az ad ds

Note

This reference is part of the ad extension for the Azure CLI (version 2.15.0 or higher). The extension will automatically install the first time you run an az ad ds command. Learn more about extensions.

This command group is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Manage domain service with Azure Active Directory.

Commands

| Name | Description | Type | Status |
| --- | --- | --- | --- |
| az ad ds create | Create a new domain service with the specified parameters. | Extension | Experimental |
| az ad ds delete | The Delete Domain Service operation deletes an existing Domain Service. | Extension | Experimental |
| az ad ds list | List domain services in resource group or in subscription. | Extension | Experimental |
| az ad ds show | Get the specified domain service. | Extension | Experimental |
| az ad ds update | Update the existing deployment properties for domain service. | Extension | Experimental |
| az ad ds wait | Place the CLI in a waiting state until a condition of the ad ds is met. | Extension | Experimental |

az ad ds create

Experimental

Command group 'ad ds' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Create a new domain service with the specified parameters.

az ad ds create --domain
                --name
                --replica-sets
                --resource-group
                [--domain-config-type {FullySynced, ResourceTrusting}]
                [--external-access {Disabled, Enabled}]
                [--filtered-sync {Disabled, Enabled}]
                [--ldaps {Disabled, Enabled}]
                [--no-wait]
                [--notify-dc-admins {Disabled, Enabled}]
                [--notify-global-admins {Disabled, Enabled}]
                [--notify-others]
                [--ntlm-v1 {Disabled, Enabled}]
                [--pfx-cert]
                [--pfx-cert-pwd]
                [--resource-forest {Disabled, Enabled}]
                [--settings]
                [--sku {Enterprise, Premium, Standard}]
                [--sync-kerberos-pwd {Disabled, Enabled}]
                [--sync-ntlm-pwd {Disabled, Enabled}]
                [--sync-on-prem-pwd {Disabled, Enabled}]
                [--tags]
                [--tls-v1 {Disabled, Enabled}]

Examples

Create Domain Service

az ad ds create --domain "TestDS.com" --replica-sets location="West US" subnet-id="<subnetId>" --name "TestDS.com" --resource-group "rg"

Create Domain Service with specified settings (Line breaks for legibility only)

az ad ds create --domain "TestDS.com" --replica-sets location="West US" subnet-id="<subnetId>" --name "TestDS.com" --resource-group "rg"
--ntlm-v1 "Enabled" --sync-ntlm-pwd "Enabled" --tls-v1 "Disabled" --filtered-sync "Enabled" --external-access "Enabled"
--ldaps "Enabled" --pfx-cert "cert or path to cert" --pfx-cert-pwd "<pfxCertificatePassword>"
--notify-others "a@gmail.com" "b@gmail.com" --notify-dc-admins "Enabled" --notify-global-admins "Enabled"
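
The second example above turns on NTLM v1 and internet-facing Secure LDAP in a single call. As an added example (not part of the Azure CLI reference), the following POSIX shell function lints the argument list of a planned `az ad ds create` or `az ad ds update` call and reports such settings before the command runs. `lint_ad_ds_args`, `FINDINGS` and `FINDING_COUNT` are hypothetical names, and the choice of which flags to report is an assumption of this sketch.

```shell
#!/bin/sh
# Added example, not part of the Azure CLI: pre-flight lint for the arguments of a
# planned `az ad ds create` or `az ad ds update` call. lint_ad_ds_args, FINDINGS and
# FINDING_COUNT are hypothetical names. POSIX sh; the only external tool is tr.

FINDINGS=""
FINDING_COUNT=0

# Append one message to FINDINGS (newline-separated) and bump the counter.
_add_finding() {
    FINDINGS="${FINDINGS}$1
"
    FINDING_COUNT=$((FINDING_COUNT + 1))
}

# Usage: lint_ad_ds_args <the arguments that would follow `az ad ds create|update`>
# Accepts both "--flag value" and "--flag=value"; values compare case-insensitively.
# Returns 0 when nothing is flagged, 1 otherwise (details in FINDINGS).
lint_ad_ds_args() {
    FINDINGS=""
    FINDING_COUNT=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --*=*) _flag=${1%%=*}; _value=${1#*=} ;;   # --flag=value
            --*)   _flag=$1; _value=${2-} ;;           # --flag value (peek at next word)
            *)     shift; continue ;;                  # a value or list item, already seen
        esac
        shift
        _value=$(printf '%s' "$_value" | tr '[:upper:]' '[:lower:]')
        [ "$_value" = "enabled" ] || continue
        # Flags this sketch chooses to report when set to Enabled (an assumption).
        case "$_flag" in
            --ntlm-v1)
                _add_finding "--ntlm-v1 Enabled: NTLM v1 stays available on the managed domain" ;;
            --tls-v1)
                _add_finding "--tls-v1 Enabled: TLS v1 stays available on the managed domain" ;;
            --external-access)
                _add_finding "--external-access Enabled: Secure LDAP is reachable over the internet" ;;
            --sync-ntlm-pwd)
                _add_finding "--sync-ntlm-pwd Enabled: NTLM password sync is on; confirm it is needed" ;;
        esac
    done
    [ "$FINDING_COUNT" -eq 0 ]
}

# Constructed input: the security-related flags of the "specified settings" example.
if ! lint_ad_ds_args --domain "TestDS.com" --name "TestDS.com" --resource-group "rg" \
        --ntlm-v1 "Enabled" --sync-ntlm-pwd "Enabled" --tls-v1 "Disabled" \
        --filtered-sync "Enabled" --external-access "Enabled" --ldaps "Enabled"; then
    printf '%s finding(s):\n%s' "$FINDING_COUNT" "$FINDINGS"
fi
```

In a deployment script, call the function with the same argument array that is later passed to `az`, and stop when it returns non-zero.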

Required Parameters

--domain

The name of the Azure domain that the user would like to deploy Domain Services to.

--name -n

The name of the domain service.

--replica-sets

List of ReplicaSets.

Usage: --replica-sets location=XX subnet-id=XX

location: Virtual network location
subnet-id: The id of the subnet that Domain Services will be deployed on.

Multiple actions can be specified by using more than one --replica-sets argument.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--domain-config-type

Domain Configuration Type.

Property Value
Accepted values: FullySynced, ResourceTrusting
--external-access

A flag to determine whether or not Secure LDAP access over the internet is enabled or disabled.

Property Value
Parameter group: Ldaps Settings Arguments
Accepted values: Disabled, Enabled
--filtered-sync

Enabled or Disabled flag to turn on Group-based filtered sync.

Property Value
Accepted values: Disabled, Enabled
--ldaps

A flag to determine whether or not Secure LDAP is enabled or disabled.

Property Value
Parameter group: Ldaps Settings Arguments
Accepted values: Disabled, Enabled
--no-wait

Do not wait for the long-running operation to finish.

Property Value
Default value: False
--notify-dc-admins

Should domain controller admins be notified.

Property Value
Parameter group: Notification Settings Arguments
Accepted values: Disabled, Enabled
--notify-global-admins

Should global admins be notified.

Property Value
Parameter group: Notification Settings Arguments
Accepted values: Disabled, Enabled
--notify-others

The list of additional recipients.

Property Value
Parameter group: Notification Settings Arguments
--ntlm-v1

A flag to determine whether or not NtlmV1 is enabled or disabled.

Property Value
Parameter group: Domain Security Settings Arguments
Accepted values: Disabled, Enabled
--pfx-cert

The certificate required to configure Secure LDAP. The parameter passed here should be the file path to the certificate pfx file or a base64-encoded representation of the certificate pfx file.

Property Value
Parameter group: Ldaps Settings Arguments
--pfx-cert-pwd

The password to decrypt the provided Secure LDAP certificate pfx file.

Property Value
Parameter group: Ldaps Settings Arguments
--resource-forest

Resource Forest.

Property Value
Parameter group: Resource Forest Settings Arguments
Accepted values: Disabled, Enabled
--settings

List of settings for Resource Forest. This can be either a JSON-formatted string or the location to a file containing the JSON object.

The format of the settings JSON object for Resource Forest: [ { "trusted_domain_fqdn": "XX", "trust_direction": "XX", "friendly_name": "XX", "remote_dns_ips": "XX", "trust_password": "XX" }, ...n ].

Property Value
Parameter group: Resource Forest Settings Arguments
--sku

Sku Type.

Property Value
Accepted values: Enterprise, Premium, Standard
--sync-kerberos-pwd

A flag to determine whether or not SyncKerberosPasswords is enabled or disabled.

Property Value
Parameter group: Domain Security Settings Arguments
Accepted values: Disabled, Enabled
--sync-ntlm-pwd

A flag to determine whether or not SyncNtlmPasswords is enabled or disabled.

Property Value
Parameter group: Domain Security Settings Arguments
Accepted values: Disabled, Enabled
--sync-on-prem-pwd

A flag to determine whether or not SyncOnPremPasswords is enabled or disabled.

Property Value
Parameter group: Domain Security Settings Arguments
Accepted values: Disabled, Enabled
--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--tls-v1

A flag to determine whether or not TlsV1 is enabled or disabled.

Property Value
Parameter group: Domain Security Settings Arguments
Accepted values: Disabled, Enabled
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az ad ds delete

Experimental

Command group 'ad ds' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

The Delete Domain Service operation deletes an existing Domain Service.

az ad ds delete [--ids]
                [--name]
                [--no-wait]
                [--resource-group]
                [--subscription]
                [--yes]

Examples

Delete Domain Service

az ad ds delete --name "TestDomainService.com" --resource-group "TestResourceGroup"

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

Property Value
Parameter group: Resource Id Arguments
--name -n

The name of the domain service.

Property Value
Parameter group: Resource Id Arguments
--no-wait

Do not wait for the long-running operation to finish.

Property Value
Default value: False
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Resource Id Arguments
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Property Value
Parameter group: Resource Id Arguments
--yes -y

Do not prompt for confirmation.

Property Value
Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az ad ds list

Experimental

Command group 'ad ds' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

List domain services in resource group or in subscription.

az ad ds list [--resource-group]

Examples

List Domain Service By Group

az ad ds list --resource-group "TestResourceGroup"

List Domain Service By Sub

az ad ds list

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az ad ds show

Experimental

Command group 'ad ds' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Get the specified domain service.

az ad ds show [--ids]
              [--name]
              [--resource-group]
              [--subscription]

Examples

Get Domain Service

az ad ds show --name "TestDomainService.com" --resource-group "TestResourceGroup"

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

Property Value
Parameter group: Resource Id Arguments
--name -n

The name of the domain service.

Property Value
Parameter group: Resource Id Arguments
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Resource Id Arguments
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Property Value
Parameter group: Resource Id Arguments
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az ad ds update

Experimental

Command group 'ad ds' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Update the existing deployment properties for domain service.

az ad ds update [--domain-config-type {FullySynced, ResourceTrusting}]
                [--external-access {Disabled, Enabled}]
                [--filtered-sync {Disabled, Enabled}]
                [--ids]
                [--ldaps {Disabled, Enabled}]
                [--name]
                [--no-wait]
                [--notify-dc-admins {Disabled, Enabled}]
                [--notify-global-admins {Disabled, Enabled}]
                [--notify-others]
                [--ntlm-v1 {Disabled, Enabled}]
                [--pfx-cert]
                [--pfx-cert-pwd]
                [--replica-sets]
                [--resource-forest {Disabled, Enabled}]
                [--resource-group]
                [--settings]
                [--sku {Enterprise, Premium, Standard}]
                [--subscription]
                [--sync-kerberos-pwd {Disabled, Enabled}]
                [--sync-ntlm-pwd {Disabled, Enabled}]
                [--sync-on-prem-pwd {Disabled, Enabled}]
                [--tags]
                [--tls-v1 {Disabled, Enabled}]

Examples

Update sku

az ad ds update --name "TestDS.com" --resource-group "rg" --sku "Enterprise"

Update domain security settings

az ad ds update --name "TestDS.com" --resource-group "rg" --ntlm-v1 "Enabled" --tls-v1 "Disabled"

Update ldaps settings

az ad ds update --name "TestDS.com" --resource-group "rg" --external-access "Enabled" --ldaps "Enabled" --pfx-cert "MIIDPDCCAiSg..." --pfx-cert-pwd "<pfxCertificatePassword>"

Update notification settings

az ad ds update --name "TestDS.com" --resource-group "rg" --notify-dc-admins "Enabled" --notify-global-admins "Disabled"

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--domain-config-type

Domain Configuration Type.

Property Value
Accepted values: FullySynced, ResourceTrusting
--external-access

A flag to determine whether or not Secure LDAP access over the internet is enabled or disabled.

Property Value
Parameter group: Ldaps Settings Arguments
Accepted values: Disabled, Enabled
--filtered-sync

Enabled or Disabled flag to turn on Group-based filtered sync.

Property Value
Accepted values: Disabled, Enabled
--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

Property Value
Parameter group: Resource Id Arguments
--ldaps

A flag to determine whether or not Secure LDAP is enabled or disabled.

Property Value
Parameter group: Ldaps Settings Arguments
Accepted values: Disabled, Enabled
--name -n

The name of the domain service.

Property Value
Parameter group: Resource Id Arguments
--no-wait

Do not wait for the long-running operation to finish.

Property Value
Default value: False
--notify-dc-admins

Should domain controller admins be notified.

Property Value
Parameter group: Notification Settings Arguments
Accepted values: Disabled, Enabled
--notify-global-admins

Should global admins be notified.

Property Value
Parameter group: Notification Settings Arguments
Accepted values: Disabled, Enabled
--notify-others

The list of additional recipients.

Property Value
Parameter group: Notification Settings Arguments
--ntlm-v1

A flag to determine whether or not NtlmV1 is enabled or disabled.

Property Value
Parameter group: Domain Security Settings Arguments
Accepted values: Disabled, Enabled
--pfx-cert

The certificate required to configure Secure LDAP. The parameter passed here should be the file path to the certificate pfx file or a base64-encoded representation of the certificate pfx file.

Property Value
Parameter group: Ldaps Settings Arguments
--pfx-cert-pwd

The password to decrypt the provided Secure LDAP certificate pfx file.

Property Value
Parameter group: Ldaps Settings Arguments
--replica-sets

List of ReplicaSets.

Usage: --replica-sets location=XX subnet-id=XX

location: Virtual network location
subnet-id: The id of the subnet that Domain Services will be deployed on.

Multiple actions can be specified by using more than one --replica-sets argument.

--resource-forest

Resource Forest.

Property Value
Parameter group: Resource Forest Settings Arguments
Accepted values: Disabled, Enabled
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Resource Id Arguments
--settings

List of settings for Resource Forest. This can be either a JSON-formatted string or the location to a file containing the JSON object.

The format of the settings JSON object for Resource Forest: [ { "trusted_domain_fqdn": "XX", "trust_direction": "XX", "friendly_name": "XX", "remote_dns_ips": "XX", "trust_password": "XX" }, ...n ].

Property Value
Parameter group: Resource Forest Settings Arguments
--sku

Sku Type.

Property Value
Accepted values: Enterprise, Premium, Standard
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Property Value
Parameter group: Resource Id Arguments
--sync-kerberos-pwd

A flag to determine whether or not SyncKerberosPasswords is enabled or disabled.

Property Value
Parameter group: Domain Security Settings Arguments
Accepted values: Disabled, Enabled
--sync-ntlm-pwd

A flag to determine whether or not SyncNtlmPasswords is enabled or disabled.

Property Value
Parameter group: Domain Security Settings Arguments
Accepted values: Disabled, Enabled
--sync-on-prem-pwd

A flag to determine whether or not SyncOnPremPasswords is enabled or disabled.

Property Value
Parameter group: Domain Security Settings Arguments
Accepted values: Disabled, Enabled
--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--tls-v1

A flag to determine whether or not TlsV1 is enabled or disabled.

Property Value
Parameter group: Domain Security Settings Arguments
Accepted values: Disabled, Enabled
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False

az ad ds wait

Experimental

Command group 'ad ds' is experimental and under development. Reference and support levels: https://aka.ms/CLI_refstatus

Place the CLI in a waiting state until a condition of the ad ds is met.

az ad ds wait [--created]
              [--custom]
              [--deleted]
              [--exists]
              [--ids]
              [--interval]
              [--name]
              [--resource-group]
              [--subscription]
              [--timeout]
              [--updated]

Examples

Pause executing next line of CLI script until the ad ds is successfully created.

az ad ds wait --name "TestDomainService.com" --resource-group "TestResourceGroup" --created

Pause executing next line of CLI script until the ad ds is successfully updated.

az ad ds wait --name "TestDomainService.com" --resource-group "TestResourceGroup" --updated

Pause executing next line of CLI script until the ad ds is successfully deleted.

az ad ds wait --name "TestDomainService.com" --resource-group "TestResourceGroup" --deleted

Optional Parameters

The following parameters are optional, but depending on the context, one or more might become required for the command to execute successfully.

--created

Wait until created with 'provisioningState' at 'Succeeded'.

Property Value
Parameter group: Wait Condition Arguments
Default value: False
--custom

Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].

Property Value
Parameter group: Wait Condition Arguments
--deleted

Wait until deleted.

Property Value
Parameter group: Wait Condition Arguments
Default value: False
--exists

Wait until the resource exists.

Property Value
Parameter group: Wait Condition Arguments
Default value: False
--ids

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.

Property Value
Parameter group: Resource Id Arguments
--interval

Polling interval in seconds.

Property Value
Parameter group: Wait Condition Arguments
Default value: 30
--name -n

The name of the domain service.

Property Value
Parameter group: Resource Id Arguments
--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Property Value
Parameter group: Resource Id Arguments
--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Property Value
Parameter group: Resource Id Arguments
--timeout

Maximum wait in seconds.

Property Value
Parameter group: Wait Condition Arguments
Default value: 3600
--updated

Wait until updated with provisioningState at 'Succeeded'.

Property Value
Parameter group: Wait Condition Arguments
Default value: False
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

Property Value
Default value: False
--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

Property Value
Default value: False
--output -o

Output format.

Property Value
Default value: json
Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Property Value
Default value: False