az ad ds
Note
This reference is part of the ad extension for the Azure CLI (version 2.15.0 or higher). The extension will automatically install the first time you run an az ad ds command. Learn more about extensions.
Manage domain service with azure active directory.
Commands
| az ad ds create |
Create a new domain service with the specified parameters. |
| az ad ds delete |
The Delete Domain Service operation deletes an existing Domain Service. |
| az ad ds list |
List domain services in resource group or in subscription. |
| az ad ds show |
Get the specified domain service. |
| az ad ds update |
Update the existing deployment properties for domain service. |
| az ad ds wait |
Place the CLI in a waiting state until a condition of the ad ds is met. |
az ad ds create
Create a new domain service with the specified parameters.
az ad ds create --domain
--name
--replica-sets
--resource-group
[--domain-config-type {FullySynced, ResourceTrusting}]
[--external-access {Disabled, Enabled}]
[--filtered-sync {Disabled, Enabled}]
[--ldaps {Disabled, Enabled}]
[--no-wait]
[--notify-dc-admins {Disabled, Enabled}]
[--notify-global-admins {Disabled, Enabled}]
[--notify-others]
[--ntlm-v1 {Disabled, Enabled}]
[--pfx-cert]
[--pfx-cert-pwd]
[--resource-forest {Disabled, Enabled}]
[--settings]
[--sku {Enterprise, Premium, Standard}]
[--sync-kerberos-pwd {Disabled, Enabled}]
[--sync-ntlm-pwd {Disabled, Enabled}]
[--sync-on-prem-pwd {Disabled, Enabled}]
[--tags]
[--tls-v1 {Disabled, Enabled}]Examples
Create Domain Service
az ad ds create --domain "TestDS.com" --replica-sets location="West US" subnet-id="<subnetId>" --name "TestDS.com" --resource-group "rg"Create Domain Service with specified settings (Line breaks for legibility only)
az ad ds create --domain "TestDS.com" --replica-sets location="West US" subnet-id="<subnetId>" --name "TestDS.com" --resource-group "rg"
--ntlm-v1 "Enabled" --sync-ntlm-pwd "Enabled" --tls-v1 "Disabled" --filtered-sync "Enabled" --external-access "Enabled"
--ldaps "Enabled" --pfx-cert "cert or path to cert" --pfx-cert-pwd "<pfxCertificatePassword>"
--notify-others "a@gmail.com" "b@gmail.com" --notify-dc-admins "Enabled" --notify-global-admins "Enabled"Required Parameters
The name of the Azure domain that the user would like to deploy Domain Services to.
The name of the domain service.
List of ReplicaSets.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
Domain Configuration Type.
A flag to determine whether or not Secure LDAP access over the internet is enabled or disabled.
Enabled or Disabled flag to turn on Group-based filtered sync.
A flag to determine whether or not Secure LDAP is enabled or disabled.
Do not wait for the long-running operation to finish.
Should domain controller admins be notified.
Should global admins be notified.
The list of additional recipients.
A flag to determine whether or not NtlmV1 is enabled or disabled.
The certificate required to configure Secure LDAP. The parameter passed here should be the file path to the certificate pfx file or a base64encoded representation of the certificate pfx file.
The password to decrypt the provided Secure LDAP certificate pfx file.
Resource Forest.
List of settings for Resource Forest. This can be either a JSON-formatted string or the location to a file containing the JSON object.
Sku Type.
A flag to determine whether or not SyncKerberosPasswords is enabled or disabled.
A flag to determine whether or not SyncNtlmPasswords is enabled or disabled.
A flag to determine whether or not SyncOnPremPasswords is enabled or disabled.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
A flag to determine whether or not TlsV1 is enabled or disabled.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad ds delete
The Delete Domain Service operation deletes an existing Domain Service.
az ad ds delete --name
--resource-group
[--no-wait]
[--yes]Examples
Delete Domain Service
az ad ds delete --name "TestDomainService.com" --resource-group "TestResourceGroup"Required Parameters
The name of the domain service.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
Do not wait for the long-running operation to finish.
Do not prompt for confirmation.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad ds list
List domain services in resource group or in subscription.
az ad ds list [--resource-group]Examples
List Domain Service By Group
az ad ds list --resource-group "TestResourceGroup"List Domain Service By Sub
az ad ds listOptional Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad ds show
Get the specified domain service.
az ad ds show --name
--resource-groupExamples
Get Domain Service
az ad ds show --name "TestDomainService.com" --resource-group "TestResourceGroup"Required Parameters
The name of the domain service.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad ds update
Update the existing deployment properties for domain service.
az ad ds update --name
--resource-group
[--domain-config-type {FullySynced, ResourceTrusting}]
[--external-access {Disabled, Enabled}]
[--filtered-sync {Disabled, Enabled}]
[--ldaps {Disabled, Enabled}]
[--no-wait]
[--notify-dc-admins {Disabled, Enabled}]
[--notify-global-admins {Disabled, Enabled}]
[--notify-others]
[--ntlm-v1 {Disabled, Enabled}]
[--pfx-cert]
[--pfx-cert-pwd]
[--replica-sets]
[--resource-forest {Disabled, Enabled}]
[--settings]
[--sku {Enterprise, Premium, Standard}]
[--sync-kerberos-pwd {Disabled, Enabled}]
[--sync-ntlm-pwd {Disabled, Enabled}]
[--sync-on-prem-pwd {Disabled, Enabled}]
[--tags]
[--tls-v1 {Disabled, Enabled}]Examples
Update sku
az ad ds update --name "TestDS.com" --resource-group "rg" --sku "Enterprise"Update domain security settings
az ad ds update --name "TestDS.com" --resource-group "rg" --ntlm-v1 "Enabled" --tls-v1 "Disabled"Update ldaps settings
az ad ds update --name "TestDS.com" --resource-group "rg" --external-access "Enabled" --ldaps "Enabled" --pfx-cert "MIIDPDCCAiSg..." --pfx-cert-pwd "<pfxCertificatePassword>"Update notification settings
az ad ds update --name "TestDS.com" --resource-group "rg" --notify-dc-admins "Enabled" --notify-global-admins "Disabled"Required Parameters
The name of the domain service.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
Domain Configuration Type.
A flag to determine whether or not Secure LDAP access over the internet is enabled or disabled.
Enabled or Disabled flag to turn on Group-based filtered sync.
A flag to determine whether or not Secure LDAP is enabled or disabled.
Do not wait for the long-running operation to finish.
Should domain controller admins be notified.
Should global admins be notified.
The list of additional recipients.
A flag to determine whether or not NtlmV1 is enabled or disabled.
The certificate required to configure Secure LDAP. The parameter passed here should be the file path to the certificate pfx file or a base64encoded representation of the certificate pfx file.
The password to decrypt the provided Secure LDAP certificate pfx file.
List of ReplicaSets.
Resource Forest.
List of settings for Resource Forest. This can be either a JSON-formatted string or the location to a file containing the JSON object.
Sku Type.
A flag to determine whether or not SyncKerberosPasswords is enabled or disabled.
A flag to determine whether or not SyncNtlmPasswords is enabled or disabled.
A flag to determine whether or not SyncOnPremPasswords is enabled or disabled.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
A flag to determine whether or not TlsV1 is enabled or disabled.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad ds wait
Place the CLI in a waiting state until a condition of the ad ds is met.
az ad ds wait --name
--resource-group
[--created]
[--custom]
[--deleted]
[--exists]
[--interval]
[--timeout]
[--updated]Examples
Pause executing next line of CLI script until the ad ds is successfully created.
az ad ds wait --name "TestDomainService.com" --resource-group "TestResourceGroup" --createdPause executing next line of CLI script until the ad ds is successfully updated.
az ad ds wait --name "TestDomainService.com" --resource-group "TestResourceGroup" --updatedPause executing next line of CLI script until the ad ds is successfully deleted.
az ad ds wait --name "TestDomainService.com" --resource-group "TestResourceGroup" --deletedRequired Parameters
The name of the domain service.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
Wait until created with 'provisioningState' at 'Succeeded'.
Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].
Wait until deleted.
Wait until the resource exists.
Polling interval in seconds.
Maximum wait in seconds.
Wait until updated with provisioningState at 'Succeeded'.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Submit and view feedback for