Integrate Microsoft Entra ID with Active Directory Domain Services

Now that you have Microsoft Entra ID set up, you need to integrate it with your on-premises Active Directory.

Configure a consistent sign-in experience

We recommend that you configure a consistent sign-in experience that uses the same usernames, passwords, and multifactor authentication controls as your on-premises Active Directory Domain Services (AD DS) environment. Your users then need only one set of credentials to access their resources in Azure Virtual Desktop and other Microsoft cloud services.

There are several synchronization options available:

  • Password Hash Sync – usernames and hashes of passwords are synchronized to Microsoft Entra ID.
  • Pass-through Authentication – your on-premises directory service performs simple authentication for Microsoft cloud services, requiring little on-premises configuration on your domain controllers.
  • Active Directory Federation Services – supports more complex scenarios such as partner federation, RSA tokens, and smart card authentication. If you use this option, you'll need to provision additional on-premises servers and ensure they are highly available.

You can use Microsoft Entra Connect to set up synchronization.

Configure Active Directory Domain Services for Azure Virtual Desktop

In Azure Virtual Desktop, your remote sessions use AD DS the same way that your current virtual and physical desktop environment on premises does for session logins at the VM layer. You have the following options to connect with or provision AD DS for Azure Virtual Desktop:

  • Deploy a domain controller in a hosted Windows Server VM running in Azure. The domain controller runs standalone in a virtual network or connects with your on-premises directory service. This is the least expensive method, but it requires you to manage the virtual machine (VM). You need to make sure the VM is highly available and connected to the same virtual network your Azure Virtual Desktop session hosts are connected to.

    Illustration of an Active Directory Domain Server hosted in an Azure virtual machine that has its virtual network peered to Azure Virtual Desktop.

  • Provision Microsoft Entra Domain Services. This is AD DS as a service. You don't have to maintain any domain controller VMs. You connect Microsoft Entra Domain Services to the same virtual network as your Azure Virtual Desktop environment. You can use Microsoft Entra Domain Services with or without a local AD. If you connect it to your on-premises domain, it behaves like your current domain controllers, without the management overhead.

    Illustration of Microsoft Entra Domain Services that has its virtual network peered to Azure Virtual Desktop.

  • Connect your on-premises network to Azure by establishing a connection between your datacenter and Azure. When making the connection, ensure that the domain controllers you operate are securely reachable from the Azure Virtual Desktop VMs running in Azure. You can use a VPN connection or Azure ExpressRoute for connectivity.

    Illustration of an on-premises Active Directory connected to Microsoft Entra ID with Azure ExpressRoute and Microsoft Entra Connect.