Users connecting to DC in Azure VM without access to S2S VPN

michal 191 Reputation points
2023-02-15T11:30:16.99+00:00

Hello...

I'm trying to understand, or get some advice on, how to deal with the scenario below:

  • DC is running on a VM in Azure
  • AD is syncing to AAD using Azure AD Connect
  • an S2S VPN is created from the main office to Azure
  • remote users connect via remote VPN to the office FW and from there, via the S2S VPN, they reach the DC

All is working fine when in the office... The problem is for remote users (remote office). I got into situations where a user changed a password and forgot it... or a spare laptop (after an employee left) was going to be used for another user. In both scenarios the laptop/user needs to be connected to a VPN first so that they can reach the DC in Azure.... However, because those users did not know the credentials, they were not able to connect to the VPN so that they could get synced with the DC.

What is the best way to approach these situations, please? How should I deal with it? ... Is there a way for Windows credentials to be taken directly from AAD without needing to go through AD?


3 answers

  1. Limitless Technology 44,766 Reputation points
    2023-02-16T11:30:11.8766667+00:00

    Hi. Thank you for your question and for reaching out. I'd be more than happy to help you with your query.

    If you have users connecting to a Domain Controller (DC) in an Azure virtual machine (VM) without access to a Site-to-Site (S2S) VPN, you can enable the Remote Desktop Protocol (RDP) on the VM and use a secure RDP connection to access the DC. You can also use the Azure Bastion service, which provides secure and seamless RDP and SSH access to VMs in the virtual network from the Azure portal. Additionally, you can use Azure Active Directory (Azure AD) or Windows Server Active Directory Federated Services (ADFS) for authentication and authorization for users connecting to the DC.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.


  2. Limitless Technology 44,766 Reputation points
    2023-02-16T11:38:16.14+00:00

    Double post


  3. michal 191 Reputation points
    2023-02-16T18:29:07+00:00

    Hi... thanks for trying to help....

    Not sure if I explained my scenario properly -> I do not need users to RDP to the DC.... I need them to reach AD on that DC to sync the password, for example, when they forget it and I reset the password in AD. Because they can reach the DC (AD) only when connected to the remote SSL VPN, it is quite useless for those situations, as they cannot log in to Windows (if they forgot their passwords) to run the SSL client to get the "reset" password synced to their machine...
