Multiple forests with AD DS, Azure AD, and Azure AD DS

Azure Active Directory
Active Directory Domain Services
Azure Virtual Desktop

Solution ideas

This article is a solution idea. If you'd like us to expand the content with more information, such as potential use cases, alternative services, implementation considerations, or pricing guidance, let us know by providing GitHub feedback.

This solution idea illustrates how to deploy Azure Virtual Desktop rapidly in a minimum viable product (MVP) or a proof of concept (PoC) environment with the use of Azure Active Directory Domain Services (Azure AD DS). Use this idea to both extend on-premises multi-forest AD DS identities to Azure without private connectivity and support legacy authentication.

Potential use cases

This solution idea also applies to mergers and acquisitions, organization rebranding, and multiple on-premises identities requirements.


Diagram of Azure Virtual Desktop with Azure AD Domain Services.

Download a Visio file of this architecture.


The following steps show how the data flows in this architecture in the form of identity.

  1. Complex hybrid on-premises Active Directory environments are present, with two or more Active Directory forests. Domains live in separate forests, with distinct User Principal Name (UPN) suffixes. For example, CompanyA.local with UPN suffix, CompanyB.local with UPN suffix, and an additional UPN suffix,
  2. Instead of using customer-managed domain controllers, either on-premises or on Azure (that is, Azure infrastructure as a service [IaaS] domain controllers), the environment uses the two cloud-managed domain controllers provided by Azure AD DS.
  3. Azure Active Directory (Azure AD) Connect syncs users from both and to the Azure AD tenant, The user account is represented only once in Azure AD, and private connectivity isn't used.
  4. Users then sync from Azure AD to the managed Azure AD DS as a one-way sync.
  5. A custom and routable Azure AD DS domain name,, is created. The domain is a registered domain that supports LDAP certificates. We generally recommend that you not use non-routable domain names, such as contoso.local, because it can cause issues with DNS resolution.
  6. The Azure Virtual Desktop session hosts join the Azure AD DS domain controllers.
  7. Host pools and app groups can be created in a separate subscription and spoke virtual network.
  8. Users are assigned to the app groups.
  9. Users sign in by using either the Azure Virtual Desktop application or the web client, with a UPN in a format such as,, or, depending on their configured UPN suffix.
  10. Users are presented with their respective virtual desktops or apps. For example, is presented with virtual desktops or apps in host pool A, jane@companyB is presented with virtual desktops or apps in host pool B, and joe@newcompanyAB is presented with virtual desktops or apps in host pool AB.
  11. The storage account (Azure Files is used for FSLogix) is joined to the managed domain AD DS. The FSLogix user profiles are created in Azure Files shares.


  • For Group Policy requirements in Azure AD DS, you can install Group Policy Management tools on a Windows Server virtual machine that's joined to Azure AD DS.
  • To extend Group Policy infrastructure for Azure Virtual Desktop from the on-premises domain controllers, you need to manually export and import it to Azure AD DS.


You implement this architecture by using the following technologies:


This article is maintained by Microsoft. It was originally written by the following contributors.

Principal author:

  • Tom Maher | Senior Security and Identity Engineer

Next steps