Domain Service Account in Azure?

Matt Barron 66 Reputation points
2022-03-28T17:49:25.07+00:00

I have an API running in IIS on an Azure VM on a virtual network that is accessed via Azure VPN. This API accesses a database, also hosted on an Azure VM (SQL Server on Azure Virtual Machines). Both machines are attached to an Azure Active Directory Domain Services instance.

If I were running this account on-premises I'd create a service account in Active Directory, run the API using that account (in the Application Pool in IIS), and then give the service account the appropriate access to the database.

Is there any way to achieve this using Azure Active Directory Domain Services?

Many thanks in advance!


2 answers

  1. Siva-kumar-selvaraj 15,666 Reputation points
    2022-04-01T05:25:06.34+00:00

    Hello @Matt Barron ,

    Thanks for reaching out.

    From your query, I understand that you have an IIS-based application running on an Azure VM which is joined to an Azure Active Directory Domain Services instance, and you want to know whether a service account can be used to run services.

    Azure AD DS lets you continue to use service accounts in the same way. You can choose to use the same service account that is synchronized from your on-premises directory to Azure AD or create a custom OU and then create a separate service account in that OU. With either approach, applications continue to function the same way to make authenticated calls to other tiers and services.

    As managed domains are locked down and managed by Microsoft, there are some considerations when using service accounts:

    • Create service accounts in custom organizational units (OUs) on the managed domain, or use the same service account that is synchronized from your on-premises directory to Azure AD.
    • You can't create a service account in the built-in AADDC Users or AADDC Computers OUs.
    • Instead, create a custom OU in the managed domain and then create service accounts in that custom OU.

    To learn more, refer to the following links:
    Migrate an on-premises service or daemon application to Azure: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/scenarios#migrate-an-on-premises-service-or-daemon-application-to-azure

    Using service accounts in Azure AD DS: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/create-gmsa#using-service-accounts-in-azure-ad-ds

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

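    The steps above (custom OU, service account in that OU, IIS app pool identity, database access), as an added PowerShell example that is not part of the answer or of Microsoft's documentation. It assumes a domain-joined management VM with the RSAT ActiveDirectory, WebAdministration and SqlServer modules, a session that is a member of "AAD DC Administrators", and placeholder names (domain `EXAMPLE` / `example.com`, OU `ServiceAccounts`, account `svc-api`, app pool `ApiPool`, SQL host `sqlvm01`, database `ApiDb`).

```powershell
# Added example, not from the thread. All names below are placeholders.
Import-Module ActiveDirectory

$domainDn = "DC=example,DC=com"   # placeholder DN of the managed domain
$netbios  = "EXAMPLE"             # placeholder NetBIOS domain name
$ouName   = "ServiceAccounts"
$ouDn     = "OU=$ouName,$domainDn"
$svcName  = "svc-api"

# 1. Custom OU: Azure AD DS does not allow service accounts in the
#    built-in AADDC Users / AADDC Computers OUs, so create our own.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Service account inside that OU. The password is prompted for,
#    never embedded in the script or committed anywhere.
$securePwd = Read-Host -Prompt "Password for $svcName" -AsSecureString
New-ADUser -Name $svcName -SamAccountName $svcName -Path $ouDn `
    -AccountPassword $securePwd -Enabled $true -PasswordNeverExpires $true `
    -Description "IIS application pool identity for the API"

# 3. Run the IIS application pool as that account.
#    identityType 3 = SpecificUser in the IIS processModel schema.
Import-Module WebAdministration
$plainPwd = [System.Net.NetworkCredential]::new("", $securePwd).Password
Set-ItemProperty "IIS:\AppPools\ApiPool" -Name processModel -Value @{
    userName     = "$netbios\$svcName"
    password     = $plainPwd
    identityType = 3
}

# 4. Grant the account only the database roles the API needs, using
#    Windows authentication against the SQL Server VM (no SQL password).
Import-Module SqlServer
$login = "[$netbios\$svcName]"
$sql = @"
CREATE LOGIN $login FROM WINDOWS;
USE [ApiDb];
CREATE USER $login FOR LOGIN $login;
ALTER ROLE db_datareader ADD MEMBER $login;
ALTER ROLE db_datawriter ADD MEMBER $login;
"@
Invoke-Sqlcmd -ServerInstance "sqlvm01" -Query $sql
```

    Replace `db_datareader`/`db_datawriter` with a narrower custom role if the API only needs specific tables or stored procedures.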

  2. Johan Ponten [Avian] 0 Reputation points
    2023-06-16T08:47:12.32+00:00

    Thank you very much for these directions on how to work with service domain accounts. I have been struggling for a long time to find any information on the topic that does not only talk about Managed Identities and Service Principals. I believe this is what I have been looking for.
    Will give feedback here with our results when done!

    \Johan

