I have to say, since joining Microsoft I talk “as-a-Service” almost every day. Among all of the cool PaaS capabilities you will find Azure Active Directory (AAD).
Before diving in, let’s all be on the same page here – I’m not going to deploy any domain controller or run DCPROMO on a VM, God forbid; it is all about the PaaS, ladies and gents 🙂 .
This will be the first out of three posts around this topic:
- Azure Active Directory Services as-a-Service – Prerequisites
- Azure Active Directory Services as-a-Service – Joining a Domain
- Delete Azure Active Directory Services Directory
The idea for this post came from Mr. Ido Katz who is an Azure MVP at one of the local partners here in Israel. He wrote a short post on this topic which I’ve decided to extend a bit and touch on more details.
Disclaimer: I know this sucks but AAD is still not available in the new Azure portal. We are working on it :-).
Also, I’m assuming you don’t have an Azure Active Directory created yet.
So, the first step will be to create one – pretty straightforward. In my case, the domain name is “azurexlab.onmicrosoft.com”.
In order for this coolness to work, we need to do some prep first, which includes:
- Create a dedicated Azure AD Domain Services VNet
- Create the “AAD DC Administrators” group
- Add a user to this group, which authorizes it to join Windows machines to your onmicrosoft.com domain
- Reset the user password
- Enable Azure AD Domain Services
OK let’s get to work and create a custom Classic VNet.
Leave everything blank for now, we will come back to DNS settings in the next post.
The next part is really up to you to decide. In my case I’ve changed the address space to 22.214.171.124/26 and left the subnet name as the default.
In production, a better practice is to split the address space into subnets that match your workload tiers, such as databases, dev, web, etc.
Great! The next step is to create the “AAD DC Administrators” domain security group. Go to the Groups page of your new directory and create it.
Assign the user the Global Admin role.
Hit the Create button and save the temporary password in Notepad; we will need it in a second.
Good job. Now, go back to the group we’ve created and add the user as a member.
In the next post, this user will be used for joining the Windows machine to the domain but in order for us to use it, we need to assign it a permanent password first.
Log out from the Azure Management Portal and log in with the new user and the temporary password. Change the password when asked.
Once you are logged in you can safely log out; we are done with this user for now.
We are almost there 🙂! The last prerequisite is to enable Domain Services on the configuration page.
Under the domain services section, go ahead and enable Directory Services. Select the DNS Domain Name and the VNet we created earlier. Don’t forget to hit the Save button at the bottom of the page.
Now, you need to wait for the directory to get updated (15-30 min). Once it is, go back to the configuration page, where you will find your domain IP address. In order for machines to be able to join the domain, the VNet needs to be set with this IP as its DNS server, which we will do in the next post.
Don’t worry about the password synchronization message for now, this is out of scope for what we are trying to do here.
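The group and user steps above, as an added PowerShell example (not from the original post) using the MSOnline module: it assumes the module is installed, reuses the post’s azurexlab.onmicrosoft.com tenant, and the account name aaddsjoin is a placeholder. The VNet and the Domain Services toggle stay in the classic portal.

```powershell
# Added example, not from the original post. Assumed: MSOnline module installed,
# tenant azurexlab.onmicrosoft.com (from the post), user name "aaddsjoin" is a placeholder.
Import-Module MSOnline
Connect-MsolService   # prompts for a Global Admin login

$domain    = 'azurexlab.onmicrosoft.com'
$groupName = 'AAD DC Administrators'   # must match exactly; AAD DS recognises this group by name
$upn       = "aaddsjoin@$domain"

# 1. Create the security group only if it is not already there (safe to re-run).
$group = Get-MsolGroup -SearchString $groupName | Where-Object { $_.DisplayName -eq $groupName }
if (-not $group) {
    $group = New-MsolGroup -DisplayName $groupName -Description 'Delegated admins for Azure AD Domain Services'
}

# 2. Create the domain-join user with a one-time password. ForceChangePassword mirrors
#    the "change the password when asked" step, so the temporary password is never kept.
$user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
if (-not $user) {
    $user = New-MsolUser -UserPrincipalName $upn -DisplayName 'AAD DS Join Account' -ForceChangePassword $true
    Write-Host "Temporary password (shown once, do not store it): $($user.Password)"
}

# 3. Global Admin role, as the post does ("Company Administrator" is the MSOL name for it).
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $upn

# 4. Group membership: this is what the post relies on for the domain join in the next part.
Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId

# 5. Review: this group is privileged in the managed domain, so list its members and
#    flag anyone other than the account we just added.
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId
$members | Select-Object DisplayName, EmailAddress | Format-Table -AutoSize
$unexpected = $members | Where-Object { $_.EmailAddress -ne $upn }
if ($unexpected) {
    Write-Warning "Unexpected members of '$groupName': $($unexpected.EmailAddress -join ', ')"
}
```

Re-running the script is harmless: the group and user are only created when missing, and the membership review runs every time.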
I know, a ton of prereq work, but we are getting closer. In the next post we will have a Windows machine joined to our shiny new Azure Active Directory, stay tuned…