![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 33%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
25,080 questions
Hello @Marouf Ali
Thank you for sharing your issue on Microsoft Q&A.
I understand you want clarification on Microsoft Domain Services.
Your understanding of "managed domain" and Microsoft Entra Domain Services (MEDS) is mostly on point, but let me refine it for clarity:
What is a Managed Domain?
A managed domain in the context of Microsoft Entra Domain Services refers to a fully managed version of a traditional Active Directory domain that is provided as a service in Azure. This domain is integrated with Microsoft Entra ID (formerly Azure AD).
It provides familiar Active Directory domain features like domain join, LDAP, Group Policy, Kerberos, and NTLM authentication. However, unlike on-premises AD domains, you don’t manage the Domain Controllers (DCs) directly; Microsoft does that for you.
Key Features of Microsoft Entra Domain Services:
- Virtual Domain/Domain-Like Instance:
- It functions as a "domain-like" service in Azure. While not exactly equivalent to a traditional on-prem AD domain, it provides the infrastructure required for legacy and hybrid apps that depend on classic AD protocols.
- It is tightly integrated with a virtual network (VNet), meaning that resources within this VNet (or peered VNets) can leverage the managed domain.
- Purpose for Legacy Applications:
- Primary Use Case: MEDS is mostly used for legacy apps that rely on AD protocols (like LDAP or NTLM/Kerberos) and can’t be modernized to use Microsoft Entra ID directly.
- Apps that require domain-joined VMs or group policy support can also utilize MEDS.
- Management and Functionality:
- Fully Managed by Microsoft: Microsoft handles replication, updates, patching, and high availability of the domain controllers. You don’t have administrative access to the DCs.
- Limited Admin Functionality: Compared to on-premises AD or a self-managed AD domain in Azure, MEDS has restricted functionality:
- No schema extensions.
- No direct DC management.
- Limited Group Policy Configuration.
- Integration with VNet:
- A managed domain is deployed into an Azure VNet. Resources in the same VNet or peering VNets can interact with the managed domain, such as joining VMs to the domain or using LDAP for authentication.
What a Managed Domain is NOT:
It’s not an instance of Microsoft Entra ID:
- While closely integrated with Microsoft Entra ID, MEDS is distinct. Microsoft Entra ID serves as the identity management platform and synchronizes user accounts and group data with the managed domain. However, it doesn't directly provide the "domain" functionalities that MEDS offers.
It’s not a replacement for full-fledged AD:
- MEDS is a complement to Microsoft Entra ID to support legacy workloads. It doesn't aim to replace the full capabilities of a traditional Active Directory domain, especially if you need features like fine-grained administrative control, schema modifications, or custom domain controllers.
Summary of Your Statements:
"A virtual domain or instance of Microsoft Entra ID?":
- MEDS is not an instance of Microsoft Entra ID. It is a managed version of an Active Directory domain, deployed on Azure infrastructure and integrated with Microsoft Entra ID.
"Resources grouped and managed by Azure using VNet?":
- Correct. MEDS is deployed into and managed within an Azure VNet. "Mostly for legacy apps and doesn't have much functionality?":
- Correct to an extent. While MEDS is primarily for legacy apps, it offers specific functionality (like domain join, LDAP, Kerberos) for scenarios where Microsoft Entra ID alone isn't sufficient. However, its capabilities are indeed limited compared to a traditional AD domain.
Let me know if you'd like more clarification!
Siri