Services is available now in preview for all three AAD tiers: Free, Basic, and Premium. The service is billed per hour and the rate depends on the number of user, group, and computer objects in your Azure AD tenant.

There are several pricing tiers available, but during the preview only the 5,001 to 25,000 object tier is being offered, with a fifty percent discount on the general availability price. For more information on Azure AD DS pricing, see Microsoft’s Azure AD Domain Services pricing page.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.