Azure AD Domain Services and Exchange online relationship

Lando 1 Reputation point
2020-12-29T18:02:55.72+00:00

I have an environment that has no on-premises AD, but is using Exchange Online for email, and I see the email users in Azure Active Directory.
It seems that the best path would be to Azure domain join computers to the existing Azure Active Directory, then manage these devices via Microsoft Endpoint Manager and skip any on-premises AD setup. (Or at least test this option to see if it meets their needs.)

I'm trying to understand the relationship between Exchange Online and Azure Active Directory.
Is Azure Active Directory created automatically when Exchange Online is set up for a tenant?
And then is Azure AD Domain Services created as well?

Thanks for your help.


2 answers

  1. Andreas Baumgarten 124K Reputation points MVP Volunteer Moderator
    2020-12-29T20:54:18.993+00:00

    If you set up Exchange Online, an Azure tenant with an Azure Active Directory (AAD) is created/deployed as well.
    For Exchange Online, an AAD is mandatory.

    The Azure Active Directory Domain Services (AADDS) are not created automatically. The AADDS is not required for Exchange Online.


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten


  2. Jon Alfred Smith 541 Reputation points
    2020-12-29T21:30:52.92+00:00

    No Azure AD is created. When Andreas Baumgarten talks about "created", I believe he means configured. Azure AD is a shared resource, the backbone for Microsoft's three cloud platforms (Microsoft / Office 365, Azure and Dynamics 365). It's called Identity as a Service, your next-generation Active Directory.

    The concept of tenant means that you rent a small part of Azure AD. What happens in the background is that your tenant, your small portion of Azure AD, is set up with strong isolated security. This architecture is called multi-tenancy. (Local AD is single-tenancy, at least for most of the time.) Such an approach is used by all cloud providers, Dropbox, Salesforce etc.

    Azure AD does much of the same things as your local Windows AD DS. But it has no group policies. Make sure you sign up for a license with Intune and Azure AD Premium P1 for conditional access. Then you have Intune with MDM/MAM, in practical terms Configuration Manager for the cloud, combined with group policies for the cloud. Microsoft 365 Business Premium is a good and cost-effective choice.

    You might wonder: Is the schema for Exchange Online extended in Azure AD? No. Exchange uses its own directory store: Exchange Online Directory Services (EXODS). Same thing for Skype and SharePoint. These stores communicate with Azure AD and use it for authentication and so on. Perhaps a bit over-simplified, but you'll get the idea.

    You should definitely Azure AD-join your computers and have them enrolled in Microsoft Intune, part of Microsoft Endpoint Manager. Your IT life will never be the same again.
