Requirement to have an on-prem AD


Looking at the documentation, it seems an on-premises AD is required for Windows Virtual Desktop in Azure and Azure AD domain join is not supported. Can anyone confirm if that's definitely the case? It seems poor to have a new cloud service launched that has a dependency on on-premises AD.

37 Replies

@gerry_1974 gerry_1974  Right now, that seems to be the case. In my proof of concept environment, I am running an AD DS server in my Azure tenant, then joining my host pool to that domain through the Windows Virtual Desktop offering. Although at first I was still getting failures with my deployment, even with the AD DS domain existing and the session hosts successfully joining. What fixed this for me, was connecting my AD DS server to AD Connect. I think AD Connect has to be actively syncing and connected to Azure AD for this to work right now due to the interaction it has with the Azure AD users (granting them access to the pool, etc). I went through this bit-by-bit and this is what got me a working deployment (DSC failures on the session host otherwise). 



on-prem AD is not required.

AD requirements:
Option 1: Domain controller that is synchronized with Azure Active Directory. The domain controller can be on-prem or in cloud. To synchronize with Azure Active Directory install Azure Active Directory Connect.
Option 2: Azure AD Domain Services domain in Azure (automatically synced with Azure Active Directory)
Does appear to be the case; however, I did deploy using Azure AD Domain Services on a VNet, and on my existing on-premises AD with Azure AD Connect I followed these steps to sync the password hashes.

@Josh Bender

I don't understand your response.  Per


Your infrastructure needs the following things to support Windows Virtual Desktop:

  • An Azure Active Directory
  • A Windows Server Active Directory in sync with Azure Active Directory. This can be enabled through:
    • Azure AD Connect
    • Azure AD Domain Services
  • An Azure subscription, containing a virtual network that either contains or is connected to the Windows Server Active Directory

The Azure virtual machines you create for Windows Virtual Desktop must be:


I would like to avoid any and all on-premises requirements and simply have an Azure Active Directory with Azure Active Directory Domain Services enabled with Windows Virtual Desktop virtual machines automatically domain-joined to that instance.  Completely cloud.  Nothing physical.


Is this possible ?

@Ron Howe 

Yes.  This is possible.  Josh was correct.


If you want cloud-only, you can either stand up a couple of DC's on VM's in the cloud, or use Azure Active Directory Domain Services, with either synced with Azure AD.  Either will work.


@Mike Amox 


Thanks, Mike.


Am I misunderstanding the documentation?  Or is the documentation inaccurate or poorly worded?

@Ron Howe 


A bit of both?  :)

The documentation says:

A Windows Server Active Directory in sync with Azure Active Directory. This can be enabled through:

  • Azure AD Connect
  • Azure AD Domain Services


The first (AD Connect) is on-prem or cloud DCs you build yourself.

The second is telling you that you can forgo that and use Azure AD Domain Services (and you won't have to configure AD Connect, to boot).


Arguably, this isn't clear enough, as it does leave room for confusion, and doesn't explicitly spell out each option for hybrid and cloud-only.

@Mike Amox 


What about this part?


The Azure virtual machines you create for Windows Virtual Desktop must be:


@Ron Howe 

Hybrid-join means joining the machine to Active Directory, and then having those device objects synced with Azure AD Connect to Azure AD (with writeback).  One of a few ways of accomplishing this is joining the machine to a domain created in Azure Active Directory Domain Services (AAD-DS) - as that is Active Directory as a service, which is automatically synced to an Azure AD that you configure when you set up AAD-DS.


Note: Azure Active Directory (Azure AD) is not the same thing as Azure Active Directory Domain Services (


While it is possible to join Windows 10 machines directly to Azure AD, and there are many great reasons to do that rather than joining or hybrid-joining with an Active Directory domain (particularly in a modern management environment), it is not supported for Windows Virtual Desktop.  The Windows Virtual Desktop service specifically requires that the machine is joined to an Active Directory Domain.



"The Windows Virtual Desktop service specifically requires that the machine is joined to an Active Directory Domain."

That means an on-premise Active Directory instance? Or can that be Azure Active Directory Domain Services?

I guess I'll just have to try it out.

@Ron Howe I got it to work with only Azure AD and Azure AD DS together. 

I started with an Azure AD and added/verified a custom domain.

I created an admin in this custom domain.

I then added Azure AD DS referring to the custom domain

I changed the password of my domain admin to allow it to sync with Azure AD DS.

I verified that I could join a workgroup Windows Server to Azure AD DS with my admin.

Adding the host pool to the domain and adding users to the domain worked fine.

Testing to connect with assigned users worked ok 

No need for any on premise domain in my case.

So I have on-premises AD with AD Connect syncing to Azure AD. Then I created an Azure AD Domain Services instance and bound it to a VNet, and then used that network to connect my Windows Virtual Desktop to and join that domain. So it's not joining Azure AD directly but a fully synced Azure AD Domain Services instance which is syncing with Azure AD. So technically you aren't joining Azure AD natively.


You don't need to actually have the Azure AD and the local Active Directory synced at all (at least with regards to AD Connect). I was able to get everything moving by just adding the Azure AD UPN Suffix (e.g. <tenantname> to my Local Active Directory and creating a user whose UPN matches my Azure AD User (e.g. <user>@<tenantname> 


Yes, I ended up being prompted twice for credentials, once for opening the feed and again for logging into the server, but the end result was a successful connection without having to Sync the ADs.

That's a hybrid domain join, as you joined an Active Directory domain, not an Azure AD join. That is supported.

@smithanc : If this works right now, then great! However, we only support when there is a true synchronization between Azure AD and the local Windows Server AD: either through Azure AD Connect, Azure AD Domain Services, or through federation.

@christianmontoya Understood, but hopefully you extend support to other models such as the one I have done in my PoC. Otherwise, my main use case right now for WVD is broken, as I am looking to use WVD to provide VM access to isolated VMs that are located in an Azure VNet which does not have any public IP address associated with any NIC within that VNet.


We looked into using RDS with Azure AD Application Proxy but ran into a blocker that it only worked with ActiveX and therefore only on Windows Machines running IE 11.


Otherwise, we will have to turn to the Citrix cloud.

@Mike Amox I currently have on premise AD synced to Azure AD with AAD Connect so right now this will work. I am in the process of migrating all workstations to AAD with the goal of decommissioning AD. All device & application management will be via cloud management tools. While I appreciate I could setup AAD DS this still requires domain joined or hybrid join, not something I am after & get the impression others are the same.


Do you know if Microsoft has on the road map to support AAD joined devices only for WVD? 



@Mike Amox I have just started working with Azure AD and now WVD. The future plans are WVD for a large percentage of our users. Right now I can't get the WVD to connect to AD. We have a hybrid AD with AD Connect, but I don't have a DC in Azure or AAD DS currently. From what I have been reading I will have to set one of those up for WVD to join the domain. Correct? Or an Azure VPN to the on-prem network. Ultimate goal is 100% cloud in the near future.

@Roger_Cox : That is correct, you will either need to create an instance of Azure AD Domain Services or create a VPN/ExpressRoute to the on-prem network.


We have gotten similar feedback of being "100% cloud" and we have an item in our backlog to support Azure AD Join VMs.



Hi, I am just curious how you got it to work with AAD DS. My deployment keeps on failing on /dscextension with the error:

"PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service."


Everywhere I have been searching says it's not possible with AADDS.


thanks for the help


@Stavros Mitchell 

Hi Stavros,


I do not think I did anything special. I simply followed the steps to add AADDS in a very detailed fashion. (I assume you also have done that and verified that you can join a computer to the domain)


FYI: I am using Windows Server 2016 Datacenter as the base for my session host image.


I then followed the detailed steps in Tutorial.

(Go back and re-read and make sure you have not missed any steps.)


FYI: I used the following options

- Shared desktop

- 2 VM

- Pretty much default all the way.


I have tested many times and never had any problems even when moving to ARM Template use.


Again, very hard to speculate on what problem you may be hitting, but maybe it is not related to AADDS use.


Hope this can help in some small way.



Thanks for your quick reply. The only thing I am doing differently is that I was using Windows 10 Enterprise multi-session instead of the Server 2016 Datacenter you are using. I wonder if that could be causing the issue.

@Stavros Mitchell : It should not matter which OS you're basing it off of. With the error you're hitting, make sure that you can install the PowerShell locally and connect with the same username or service principal. If it's a user and requires MFA, then deploying the Azure Marketplace offering will fail because MFA cannot happen in the background.

@Josh Bender 


Thanks. I have this working now using Azure ADDS. Documentation seemed a bit unclear when I first looked at it

How were you able to get the machine to connect to the domain? Mine failed on domain join; I'm wondering if I can somehow do it manually.


@gerry_1974  Did you get it to work without need of on-premise AD or AD Connect?

I keep getting the following deployment fail error:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see for usage details.","details":[{"code":"Conflict","message":"{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported a failure when processing extension 'joindomain'. Error message: \\\"Exception(s) occured while joining Domain ''\\\".\"\r\n }\r\n ]\r\n }\r\n}"}]}

@Alberto Rodriguez : Do you have access to those VMs? If you can RDP into them, please look at C:\Packages and navigate down to the JsonADDomainExtension folder, you should be able to find a "status" file (or equivalent). If you open it up, it will typically give you the reason that it errored out. Unfortunately, I do not have too many details at the moment because the documentation on the extension is fairly light.

@christianmontoya [{"version":"1","timestampUTC":"2019-05-02T15:37:19.805151Z","status":{"name":"ADDomainExtension","operation":"Join Domain/Workgroup","status":"error","code":1,"
formattedMessage":{"lang":"en-US","message":"Exception(s) occured while joining Domain ''"},"substatus":[{"name":"JoinDomainException for Option 3 meaning 'User Specified'","status":"error","code":1,"formattedMessage":{"lang":"en-US","message":"ERROR - Failed to join domain='', ou='', user='', option='NetSetupJoinDomain, NetSetupAcctCreate' (#3 meaning 'User Specified'). Error code 1326"}},{"name":"JoinDomainException for Option 1 meaning 'User Specified without NetSetupAcctCreate'","status":"error","code":1,"formattedMessage":{"lang":"en-US","message":"ERROR - Failed to join domain='', ou='', user='', option='NetSetupJoinDomain'
(#1 meaning 'User Specified without NetSetupAcctCreate'). Error code 1909"}}]}}]
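An added example (not code from this thread or from Microsoft) that reads the status file Christian points to above and decodes the Win32 error codes quoted in Alberto's reply; the `Plugins\Microsoft.Compute.JsonADDomainExtension` path is an assumption based on the extension's usual layout, and the embedded status JSON is constructed from the one posted above.

```powershell
# Added example, not code from this thread. Parses a JsonADDomainExtension
# status file and translates the Win32 error codes in its substatus messages.

function Get-DomainJoinFailure {
    param([Parameter(Mandatory)][string]$StatusJson)

    # The status file is a JSON array; @() keeps this working whether
    # ConvertFrom-Json returns the array whole (PS 5.1) or enumerates it (PS 7).
    foreach ($entry in @($StatusJson | ConvertFrom-Json)) {
        foreach ($sub in @($entry.status.substatus)) {
            $msg  = $sub.formattedMessage.message
            $code = $null
            if ($msg -match 'Error code (\d+)') { $code = [int]$Matches[1] }
            [pscustomobject]@{
                Timestamp = $entry.timestampUTC
                Attempt   = $sub.name
                ErrorCode = $code
                # Win32Exception resolves the code to the system error text
                # (1326 = bad user name or password, 1909 = account locked out)
                Meaning   = if ($null -ne $code) { ([ComponentModel.Win32Exception]$code).Message } else { 'n/a' }
                Message   = $msg
            }
        }
    }
}

function Get-DomainJoinFailureFromVm {
    # Assumed location on a session host: the extension writes its status files
    # under C:\Packages\Plugins\Microsoft.Compute.JsonADDomainExtension\<version>\Status
    $root = 'C:\Packages\Plugins\Microsoft.Compute.JsonADDomainExtension'
    Get-ChildItem -Path $root -Recurse -Filter '*.status' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-DomainJoinFailure -StatusJson (Get-Content -Raw -Path $_.FullName) }
}

# Constructed sample, modelled on the status posted in this thread, so the
# parser can be tried without a failed deployment at hand.
$sampleStatus = @'
[{"version":"1","timestampUTC":"2019-05-02T15:37:19.805151Z","status":{"name":"ADDomainExtension",
"operation":"Join Domain/Workgroup","status":"error","code":1,
"formattedMessage":{"lang":"en-US","message":"Exception(s) occured while joining Domain ''"},
"substatus":[
 {"name":"JoinDomainException for Option 3","status":"error","code":1,
  "formattedMessage":{"lang":"en-US","message":"ERROR - Failed to join domain='', ou='', user='', option='NetSetupJoinDomain, NetSetupAcctCreate' (#3 meaning 'User Specified'). Error code 1326"}},
 {"name":"JoinDomainException for Option 1","status":"error","code":1,
  "formattedMessage":{"lang":"en-US","message":"ERROR - Failed to join domain='', ou='', user='', option='NetSetupJoinDomain' (#1 meaning 'User Specified without NetSetupAcctCreate'). Error code 1909"}}
]}}]
'@

Get-DomainJoinFailure -StatusJson $sampleStatus | Format-Table Attempt, ErrorCode, Meaning -AutoSize
```

Besides the error codes, the empty `domain=''` and `user=''` in the posted messages are themselves worth checking against the host pool's domain-join parameters.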



This worked for me - after adding a custom domain and changing the admin user from the address.



I think you are getting this error because the User which you provided as tenant Admin while deploying the host pool is not yet added to Windows Virtual Desktop Application as a tenant creator.
You can check if the user is already added from here:
Go to Active Directory -> Enterprise Applications -> Windows Virtual Desktop -> Users and groups

I am currently syncing users and groups with password Hash sync (from on-prem ad to cloud)

To deploy WVD, do I also have to enable single sign-on and pass-through authentication and have Domain Services running in Azure?


I am currently syncing users and groups with password Hash sync (from on-prem ad to cloud)

To deploy WVD, do I also have to enable single sign-on and pass-through authentication with AD Connect and have Domain Services running in Azure?


@LA99-999_ : If you are using password hash sync, you should be good to go. Because you are already syncing the password hashes, you can choose either of the two options for your Active Directory in your virtual network:

a. Connect your network to your on-premises infrastructure with an ExpressRoute or Site-to-Site VPN, then domain-join your VMs to that Active Directory.

b. Enable Azure AD Domain Services in your Azure subscription, then domain-join your VMs to that Active Directory.

@christianmontoya @Josh Bender @Mike Amox 
If we choose option "b.", does the scenario support hybrid Azure AD join for the VMs joined to Azure AD DS ?
According to documentation for Azure AD Domain Services it is not supported to sync from Azure AD DS to Azure AD.


Any news on support for "100% cloud"? Would love to see this :)

@Marcel Biebricher : No, it does not. VMs domain-joined to the Azure AD DS instance cannot be configured to be hybrid, as Azure AD DS does not allow that.


We're continuing to investigate the "100% cloud" scenario, but nothing to report at this time.
