Moving legacy apps from AD DS to Entra DS

Bojan Zivkovic 606 Reputation points
2025-06-03T13:43:08.1366667+00:00

Hi, we have a hybrid environment with 700-ish Hybrid Entra Joined Windows 11 devices and 80-ish servers joined to an on-premises AD DS domain. The idea is to get rid of the on-premises domain and all on-premises servers altogether, but there are some legacy apps that still use "on-premises" protocols. Having decommissioned the on-premises domain, our Windows 11 devices would be Entra Joined only, and the servers running these legacy apps would be replaced by servers (Azure VMs) joined to a new Entra DS managed domain. Windows 11 devices would then be managed by Intune only (currently we have MCM-Intune co-management), whereas servers would be managed by Azure tools in combination with some features provided by Entra DS, such as GPOs.

In this scenario, to continue using those legacy apps (now hosted on servers in Azure) from Entra Joined Windows 11 devices (SSO using an Entra user account), what would be all the configuration steps we would need to perform (I have no practical experience with Entra DS whatsoever, hence this question)? Practically, the same end-user experience they have now is what I am interested in. I do not have insight into the details of those legacy applications, though.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Marcin Policht 50,735 Reputation points MVP Volunteer Moderator
    2025-06-03T21:26:54.5666667+00:00

    Unfortunately, AFAIK, this wouldn't work. Entra DS does not support hybrid join, nor does it establish trust relationships with Entra ID. This causes a fundamental limitation in seamless authentication between Entra ID joined clients and Entra DS joined servers. Effectively, Entra ID joined Windows 11 devices cannot perform Kerberos authentication against Entra Domain Services (Entra DS) - because Entra DS does not trust Entra ID joined devices, and no machine accounts exist in Entra DS for those clients.

    Btw, these limitations go away if you use AD DS running on Azure VMs - rather than Entra DS - which would also allow you to eliminate your on-premises environment.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

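    A diagnostic an administrator could run on one of the Entra-joined Windows 11 devices to see where the chain described in this answer breaks: the device's join state, line of sight to the managed domain's KDC, and a Kerberos service-ticket request for a target server. This is an added example, not code from the thread; the server FQDN and the managed-domain name derived from it are placeholders you supply.

```powershell
function Test-ManagedDomainKerberos {
    # Assumption: $ServerFqdn is a server joined to the Entra DS managed domain (placeholder name).
    param(
        [Parameter(Mandatory)] [string] $ServerFqdn,
        [int] $KerberosPort = 88
    )
    $result = [ordered]@{ Server = $ServerFqdn }

    # 1. Join state of this device: an Entra-joined-only device shows AzureAdJoined YES, DomainJoined NO.
    $status = dsregcmd /status
    $result.AzureAdJoined = [bool]($status | Select-String '^\s*AzureAdJoined\s*:\s*YES')
    $result.DomainJoined  = [bool]($status | Select-String '^\s*DomainJoined\s*:\s*YES')

    # 2. Line of sight to the managed domain's KDC, located through the Kerberos SRV record.
    $domain = $ServerFqdn.Substring($ServerFqdn.IndexOf('.') + 1)
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget } | Select-Object -First 1
    $result.KdcHost = if ($srv) { $srv.NameTarget } else { $null }
    $result.KdcReachable = if ($srv) {
        (Test-NetConnection -ComputerName $srv.NameTarget -Port $KerberosPort -WarningAction SilentlyContinue).TcpTestSucceeded
    } else { $false }

    # 3. Ask the local Kerberos client for a service ticket to the server. Without a trust and
    #    without usable credentials for the managed domain, klist reports an error, not a ticket.
    $klist = (klist get "host/$ServerFqdn" 2>&1 | Out-String).Trim()
    $result.ServiceTicket = $klist -match "Server:\s*host/$([regex]::Escape($ServerFqdn))"
    $result.KlistOutput = $klist

    [pscustomobject]$result
}

# Example call (placeholder FQDN):
# Test-ManagedDomainKerberos -ServerFqdn 'app01.managed.example' | Format-List
```

    Read the three booleans together: a reachable KDC with no service ticket points at the missing trust/device account described above rather than at networking.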

  2. Bojan Zivkovic 606 Reputation points
    2025-06-04T06:15:40.95+00:00

    I was thinking the same way, just wanted confirmation: syncing users from Entra ID to Entra DS is one thing, but the device part of the whole picture is something else, which in this case is a showstopper.

    Speaking of replacing on-premises DCs with DCs in Azure, that is on the cards as well; unfortunately, total cost could be the deciding factor here, and it seems that deploying an Entra DS managed domain (single replica set) is cheaper but comes with many technical limitations if we want to completely decommission AD DS on-premises. People "pushing" the Entra DS option should be aware of all the limitations, not thinking only about total cost.


  3. Marcin Policht 50,735 Reputation points MVP Volunteer Moderator
    2025-06-04T12:11:29.0666667+00:00

    Whatever works currently in your on-premises environment should work the same way if you opt for using AD DS on Azure VMs, from the authentication/authorization standpoint (obviously there are other considerations - such as support for broadcasts/multicast - but those go beyond what's discussed here).

    The primary consideration is whether your management is willing to accept the increased management overhead associated with using AD DS in Azure IaaS (vs Entra DS). However, note that this is still considerably lower compared with maintaining AD DS on-premises.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

