Hi Anant Bera,
For hybrid authentication in Azure Virtual Desktop, the domain names in on-premises Active Directory (AD) and Azure AD do not need to be identical, but matching them is usually the recommended approach. However, the user accounts must be synchronized between the two environments using tools like Microsoft Entra Connect (formerly Azure AD Connect). This ensures that either the UserPrincipalName (UPN) or Security Identifier (SID) matches across both systems for seamless hybrid identity functionality.
UPN Suffix Must Be a Verified Domain in Azure AD
- If on-prem AD uses a non-routable domain (e.g., corp.local), users' UPNs will sync to ******@tenant.onmicrosoft.com, which is not ideal for authentication.
- Solution: Change the UPN suffix to a routable domain that is verified in Azure AD (e.g., fabrikam.com).
- If the on-prem AD domain is corp.fabrikam.local, but Azure AD has fabrikam.com, users must have a UPN like ******@fabrikam.com in on-prem AD to sync properly.
- This prevents mismatched credentials and login issues.
https://learn.microsoft.com/en-us/azure/virtual-desktop/prerequisites?tabs=portal
If using Hybrid AD Join, AVD session hosts must be domain-joined to the on-premises Active Directory (AD). Azure AD DS is not a valid alternative for Hybrid AD Join. Azure AD DS is a managed domain service, but it does not support Hybrid AD Join.
Hybrid AD Join means devices are first joined to on-prem AD and then synchronized to Azure AD using Azure AD Connect.
AVD session hosts need direct communication with on-prem AD domain controllers to authenticate users and apply Group Policies.
Azure AD Connect does not sync devices from Azure AD DS, only from on-prem AD to Azure AD.
https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/azure-virtual-desktop/eslz-identity-and-access-management
Hope this helps!
Let me know if you have any further queries!
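As an added example (not part of the original answer): a read-only PowerShell audit that lists on-prem AD users whose UPN suffix is not one of the tenant's verified domains, which is exactly the condition under which Entra Connect syncs an account as ******@tenant.onmicrosoft.com. The verified-domain list and the fabrikam.com value are placeholders; nothing is modified.

```powershell
# Added example, not from the original answer. Lists enabled on-prem AD users whose
# UPN suffix is not a domain verified in Entra ID, i.e. accounts that would sync as
# user@tenant.onmicrosoft.com instead of a routable UPN. Read-only; changes nothing.
# Needs the RSAT ActiveDirectory module on a domain-joined machine.
#Requires -Modules ActiveDirectory

function Get-UpnSuffixMismatch {
    [CmdletBinding()]
    param(
        # Domains verified in the Entra ID tenant. Placeholder values; replace with
        # the real list, e.g. from (Get-MgDomain | Where-Object IsVerified).Id
        [Parameter(Mandatory)]
        [string[]]$VerifiedDomains,

        # Limit the audit to one OU (distinguished name); default is the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # DNS names are case-insensitive, so normalise before comparing.
    $verified = $VerifiedDomains | ForEach-Object { $_.ToLowerInvariant() }

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties UserPrincipalName, SamAccountName |
        ForEach-Object {
            $upn = $_.UserPrincipalName
            # A missing or malformed UPN can never match a verified domain; flag it.
            if ([string]::IsNullOrEmpty($upn) -or $upn -notmatch '@') {
                $suffix = $null
                $reason = 'UPN missing or malformed'
            } else {
                $suffix = $upn.Substring($upn.LastIndexOf('@') + 1).ToLowerInvariant()
                $reason = 'Suffix not verified in Entra ID'
            }
            if ($null -eq $suffix -or $suffix -notin $verified) {
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    UserPrincipalName = $upn
                    UpnSuffix         = $suffix
                    Reason            = $reason
                }
            }
        }
}

# Example usage (placeholder domain list):
# Get-UpnSuffixMismatch -VerifiedDomains 'fabrikam.com' | Format-Table -AutoSize
```

Run it before the first Entra Connect sync cycle and again after changing UPN suffixes; an empty result means every enabled user will sync with a routable UPN.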