How to setup the Microsoft Entra Domain Services in Azure along with enabling LDAP so that users can login from LDAP enabled applications and can be authenticated using Azure ?

Question

How to setup the Microsoft Entra Domain Services in Azure along with enabling LDAP so that users can login from LDAP enabled applications and can be authenticated using Azure ?

Neelesh Srivastava 0

I am trying to setup the Microsoft Entra Domain Services. So that users can be authenticated from LDAP to use any third party service like git, etc. Below are the steps I followed:

Created the private virtual net
Created the Entra Domain Services in that domain
Created VM (Please let me know if it is not necessary for my requirement)

But I am unable to accomplish the above requirement.

Sakshi Devkante 4,400 Reputation points Microsoft External Staff Moderator

2025-05-15T16:36:22.82+00:00

Hello Neelesh Srivastava,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others.
Neelesh Srivastava 0 Reputation points

2025-05-16T03:51:29.85+00:00
Hi Sakshi,

Thanks for response, but still I am not able to do the setup.

Untill step 4 , it is fine and setup is also understandable , and also have openend 636 for aads NSG but after that I have few query:

From where to enable the password hash for users.There is no option to enable it.

Will password hash only available after enabling LDAPS?

I don't want any VM setup. Will the services of LDAP (proper authentication) work fine without it, and how should I manage the user and group policies without VM, like password strength rule and etc.

FYI: I am using the Standard SKU
Sakshi Devkante 4,400 Reputation points Microsoft External Staff Moderator

2025-05-16T17:42:23.9+00:00

Hello Neelesh Srivastava

1.From where to enable the password hash for users. There is no option to enable it? Password hash sync is not manually enabled per user. It is automatically handled by the type of user and how they are created: Enable password synchronization in Microsoft Entra Domain Services for hybrid environments

For cloud-only users (users created directly in Entra ID) Password hashes for NTLM and Kerberos are not initially available when AADS is provisioned. To generate them, users must reset their passwords after AADS is enabled.

Ask users to reset their password (via self-service or admin reset) this causes Entra ID to generate and store the password hashes required by AADS for LDAP/Kerberos authentication.

For hybrid users (synced from on-prem AD via Entra Connect) You must enable Password Hash Synchronization in the Entra Connect tool. This is configured in the Entra Connect setup wizard or modified later. https://learn.microsoft.com/en-us/entra/identity/domain-services/synchronization

In your case (cloud-only and no VM), you simply need to reset the users' passwords.

2.Will password hash only be available after enabling LDAPS? No, enabling LDAPS and password hash availability are independent. LDAPS (Secure LDAP) is for encrypted LDAP access (port 636). Password hash availability is required for LDAP/Kerberos authentication to work at all. So, enabling LDAPS doesn’t trigger password hash sync password reset is what triggers the necessary hash generation for cloud users.

3.I don't want any VM setup. Will the services of LDAP work fine without it? Yes, you do not need a VM for LDAP authentication to work.

However, you’ll need to ensure Third-party apps (like Git) can resolve the AADS domain name using the correct DNS.

Apps are either in the same VNet (and thus reach AADS directly over LDAP/LDAPS) or configured to connect to AADS securely via LDAPS over the public internet (port 636 must be open, and cert must be valid). If no VM is used, you’ll manage and test everything externally makes sure apps have Access to the correct DNS to resolve AADS, The right bind DN (usually CN=UserName,CN=Users,DC=yourdomain,DC=com), Secure connection (LDAPS)

4.How should I manage the user and group policies without VM, like password strength rule and etc.? This is a key difference between AADS and traditional Active Directory AADS is a managed domain. You cannot install Group Policy Management tools or directly modify GPOs unless you use a domain-joined VM. Since you don’t want to use a VM, your options are:

User & Password Policies: Password policies for cloud users are managed via Microsoft Entra ID password policies, not GPOs.

Go to: Microsoft Entra Admin Center → Protection → Authentication methods or Password policies--> Configure things like- Password complexity, Lockout thresholds, Expiration.

Group Management--> Manage groups directly in Microsoft Entra ID (via the portal), Static or dynamic groups, Assign users to groups

https://learn.microsoft.com/en-us/entra/identity/domain-services/secure-your-domain
https://learn.microsoft.com/en-us/entra/identity/domain-services/tshoot-ldaps
https://learn.microsoft.com/en-us/entra/identity/domain-services/alert-ldaps
Sakshi Devkante 4,400 Reputation points Microsoft External Staff Moderator

2025-05-20T09:31:50.1066667+00:00

Hello Neelesh Srivastava,

We haven’t heard from you on the last response and was just checking back to see if you have any concerns.
Sakshi Devkante 4,400 Reputation points Microsoft External Staff Moderator

2025-05-21T08:45:54.76+00:00

Hello Neelesh Srivastava,

We haven’t heard from you on the last response and was just checking back to see if you have any concerns.

1 answer

Your answer

Sakshi Devkante 4,400 Reputation points Microsoft External Staff Moderator

2025-05-15T16:36:22.82+00:00

Hello Neelesh Srivastava,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others.
Neelesh Srivastava 0 Reputation points

2025-05-16T03:51:29.85+00:00

Hi Sakshi,

Thanks for response, but still I am not able to do the setup.

Untill step 4 , it is fine and setup is also understandable , and also have openend 636 for aads NSG but after that I have few query:

From where to enable the password hash for users.There is no option to enable it.

Will password hash only available after enabling LDAPS?

I don't want any VM setup. Will the services of LDAP (proper authentication) work fine without it, and how should I manage the user and group policies without VM, like password strength rule and etc.

FYI: I am using the Standard SKU
Sakshi Devkante 4,400 Reputation points Microsoft External Staff Moderator

2025-05-20T09:31:50.1066667+00:00

Hello Neelesh Srivastava,

We haven’t heard from you on the last response and was just checking back to see if you have any concerns.
Sakshi Devkante 4,400 Reputation points Microsoft External Staff Moderator

2025-05-21T08:45:54.76+00:00

Hello Neelesh Srivastava,

We haven’t heard from you on the last response and was just checking back to see if you have any concerns.

Answer 1

Hello Neelesh Srivastava

Setting up Microsoft Entra Domain Services to allow LDAP authentication for third-party applications (like Git, Jenkins, etc.) is possible.

1.Microsoft Entra Domain Services provides LDAP, Kerberos, and NTLM protocols by replicating Entra ID users into a managed domain. You cannot directly use Entra ID for LDAP only AADS supports LDAP. Users must be Entra ID users and either: Cloud-only users, or Synced via Entra Connect from on-prem AD.

2.Entra Domain Services must be deployed to a VNet, as it operates within a subnet in that VNet. ensure DNS is properly configured to use the AADS domain controllers (DNS settings in the VNet must point to the AADS IP addresses)

3.As you mentioned ADDS has already been deployed AADS domain controllers are provisioned in the subnet, DNS for the VNet is automatically updated with AADS IP addresses, or manually set to those IPs

4.By default, LDAP is only available within the VNet and not encrypted.

To allow external apps to authenticate over LDAP, you must enable Secure LDAP (LDAPS).

Steps:

Go to your Microsoft Entra Domain Services resource

Under Settings → Secure LDAP, enable it.

Provide a public certificate (e.g., from DigiCert, Let's Encrypt) or create one via Azure Key Vault.

Enable Allow secure LDAP access over the internet (if your app is outside the VNet).

Save the configuration. [Microsoft recommends using LDAPS only (not plain LDAP), as plain LDAP is not secure]

Port 636 must be open in the network security group (NSG) for this to function.

5.Users must have password hashes available to support LDAP/Kerberos.

For cloud-only users, this means: Users must reset their password after AADS is provisioned

For hybrid environments: Entra Connect must have password hash sync enabled

6.While a VM is not required for LDAP to function, it can help with testing (e.g., using ldp.exe or ldapsearch).

Applications connecting via LDAP must-- Be in the same VNet, or Have DNS configured to resolve the AADS domain, or Connect externally using Secure LDAP (if enabled).

Refer documents:
What is Microsoft Entra Domain Services?
Configure secure LDAP for a Microsoft Entra Domain Services managed domain
LDAP synchronization with Microsoft Entra ID
LDAP authentication with Microsoft Entra ID
Secure LDAP alerts in Microsoft Entra Domain Services

I hope this clarifies things.

Share via

How to setup the Microsoft Entra Domain Services in Azure along with enabling LDAP so that users can login from LDAP enabled applications and can be authenticated using Azure ?

1 answer

Your answer