Is it possible to create an Active Directory domain per resource group? Or an alternative solution?

MADHUN Ahmed 241 Reputation points
2021-09-23T08:32:29.087+00:00

I am separating/isolating environments in Azure into resource groups, e.g., X_Test_RG, X_Prod_RG, etc.

Here is the architecture that I am using so far:

[image: architecture diagram, 134524-2021-09-23-10h22-49.png]

All the VMs within the resource group (in and outside DevTest Labs) need to be connected to the domain in order for products to contact each other.

I managed to create one environment by using Azure Active Directory Domain Services (AD DS) and called the domain X.Dev.xxxx.onmicrosoft.com.
Thus, it is easy to add all machines to the domain, and it is simple to modify the group of users within the domain.

However, it seems that you can only create one AD DS per Azure AD.
What is the best suggestion to solve this kind of problem?
It is important that VMs are connected to the same domain.


3 answers

  1. MADHUN Ahmed 241 Reputation points
    2021-09-28T12:39:02.963+00:00

    I think a solution will be to use a single global AD DS attached to its own RG and VNET.
    Then for all other environments (i.e., resource groups), I add a VNet peering.

    Logically, seems to be okay, but not sure yet as I didn't test it.
    To manage user access, I will use RBAC on the resource group level.

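As an added example of the hub-and-spoke layout proposed in this answer (not code from the original thread): one resource group and VNet host the managed domain, each environment gets its own resource group and VNet peered to the hub, and access is granted per environment with an RBAC assignment at resource-group scope. All names, address ranges, the security-group names and the two DNS IPs are assumptions made for illustration; substitute the values shown in your managed domain's properties.

```powershell
# Added example (not from the thread): hub VNet with the managed domain, one peered
# spoke VNet per environment RG, and Contributor granted per RG to a separate group.
# Every name, CIDR, group and IP below is an assumption chosen for illustration.
#Requires -Modules Az.Network, Az.Resources

$Location = 'westeurope'
$HubRg    = 'X_Identity_RG'      # assumed: RG that already holds the Azure AD DS VNet
$HubVnet  = 'X_Identity_VNET'    # assumed: VNet containing the managed domain's subnet

# Assumed: the two domain controller IPs reported on the managed domain's overview page.
# Spoke VMs must use these as DNS servers or domain join fails even when peering is up.
$AaddsDnsIps = @('10.0.0.4', '10.0.0.5')

# Assumed spoke environments. Address spaces must not overlap with the hub (assumed
# 10.0.0.0/16 here) or with each other, otherwise Azure rejects the peering.
$Spokes = @(
    @{ Rg = 'X_Test_RG'; Vnet = 'X_Test_VNET'; Cidr = '10.10.0.0/16'; Subnet = '10.10.1.0/24'; Group = 'X-Test-Operators' },
    @{ Rg = 'X_Prod_RG'; Vnet = 'X_Prod_VNET'; Cidr = '10.20.0.0/16'; Subnet = '10.20.1.0/24'; Group = 'X-Prod-Operators' }
)

$hub = Get-AzVirtualNetwork -ResourceGroupName $HubRg -Name $HubVnet

foreach ($s in $Spokes) {
    New-AzResourceGroup -Name $s.Rg -Location $Location -Force | Out-Null

    # Spoke VNet with its DNS pointed at the managed domain's DCs (VNet-level setting,
    # so every VM in the RG inherits it, including DevTest Labs VMs).
    $subnet = New-AzVirtualNetworkSubnetConfig -Name 'vms' -AddressPrefix $s.Subnet
    $spoke  = New-AzVirtualNetwork -ResourceGroupName $s.Rg -Name $s.Vnet -Location $Location `
                -AddressPrefix $s.Cidr -Subnet $subnet -DnsServer $AaddsDnsIps -Force

    # Peering is two separate resources; a one-sided peering stays "Initiated" and
    # carries no traffic, so create both directions.
    Add-AzVirtualNetworkPeering -Name "$($s.Vnet)-to-hub" -VirtualNetwork $spoke `
        -RemoteVirtualNetworkId $hub.Id | Out-Null
    Add-AzVirtualNetworkPeering -Name "hub-to-$($s.Vnet)" -VirtualNetwork $hub `
        -RemoteVirtualNetworkId $spoke.Id | Out-Null

    # RBAC at RG scope: the environment's operators get Contributor on their own RG
    # only, with no rights in the hub RG or in the other environments' RGs.
    $grp = Get-AzADGroup -DisplayName $s.Group
    New-AzRoleAssignment -ObjectId $grp.Id -RoleDefinitionName 'Contributor' `
        -ResourceGroupName $s.Rg | Out-Null
}

# Check: every hub-side peering should report PeeringState = Connected
Get-AzVirtualNetworkPeering -ResourceGroupName $HubRg -VirtualNetworkName $HubVnet |
    Select-Object Name, PeeringState
```

Spokes are deliberately not peered to each other, so Test and Prod VMs can only reach the domain controllers, not one another; if a product needs cross-environment traffic, that is an explicit extra peering (or NSG rule) rather than a side effect of this layout. The two things that usually break this design in practice are overlapping address spaces and spoke VNets left on Azure-provided DNS, which makes the peering show Connected while domain join still fails.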

  2. Siva-kumar-selvaraj 15,601 Reputation points
    2021-09-28T07:28:30.857+00:00

    Hello @MADHUN Ahmed ,

    Thanks for reaching out.

No, creating multiple Azure Active Directory Domain Services instances for a single Azure AD tenant is not supported, and Azure resource groups are used as a logical grouping which provides a management layer that enables you to create, update, and delete resources in your Azure account, but doesn't provide separation/isolation between resources. Therefore, you may need to consider compute isolation, networking isolation and storage isolation in addition to user access controls with authentication and identity separation using Azure Active Directory and Role-Based Access Control (RBAC).

    Here is detailed guidance for your reference: https://learn.microsoft.com/en-us/azure/azure-government/azure-secure-isolation-guidance

    Hope this helps


  3. Devaraj G 2,091 Reputation points
    2021-09-28T11:05:52.633+00:00

You can try using a traditional domain controller (AD DS) in Azure and separate your resources (not the managed Azure AD DS).

But you need to plan the network and resource segregation well to avoid any conflicts.
