Is it possible to create an Active Directory domain per resource group? Or is there an alternative solution?

Ahmed Madhun 72 Reputation points
2021-09-23T08:32:29.087+00:00

I am separating/isolating environments in Azure into resource groups, e.g., X_Test_RG, X_Prod_RG, etc.

Here is the architecture that I am using so far:

[Image: architecture diagram (resource groups with VMs inside and outside DevTest Labs)]

All the VMs within the resource group (in and outside DevTest Labs) need to be connected to the domain in order for the products to contact each other.

I managed to create one environment by using Azure Active Directory Domain Services (AD DS) and called the domain X.Dev.xxxx.onmicrosoft.com.
Thus, it is easy to add all machines to the domain, and it is simple to modify the group of users within the domain.

However, it seems that you can only create one AD DS per Azure AD.
What is the best suggestion to solve this kind of problem?
It is important that the VMs are connected to the same domain.


3 answers

  1. Ahmed Madhun 72 Reputation points
    2021-09-28T12:39:02.963+00:00

    I think a solution will be to use a single global AD DS attached to its own RG and VNet.
    Then for all other environments (i.e., resource groups), I add a VNet peering.

    Logically, it seems to be okay, but I'm not sure yet as I didn't test it.
    To manage user access, I will use RBAC at the resource group level.

    1 person found this answer helpful.
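    The hub-and-spoke layout sketched in this answer, written out as an added Bicep example (not the poster's own deployment). It is deployed into one environment resource group (e.g. X_Test_RG) and assumes a hub resource group named X_Identity_RG holding the VNet that the managed domain is attached to; the VNet names, address ranges and domain controller IPs are placeholders. Besides the spoke side of the peering and the RBAC assignment scoped to this resource group, it sets the spoke VNet's DNS servers to the managed domain's DCs, which peering alone does not do and without which the domain join fails.

```bicep
// Deployed into the environment (spoke) resource group, e.g. X_Test_RG.
targetScope = 'resourceGroup'

@description('Resource group holding the single AD DS VNet (assumed name)')
param hubResourceGroup string = 'X_Identity_RG'
param hubVnetName string = 'vnet-aadds'             // assumed
@description('Private IPs of the managed domain DCs (placeholders)')
param aaddsDnsServers array = [ '10.0.0.4', '10.0.0.5' ]
param spokeVnetName string = 'vnet-test'            // assumed
param spokeAddressPrefix string = '10.10.0.0/16'    // placeholder
@description('Object id of the Azure AD group that runs this environment')
param environmentGroupObjectId string

// Built-in Contributor role definition id
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: hubVnetName
  scope: resourceGroup(hubResourceGroup)
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: spokeVnetName
  location: resourceGroup().location
  properties: {
    addressSpace: { addressPrefixes: [ spokeAddressPrefix ] }
    // Resolve the managed domain from this environment: VMs query the DCs
    // across the peering instead of Azure's default resolver.
    dhcpOptions: { dnsServers: aaddsDnsServers }
  }
}

// Spoke -> hub half of the peering; the hub -> spoke half is deployed the
// same way into hubResourceGroup, with the ids swapped.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: spokeVnet
  name: 'peer-to-${hubVnetName}'
  properties: {
    remoteVirtualNetwork: { id: hubVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false   // no transit between environments via the hub
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}

// RBAC scoped to this resource group only: the team for this environment
// gets no rights in the hub RG or in the other environments' RGs.
resource environmentAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, environmentGroupObjectId, contributorRoleId)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleId)
    principalId: environmentGroupObjectId
    principalType: 'Group'
  }
}
```

    Each environment's address space must not overlap the hub's or any other spoke's, otherwise the peering cannot be created.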

  2. Siva-kumar-selvaraj 15,721 Reputation points
    2021-09-28T07:28:30.857+00:00

    Hello @Anonymous,

    Thanks for reaching out.

    No, creating multiple Azure Active Directory Domain Services instances for a single Azure AD tenant is not supported, and Azure resource groups are used as a logical group which provides a management layer that enables you to create, update, and delete resources in your Azure account, but does not provide separation/isolation between resources. Therefore, you may need to consider compute isolation, networking isolation and storage isolation in addition to user access controls with authentication and identity separation using Azure Active Directory and Role-Based Access Control (RBAC).

    Here is detailed guidance for your reference: https://learn.microsoft.com/en-us/azure/azure-government/azure-secure-isolation-guidance

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. Devaraj G 2,096 Reputation points Volunteer Moderator
    2021-09-28T11:05:52.633+00:00

    You can try using a traditional domain controller (AD DS) in Azure and separate your resources (not the managed Azure AD DS).

    But you need to plan the network and resource segregation well to avoid any conflicts.
