Forum Discussion
WVD setup with Azure AD DS and Multiple Custom Domains
- Jun 16, 2020
Multiple Custom Domains is different from Azure AD Domain Services. Custom domains are DNS domain names that you have associated with your Azure tenant. Azure AD Domain Services is an Active Directory domain name hosted for you by Microsoft. It provides legacy authentication like LDAP, Kerberos, and NTLM. It also provides domain join capabilities (not Azure AD Join) that are common with on-premises Active Directories. The users created in the managed domain (Azure AD Domain Services) arrive through a one-way synchronization from Azure AD. All the users and groups in your tenant are synced in the managed domain and have the same user principal name as they do in Azure. So, it doesn't matter if they are from alpha, beta, or gamma domains. If the user has been created in your Azure AD tenant (cloud user) or synced from your on-premises domains and forests through AAD Connect, then the user can authenticate to the managed domain (you just need to ensure those users have RDP access to the virtual machines or WVD sessions).
Hope that helps
Mike Stephens
Senior Program Manager
Azure Identity
IAM Core | Domain Services
Newly created cloud users do not sync to the managed domain until the user has changed their password. In Azure, when you create a new user, the user is assigned a default password and is forced to change it on the next sign-in. AAD DS will not sync the user until they change their password. Password complexity is entirely handled on the Azure AD side.
I have a question on a similar setup: we have an AADDS with xyz.com, and the AVD session hosts are joined to it. We have custom domains a.com, b.com, c.com and so on; each custom domain is for one of our customers, and we have different host pools for each of them, with assignments also done according to their respective custom domain name ID. Now the question is: we do not want a user of company A to be able to check the Azure AD or list Azure AD users, even from PowerShell. I created a conditional access policy by which I could completely block access, but can we define a scope by which the users of company A can only see their own users, maybe via PowerShell, and a company B user can only see company B users? Let me know if this makes sense, or whether a tenant each for one company would be ideal.
P.S. Company users are external users.