Forum Discussion
Clarification on Azure AD DS domain suffix vs on-prem Domain syncing?
John Quile: To answer your questions:
- Yes, that is supported, as long as you enable Password Hash Synchronization (PHS), which allows the newly created Azure AD DS to verify credentials. If you do not want to enable PHS, then you can try out Azure AD DS's latest preview, which is resource forests.
- There's some Azure AD DS guidance here, so I would rather defer to that team's guidance than misspeak.
- Ultimately, Windows Virtual Desktop has two primary authentication prompts:
- Front-end Azure AD to download the feed / login to the client. If your Azure AD is set to federate, then authentication follows that. Everything would work like it normally would when challenged to Azure AD.
- Back-end Windows login. This is where it's important to set up the domain (or Azure AD DS correctly) so your users can enter those credentials to the VM like a normal RDP prompt, and so the VM can process those and perform the login.
Hope that all helps!
- John Quile, Jan 17, 2020, Brass Contributor
Thanks for your follow-up with that. So I definitely would want an easier logon process. For WVD I don't think we'd be seeing .rdp files or RDP connections but I may be wrong. But we have Okta and I believe they have a client that installs on systems to prompt for Okta MFA upon logging into an RDP session.
As for the Azure AD DS hybrid approach: when I go to create an AD DS instance and network, is it going to let me pick the same domain as the on-prem AD one that it's ultimately syncing from? Or does it have to be a different, unique one that doesn't factor into a user's username and that users would never see?
I wouldn't want users having to log in as first.last@someotherdomain.onmicrosoft.com or whatever, nor having to map their corp creds to different creds for SAML assertion.
- RobertCrane, Jan 17, 2020, MVP
Yes, you can use any domain, like you can on prem, but best practice is to use a subdomain of your on-prem domain to avoid confusion and DNS issues. You log in to AADDS as domain\user (i.e. sub.domain.com\first.last, where your AD user is typically first.last@domain.com).
The domain you have on prem is a completely different domain from what AADDS uses. They are two separate domains with different user GUIDs. You sync to Azure AD, Azure AD syncs to AADDS but they don't share the same NTLM GUID.
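The two prerequisites raised in the thread so far, PHS being enabled (first reply) and the AADDS domain being a subdomain of the on-prem domain with users logging in as sub.domain.com\first.last (Robert's reply), can be checked from an admin workstation. The script below is an added example and is not code from the thread or from Microsoft; it assumes the MSOnline and Az PowerShell modules are installed, that you have already run Connect-MsolService and Connect-AzAccount, and that `corp.example.com` stands in for your verified on-prem UPN suffix. The function name `Test-AaddsNamingAndPhs` is made up for this example.

```powershell
# Added example, not from the original thread.
# Checks the two points discussed above:
#   1. Password Hash Synchronization is enabled for the tenant, so the
#      managed domain can validate synced users' credentials.
#   2. Each Azure AD DS managed domain name is a subdomain of the on-prem
#      UPN suffix, so first.last@corp.example.com maps cleanly to
#      aadds.corp.example.com\first.last and users are not confused.
# Assumptions: MSOnline and Az modules are loaded and you are signed in
# (Connect-MsolService, Connect-AzAccount); 'corp.example.com' is a placeholder.

param(
    [string]$OnPremUpnSuffix = 'corp.example.com'   # assumption: replace with your verified UPN suffix
)

function Test-AaddsNamingAndPhs {
    param([Parameter(Mandatory)][string]$OnPremSuffix)

    $result = [ordered]@{}

    # 1. Tenant-level PHS flag, exposed by the MSOnline module.
    #    Azure AD Connect sets this when the PHS option is enabled.
    $company = Get-MsolCompanyInformation
    $result.PasswordHashSyncEnabled = [bool]$company.PasswordSynchronizationEnabled

    # 2. Enumerate managed domains in the current subscription.
    #    The ARM resource name of a Microsoft.AAD/DomainServices resource
    #    is the managed domain's DNS name.
    $managed = Get-AzResource -ResourceType 'Microsoft.AAD/DomainServices'
    if (-not $managed) {
        $result.ManagedDomains = 'none found in the current subscription'
    }

    foreach ($d in $managed) {
        $name  = $d.Name.ToLower()
        $isSub = $name.EndsWith('.' + $OnPremSuffix.ToLower())

        $result["${name}_IsSubdomainOfOnPrem"] = $isSub
        # Logon format described in the thread: domain\user where domain is the AADDS DNS name.
        $result["${name}_ExpectedLogon"] = "$name\first.last"
        if (-not $isSub) {
            $result["${name}_Warning"] = "Managed domain is not under $OnPremSuffix; users will see an unfamiliar domain at the Windows logon prompt."
        }
    }

    if (-not $result.PasswordHashSyncEnabled) {
        $result.Warning_PHS = 'PHS is disabled: synced users cannot authenticate to the managed domain (unless you use the resource forest preview).'
    }

    [pscustomobject]$result
}

Test-AaddsNamingAndPhs -OnPremSuffix $OnPremUpnSuffix | Format-List
```

Run it once before building the managed domain and again after: the first run tells you whether PHS is on at all, the second whether the name you chose keeps the logon name users will type (sub.domain.com\first.last) visibly tied to their existing first.last@domain.com identity.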
- John Quile, Jan 17, 2020, Brass Contributor
So does that mean a user logging into an Azure resource or WVD that's authenticating against Azure AD DS is having to type a different username?
What is the point of Azure AD Connect syncing to Azure AD and that syncing to Azure AD DS?
John.Doe@domainA.com syncs to Azure AD as John.Doe@domainA.com. Why does it have to be John.Doe@sub.domainA.com on the second sync to Azure AD DS? That's not a true "sync" as I understand it...?