This article is a solution idea. If you'd like us to expand the content with more information, such as potential use cases, alternative services, implementation considerations, or pricing guidance, let us know by providing GitHub feedback.
This solution idea illustrates how to deploy Azure Virtual Desktop rapidly in a minimum viable product (MVP) or a proof of concept (PoC) environment with the use of Azure Active Directory Domain Services (Azure AD DS). Use this idea to both extend on-premises multi-forest AD DS identities to Azure without private connectivity and support legacy authentication.
Potential use cases
This solution idea also applies to mergers and acquisitions, organization rebranding, and multiple on-premises identities requirements.
Download a Visio file of this architecture.
The following steps show how the data flows in this architecture in the form of identity.
- Complex hybrid on-premises Active Directory environments are present, with two or more Active Directory forests. Domains live in separate forests, with distinct User Principal Name (UPN) suffixes. For example, CompanyA.local with UPN suffix CompanyA.com, CompanyB.local with UPN suffix CompanyB.com, and an additional UPN suffix, newcompanyAB.com.
- Instead of using customer-managed domain controllers, either on-premises or on Azure (that is, Azure infrastructure as a service [IaaS] domain controllers), the environment uses the two cloud-managed domain controllers provided by Azure AD DS.
- Azure Active Directory (Azure AD) Connect syncs users from both CompanyA.com and CompanyB.com to the Azure AD tenant, newcompanyAB.onmicrosoft.com. The user account is represented only once in Azure AD, and private connectivity isn't used.
- Users then sync from Azure AD to the managed Azure AD DS as a one-way sync.
- A custom and routable Azure AD DS domain name, aadds.newcompanyAB.com, is created. The newcompanyAB.com domain is a registered domain that supports LDAP certificates. We generally recommend that you not use non-routable domain names, such as contoso.local, because it can cause issues with DNS resolution.
- The Azure Virtual Desktop session hosts join the Azure AD DS domain controllers.
- Host pools and app groups can be created in a separate subscription and spoke virtual network.
- Users are assigned to the app groups.
- Users sign in by using either the Azure Virtual Desktop application or the web client, with a UPN in a format such as john@companyA.com, jane@companyB.com, or joe@newcompanyAB.com, depending on their configured UPN suffix.
- Users are presented with their respective virtual desktops or apps. For example, john@companyA.com is presented with virtual desktops or apps in host pool A, jane@companyB is presented with virtual desktops or apps in host pool B, and joe@newcompanyAB is presented with virtual desktops or apps in host pool AB.
- The storage account (Azure Files is used for FSLogix) is joined to the managed domain AD DS. The FSLogix user profiles are created in Azure Files shares.
- For Group Policy requirements in Azure AD DS, you can install Group Policy Management tools on a Windows Server virtual machine that's joined to Azure AD DS.
- To extend Group Policy infrastructure for Azure Virtual Desktop from the on-premises domain controllers, you need to manually export and import it to Azure AD DS.
You implement this architecture by using the following technologies:
- Azure Active Directory
- Azure Active Directory Domain Services
- Azure Files
- Azure Virtual Desktop
- Azure Virtual Network
This article is maintained by Microsoft. It was originally written by the following contributors.
- Tom Maher | Senior Security and Identity Engineer
- Multiple Active Directory forests architecture with Azure Virtual Desktop
- Azure Virtual Desktop for enterprises
- Azure AD Connect topologies
- Compare different identity options
- Azure Virtual Desktop documentation