Forum Discussion

HandA's avatar
HandA
Brass Contributor
Mar 25, 2019
Solved

Requirement to have an on-prem AD

Looking at the documentation, it seems an on premise AD is required for Windows Virtual desktop in Azure and Azure domain join is not supported. Can anyone confirm if that's definitely the case? It s...
  • Josh Bender's avatar
    Josh Bender
    Mar 25, 2019

    HandA

    on-prem AD is not required.


    AD requirements:
    Option 1: Domain controller that is synchronized with Azure Active Directory. The domain controller can be on-prem or in cloud. To synchronize with Azure Active Directory install Azure Active Directory Connect.
    Option 2: Azure AD Domain Services domain in Azure (automatically synced with Azure Active Directory)
Mike Amox's avatar
Mike Amox
Icon for Microsoft rankMicrosoft
Mar 27, 2019

Ron Howe 

 

A bit of both?  :)

The documentation says:

A Windows Server Active Directory in sync with Azure Active Directory. This can be enabled through:

  • Azure AD Connect
  • Azure AD Domain Services

 

The first (AD connect) is on-prem or cloud DC's you build yourself.

The second is telling you can forgo that and use Azure AD Domain Services (and won't have to configure AD connect to boot)

 

Arguably, this isn't clear enough, as it does leave room for confusion, and doesn't explicitly spell out each option for hybrid and cloud-only.

Ron Howe's avatar
Ron Howe
Copper Contributor
Mar 27, 2019

Mike Amox 

 

What about this part?

 

The Azure virtual machines you create for Windows Virtual Desktop must be:

  • https://docs.microsoft.com/microsoft-desktop-optimization-pack/appv-v4/domain-joined-and-non-domain-joined-clients or https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan. Virtual machines can't be Azure AD-joined.

 

  • Mike Amox's avatar
    Mike Amox
    Icon for Microsoft rankMicrosoft
    Mar 27, 2019

    Ron Howe 

    Hybrid-join means joining the machine to Active Directory, and then having those device objects synced with Azure AD Connect to Azure AD (with writeback).  One of a few ways of accomplishing this is joining the machine to a domain created in Azure Active Directory Domain Services (AAD-DS) - as that is Active Directory as a service, which is automatically synced to an Azure AD that you configure when you set up AAD-DS.

     

    Note: Azure Active Directory (Azure AD) is not the same thing as Azure Active Directory Domain Services (https://azure.microsoft.com/en-us/services/active-directory-ds/).

     

    While it is possible to join Windows 10 machines directly to Azure AD, and there are many great reasons to do that rather than joining or hybrid-joining with an Active Directory domain (particularly in a modern management environment), it is not supported for Windows Virtual Desktop.  The Windows Virtual Desktop service specifically requires that the machine is joined to an Active Directory Domain.

     

    • Roger_Cox's avatar
      Roger_Cox
      Copper Contributor
      Apr 09, 2019

      Mike AmoxI have just started working with Azure AD and now WVD. The future plans are WVD for a large percentage of our users. Right now i can't get the WVD to connect to AD. We have a hybrid AD with AD connect, but I don't have a DC in Azure or AAD DS currently. From what I have been reading I will have to set one of those up for WVD to join the domain. Correct? Or an Azure VPN to on-prem network. Ultimate goal is 100% cloud in the near future.

      • Christian_Montoya's avatar
        Christian_Montoya
        Icon for Microsoft rankMicrosoft
        Apr 09, 2019

        Roger_Cox : That is correct, you will either need to create an instance of Azure AD Domain Services or create a VPN/ExpressRoute to the on-prem network.

         

        We have gotten similar feedback of being "100% cloud" and we have an item in our backlog to support Azure AD Join VMs.

    • aferinga's avatar
      aferinga
      Copper Contributor
      Apr 09, 2019

      Mike Amox I currently have on premise AD synced to Azure AD with AAD Connect so right now this will work. I am in the process of migrating all workstations to AAD with the goal of decommissioning AD. All device & application management will be via cloud management tools. While I appreciate I could setup AAD DS this still requires domain joined or hybrid join, not something I am after & get the impression others are the same.

       

      Do you know if Microsoft has on the road map to support AAD joined devices only for WVD? 

       

      Thanks. 

      • LA99-999_'s avatar
        LA99-999_
        Copper Contributor
        Oct 23, 2019

        aferinga 

        I am currently syncing users and groups with password Hash sync (from on-prem ad to cloud)

        To deploy WVD do I also have to enable single sign-on and pass-trough authentication with AD Connect and having Domain services running in Azure?

         

    • Ron Howe's avatar
      Ron Howe
      Copper Contributor
      Mar 27, 2019
      So...

      "The Windows Virtual Desktop service specifically requires that the machine is joined to an Active Directory Domain."

      That means an on-premise Active Directory instance? Or can that be Azure Active Directory Domain Services?

      I guess I'll just have to try it out.
      • rpextech's avatar
        rpextech
        Copper Contributor
        Mar 28, 2019

        So i have on premise AD with AD connect syncing to Azure AD.  Then i created an Azure AD Domain instance and bound it to a VNET and then used that network to connect my Windows Virtual Desktop to and join that domain.  So its not joining azure AD directly but a fully synced Azure AD Domain services which is syncing with Azure AD.  So technically you arent joining Azure AD natively.

Resources