Does AVD Require the Same Domain as On-Prem and Azure AD?

Anant Bera 251 Reputation points
2025-04-02T12:17:48.82+00:00

Hi experts

I’m setting up Azure Virtual Desktop (AVD) with an on-premises Active Directory (AD) environment and want to confirm domain requirements.

  • Does AVD require the same domain name across on-prem AD and Azure AD for hybrid authentication?
  • If using Hybrid AD Join, do AVD session hosts need to be domain-joined to the on-prem AD, or is Azure AD DS a valid alternative?

Thanks

Azure Virtual Desktop
Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
1,846 questions
{count} votes

Accepted answer
  1. Mounika Reddy Anumandla 6,925 Reputation points Microsoft External Staff Moderator
    2025-04-02T13:13:23.0633333+00:00

    Hi Anant Bera,

    For hybrid authentication in Azure Virtual Desktop, the domain names in on-premises Active Directory (AD) and Azure AD do not need to be identical but it's usually the recommended approach. However, the user accounts must be synchronized between the two environments using tools like Microsoft Entra Connect (formerly Azure AD Connect). This ensures that either the UserPrincipalName (UPN) or Security Identifier (SID) matches across both systems for seamless hybrid identity functionality.

    UPN Suffix Must Be a Verified Domain in Azure AD

    • If on-prem AD uses a non-routable domain (e.g., corp.local), users' UPNs will sync to ******@tenant.onmicrosoft.com, which is not ideal for authentication.
    • Solution: Change the UPN suffix to a routable domain that is verified in Azure AD (e.g., fabrikam.com).
    • If the on-prem AD domain is corp.fabrikam.local, but Azure AD has fabrikam.com, users must have a UPN like ******@fabrikam.com in on-prem AD to sync properly.
    • This prevents mismatched credentials and login issues.

    https://learn.microsoft.com/en-us/azure/virtual-desktop/prerequisites?tabs=portal

    If using Hybrid AD Join, AVD session hosts must be domain-joined to the on-premises Active Directory (AD). Azure AD DS is not a valid alternative for Hybrid AD Join. Azure AD DS is a managed domain service, but it does not support Hybrid AD Join.

    Hybrid AD Join means devices are first joined to on-prem AD and then synchronized to Azure AD using Azure AD Connect.

    AVD session hosts need direct communication with on-prem AD domain controllers to authenticate users and apply Group Policies.

    Azure AD Connect does not sync devices from Azure AD DS—only from on-prem AD to Azure AD.https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-virtual-desktop/eslz-identity-and-access-management

    Hope this helps!

    Let me now if you have any further queries!

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.