How can use Entra Domain Services and Intune

Question

How can use Entra Domain Services and Intune

Greg Bonk 86

I want to be able to automatically mount an Azure Storage Account file share over SMB. This is with windows 10 images that I'm building.

The way I know how to do it is to use a Domain Service, which I'm attempting with Entra Domain Services.

My Storage account is connected to for File shares has Microsoft Entra Domain Services enabled.

I am also Domain Joining my VM ( to Microsoft Entra Domain Services as well ) when I create it.

This combination works great. I Remote Desktop in, and the mappings for the azure file shares can connect automatically without any interaction by me.

BUT..... I am also trying to use Microsoft Intune so I can apply the multi app Kiosk mode. To use intune, I have to have my devices register in Microsoft Entra ID, which means I can't connect to use the Entra Domain Services.

If I register my VMs with Entra Domain Services, then Intune can not see my devices because they are not AAD Joined.

I'm hoping to get the best of both worlds here. The Entra Domain Services authentication integration AND device registration and using Intune to apply the multi-app Kiosk mode.

I've been looking at 'Device Writeback' options like "Entra Sync' and 'cloud sync' but they seem to have limited ability or be primarily for on premise active directory.

My Preference is how do I AUTOMATICALLY register a domain joined VM into Entra ID?

Alternatively, can I have a powershell script run in the background when a user logs in to an Entra ID (AAD) joined device and be able to auto mount the remote shares WITHOUT any user interaction?

Anand Prakash Yadav 7,855 Reputation points Microsoft External Staff

2024-01-09T11:33:23.51+00:00

Hello Greg Bonk,

Thank you for posting your query here!

Devices joined to AAD-DS cannot be managed via Intune as there is no hybrid identity.

I know this is a different solution but alluded to here for AVD: https://learn.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop-multi-session

If you're joining session hosts to Azure Active Directory Domain Services, you can't manage them using Intune.

We use AAD-DS for other purposes e.g. LDAP and for managing Windows servers in Azure. You need to either migrate to AAD only or hybrid identity via AAD connect.

Please let us know if you have any further queries. I’m happy to assist you further.
Greg Bonk 86 Reputation points

2024-01-09T13:38:50.08+00:00

I wanted to use AAD Connect but we are 100% cloud and azure. We don’t have an on-premise AD available. I’m not keen on hosting my own either in Azure.

This is frustrating because creating a Hybrid join i believe is ‘theoretically’ possible for users of AADDS but AAD sync and cloud sync don’t support AADDS.

Could I implement my own device write back with PowerShell, system identifies, and Microsoft Graph ?

Azure’s documentation about AADDS suggests its use is primarily for “legacy apps that don’t support modern authentication”

If AADDS is just a stopgap for legacy then why would Azure rely on it for share level permissions ?

Now the question that I have is, How do I setup and connect to an Azure Storage Account Fileshare and be able to use folder level access control with Entra Id only?
Greg Bonk 86 Reputation points

2024-01-09T13:49:31.2166667+00:00

Reviewing “Comparison between Microsoft Entra Connect and cloud sync”

the table says that Entra Connect does say “Microsoft Entra Domain Services support” but I don’t understand what that means. How can I do device writeback with only AADDS?

Cloud sync, in the column for Device Writeback says “Customers should use Cloud Kerberos trust for this moving forward”. Is this a possibility? I read the Cloud Kerberos Trust link but it’s way over my head.
Anand Prakash Yadav 7,855 Reputation points Microsoft External Staff

2024-01-12T12:32:47.93+00:00

Azure Files supports identity-based authentication for Windows file shares over Server Message Block (SMB) using the Kerberos authentication protocol through the following three methods: > - On-premises Active Directory Domain Services (AD DS) > - Azure Active Directory Domain Services (Azure AD DS) > - Azure Active Directory (Azure AD) Kerberos for hybrid user identities.

Additional references:

Use Microsoft Entra Domain Services to authorize user access to Azure Files over SMB | Microsoft Learn

https://learn.microsoft.com/en-ca/azure/storage/files/storage-files-active-directory-overview#ad-ds

Also, as per the following article: https://learn.microsoft.com/en-us/entra/identity/domain-services/synchronization#objects-that-are-not-synchronized-to-your-azure-ad-tenant-from-your-managed-domain

‘No synchronization occurs from Domain Services back to Microsoft Entra ID.’
Anand Prakash Yadav 7,855 Reputation points Microsoft External Staff

2024-01-15T12:44:19.98+00:00

Just checking in to see if the above answer helped. And, if you have any further query do let us know.

1 answer

Your answer

Anand Prakash Yadav 7,855 Reputation points Microsoft External Staff

2024-01-09T11:33:23.51+00:00

Hello Greg Bonk,

Thank you for posting your query here!

Devices joined to AAD-DS cannot be managed via Intune as there is no hybrid identity.

I know this is a different solution but alluded to here for AVD: https://learn.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop-multi-session

If you're joining session hosts to Azure Active Directory Domain Services, you can't manage them using Intune.

We use AAD-DS for other purposes e.g. LDAP and for managing Windows servers in Azure. You need to either migrate to AAD only or hybrid identity via AAD connect.

Please let us know if you have any further queries. I’m happy to assist you further.
Greg Bonk 86 Reputation points

2024-01-09T13:38:50.08+00:00

I wanted to use AAD Connect but we are 100% cloud and azure. We don’t have an on-premise AD available. I’m not keen on hosting my own either in Azure.

This is frustrating because creating a Hybrid join i believe is ‘theoretically’ possible for users of AADDS but AAD sync and cloud sync don’t support AADDS.

Could I implement my own device write back with PowerShell, system identifies, and Microsoft Graph ?

Azure’s documentation about AADDS suggests its use is primarily for “legacy apps that don’t support modern authentication”

If AADDS is just a stopgap for legacy then why would Azure rely on it for share level permissions ?

Now the question that I have is, How do I setup and connect to an Azure Storage Account Fileshare and be able to use folder level access control with Entra Id only?
Greg Bonk 86 Reputation points

2024-01-09T13:49:31.2166667+00:00

Reviewing “Comparison between Microsoft Entra Connect and cloud sync”

the table says that Entra Connect does say “Microsoft Entra Domain Services support” but I don’t understand what that means. How can I do device writeback with only AADDS?

Cloud sync, in the column for Device Writeback says “Customers should use Cloud Kerberos trust for this moving forward”. Is this a possibility? I read the Cloud Kerberos Trust link but it’s way over my head.
Anand Prakash Yadav 7,855 Reputation points Microsoft External Staff

2024-01-12T12:32:47.93+00:00

Azure Files supports identity-based authentication for Windows file shares over Server Message Block (SMB) using the Kerberos authentication protocol through the following three methods: > - On-premises Active Directory Domain Services (AD DS) > - Azure Active Directory Domain Services (Azure AD DS) > - Azure Active Directory (Azure AD) Kerberos for hybrid user identities.

Additional references:

Use Microsoft Entra Domain Services to authorize user access to Azure Files over SMB | Microsoft Learn

https://learn.microsoft.com/en-ca/azure/storage/files/storage-files-active-directory-overview#ad-ds

Also, as per the following article: https://learn.microsoft.com/en-us/entra/identity/domain-services/synchronization#objects-that-are-not-synchronized-to-your-azure-ad-tenant-from-your-managed-domain

‘No synchronization occurs from Domain Services back to Microsoft Entra ID.’
Anand Prakash Yadav 7,855 Reputation points Microsoft External Staff

2024-01-15T12:44:19.98+00:00

Just checking in to see if the above answer helped. And, if you have any further query do let us know.

Answer 1

@Greg Bonk, Thanks for posting in Q&A. From your description, it seems you want to enroll Windows 10 virtual machine into Intune. In General, Intune supports managing virtual machines running Windows 10 Enterprise with certain limitations. For example, it is not recommended to use Intune to manage on-demand, session-host virtual machines and etc. Here are some links for your reference.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/windows-10-virtual-machines

https://learn.microsoft.com/en-us/mem/intune/fundamentals/azure-virtual-desktop

You can check if your virtual machine belongs to the above situations.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Share via

How can use Entra Domain Services and Intune

1 answer

Your answer