What is Azure AD Domain Services?

Confused about the difference between Azure Active Directory (AAD) and Azure AD Domain Services? In today’s Ask the Admin, I’ll give a rundown of the features of Azure AD Domain Services and how it differs from Azure AD.

Azure Active Directory (AAD) has been part of Microsoft’s cloud platform for a long time and provides the authentication solution not only for Azure itself, but also Office 365, third-party apps, and for apps that you deploy in the cloud. When it comes to integrating on premise Active Directory (AD) with the cloud, Azure AD allows you to either maintain a separate directory of user accounts in the cloud, sync accounts between on premise AD and the cloud, or use AD Federation Services (ADFS) to authenticate on premise AD users to cloud apps.

In mid-October, Microsoft announced a preview of a new service called Azure AD Domain Services, which extends the capabilities of Azure AD to provide native domain-join, Group Policy, Kerberos and NTLM authentication, and Lightweight Directory Access Protocol (LDAP) access to the directory (read and bind; write coming soon). As a result, it’s now feasible to get most of the features of a full on site AD deployment in the cloud without installing domain controllers (DCs) in Azure VMs or setting up a site-to-site VPN. Additionally, deploying Azure AD Domain Services relieves organizations of having to maintain, secure and patch DCs in the cloud.

How does Azure AD Domain Services work?

Azure AD Domain Services can be enabled for existing AAD tenants and made available to Azure virtual networks, where VMs can then be joined to and managed by the new domain. That sounds easy enough for a cloud-only enterprise, but many organizations have more complicated arrangements.

What is Azure AD Domain Services
Enable Azure Active Directory Domain Services in the management portal (Image Credit: Russell Smith)

Where a hybrid solution has been deployed connecting an on premise AD domain with an Azure AD tenant, the procedure for enabling Azure AD Domain Services for the Azure AD tenant is the same as for the cloud-only enterprise, but it’s important to note that for security reasons, the domain deployed in the cloud is completely separate from the on premise domain.

Credential hashes

If your organization has a cloud-only tenant, users needing to log in to devices joined to the domain will have to reset their AAD passwords. Azure AD Domain Services requires legacy NTLM and Kerberos credential hashes, and by default these are not generated by AAD. Once Azure AD Domain Services is enabled for an AAD tenant, the next time users reset their passwords, a legacy credential hash will be created and passed to Azure AD DS.

In a hybrid environment, you must be using the latest version of AD Connect, which is the software that keeps on premise domains in sync with AAD, and then enable full password synchronization. Naturally, syncing legacy credential hashes to the cloud may not be desirable in every organization, but is an important consideration for Azure AD DS.

Pricing and availability

Azure AD Domain Services is available now in preview for all three AAD tiers: Free, Basic, and Premium. The service is billed per hour and the rate depends on the number of user, group, and computer objects in your Azure AD tenant.

There are several pricing tiers available, but during preview only the 5,001 to 25,000 tier is being offered, with a fifty percent discount on the general availability price. For more information on Azure AD DS pricing, see Microsoft’s website here.