
Can't find clear documentation to connect local devices to Azure AD Domain Services (AADDS).

Have already successfully set up Azure WAN + Azure Hub + User point-to-site VPN connection.

But don't have clear documentation on how to set up NSG rules to connect to the AADDS domain controller.

Any documentation / tips on next troubleshooting steps would be helpful.

Rohit Mistry

Hello @RohitMistry, May I know if you have referred to this https://social.technet.microsoft.com/wiki/contents/articles/51353.azure-step-by-step-guide-extending-ad-ds-to-azure-using-site-to-site-vpn-or-express-route.aspx ? – Ansuman Bal Sep 06 '21 at 13:20

Depending on the traffic and usage, you can add NSG rules; you can refer to this: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN – Ansuman Bal Sep 06 '21 at 13:20

Thanks @AnsumanBal-MT! I came to the article after I fixed my issue. But the NSG rules suggestion was spot on. I also had to set up network forwarding + using remote Gateway in the AADDS side VNET peering. Thanks again! – Rohit Mistry Oct 14 '21 at 02:35

2 Answers


Please refer if this can give an idea

Unlike other Azure resources, Azure AD Domain Services is a resource that is directly associated to the Azure AD tenant your Azure subscription is linked to. You need global administrator privileges in your Azure AD tenant to enable Azure AD DS.

By default, your account should have Contributor access to the subscription as that is the RBAC role specified during the deployment. The Owner role is not permitted with the initial deployment. To get owner permissions on your repro tenant:

  1. Add your @microsoft alias to your repro tenant as a guest, assign GA role.

  2. Add your @microsoft alias as a member of the AAD group that is inheriting the RBAC permissions.

Make sure that your MS alias account is listed as a Co-Administrator (or another legacy administrator type) on the subscription in the projected tenant. If you do not see the assignment and are unable to make any change, add your MS alias as co-admin of the subscription in the MS tenant. Add co-admin?

Switch to your repro tenant using your MS account and elevate permissions (AAD -> Properties -> Access management for Azure resources).

AAD Domain Services Deployment

Pre-requisite steps to deploy AADDS in your test tenant against your projected Azure subscription.

If your project subscription resides in the Microsoft tenant, at some point the security policy in place will add network deny rules that will block the necessary port, causing the deployment to fail. To avoid that situation, create your network, subnets, bastion instance and NSG manually and add the rule to the NSG:

First, register the Azure AD Domain Services resource provider using the Register-AzResourceProvider cmdlet:

    Register-AzResourceProvider -ProviderNamespace Microsoft.AAD

Next, create a resource group using the New-AzResourceGroup cmdlet.

    $ResourceGroupName = "myResourceGroup"
    $AzureLocation = "westus"

    # Create the resource group.
    New-AzResourceGroup `
      -Name $ResourceGroupName `
      -Location $AzureLocation

Create the virtual network and subnets for Azure AD Domain Services.

    $VnetName = "myVnet"

    # Create the dedicated subnet for Azure AD Domain Services.
    $SubnetName = "DomainServices"
    $AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
      -Name $SubnetName `
      -AddressPrefix 10.0.0.0/24

    # Create an additional subnet for your own VM workloads
    $WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
      -Name Workloads `
      -AddressPrefix 10.0.1.0/24

    # Create the virtual network in which you will enable Azure AD Domain Services.
    $Vnet = New-AzVirtualNetwork `
      -ResourceGroupName $ResourceGroupName `
      -Location westus `
      -Name $VnetName `
      -AddressPrefix 10.0.0.0/16 `
      -Subnet $AaddsSubnet,$WorkloadSubnet

Create a network security group

The following PowerShell cmdlets use New-AzNetworkSecurityRuleConfig to create the rules, then New-AzNetworkSecurityGroup to create the network security group. The network security group and rules are then associated with the virtual network subnet using the Set-AzVirtualNetworkSubnetConfig cmdlet.

    $NSGName = "aaddsNSG"

    # Create a rule to allow inbound TCP port 3389 traffic from Microsoft secure access workstations for troubleshooting
    $nsg201 = New-AzNetworkSecurityRuleConfig -Name AllowRD `
        -Access Allow `
        -Protocol Tcp `
        -Direction Inbound `
        -Priority 201 `
        -SourceAddressPrefix CorpNetSaw `
        -SourcePortRange * `
        -DestinationAddressPrefix * `
        -DestinationPortRange 3389

    # Create a rule to allow TCP port 5986 traffic for PowerShell remote management
    $nsg301 = New-AzNetworkSecurityRuleConfig -Name AllowPSRemoting `
        -Access Allow `
        -Protocol Tcp `
        -Direction Inbound `
        -Priority 301 `
        -SourceAddressPrefix AzureActiveDirectoryDomainServices `
        -SourcePortRange * `
        -DestinationAddressPrefix * `
        -DestinationPortRange 5986

    # Create the network security group and rules
    $nsg = New-AzNetworkSecurityGroup -Name $NSGName `
        -ResourceGroupName $ResourceGroupName `
        -Location $AzureLocation `
        -SecurityRules $nsg201,$nsg301

    # Get the existing virtual network resource objects and information
    $vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
    $addressPrefix = $subnet.AddressPrefix

    # Associate the network security group with the virtual network subnet
    Set-AzVirtualNetworkSubnetConfig -Name $SubnetName `
        -VirtualNetwork $vnet `
        -AddressPrefix $addressPrefix `
        -NetworkSecurityGroup $nsg
    $vnet | Set-AzVirtualNetwork

Or, for example, you can use the following script to add a rule allowing RDP to an existing NSG (Reference):

    Get-AzNetworkSecurityGroup `
        -Name "nsg-name" `
        -ResourceGroupName "resource-group-name" `
    | Add-AzNetworkSecurityRuleConfig `
        -Name "new-rule-name" `
        -Access "Allow" `
        -Protocol "TCP" -Direction "Inbound" `
        -Priority "priority-number" `
        -SourceAddressPrefix "CorpNetSaw" `   # or $serviceTagName
        -SourcePortRange "*" `
        -DestinationPortRange "3389" `
        -DestinationAddressPrefix "*" `
    | Set-AzNetworkSecurityGroup

And then create a managed domain following the Reference > Enable Azure DS Domain Services using PowerShell | Microsoft Docs

Browse Azure AD -> Enterprise Applications ->All Applications -> Search for each of the following application IDs.

If any of the Enterprise Applications like AzureActiveDirectoryDomainControllerServices or DomainControllerServices weren't found under All applications under Enterprise applications, you will need to manually create them via the following PowerShell example (replace the appID variable with the appID that was missing in your repro tenant).

    Connect-AzureAD

    $appID = "d87dcbc6-a371-462e-88e3-28ad15ec4e64"
    $displayname = "Domain Controller Services"

    New-AzureADServicePrincipal -AccountEnabled $true -AppId $appID -AppRoleAssignmentRequired $false -DisplayName $displayname -ServicePrincipalType Application

Once the three service principals are created, add them to the group previously created (Domain controller services). You can add them via searching for their app ID in the Add Member dialog.

You can now enable AAD DS in the portal UI while logged into your repro tenant via your repro tenant's Global Admin account.

Provisioning can take some time. You may also get some errors while provisioning, but as long as the process continues, continue to watch the deployment, as the deployment may succeed after some time.

Also see Troubleshoot domain-join with Azure AD Domain Services | Microsoft Docs

And Tutorial - Create an Azure Active Directory Domain Services managed domain | Microsoft Docs

kavyaS

Got it working now.

The key was to set up NSG rules on the Azure Active Directory Domain Services subnet and have VNET peering enabled between the AADDS service and Gateway service.

Default NSG rules then allow traffic to flow between VNETs.

Key is in assigning security rules to allow traffic from service "AzureActiveDirectoryDomainServices".

Below is the Terraform code used to deploy the Gateway:


# ...

data "azurerm_client_config" "default" {}

# ...

# VNET
resource "azurerm_virtual_network" "external" {
  name                = "external-vnet"
  location            = azurerm_resource_group.external.location
  resource_group_name = azurerm_resource_group.external.name
  address_space       = ["10.2.0.0/16"]
  tags                = var.azure_tags
  dns_servers = [
    "10.0.0.4",
    "10.0.0.5",
  ]
}

# Subnet
resource "azurerm_subnet" "external" {
  name                 = "GatewaySubnet"
  resource_group_name  = azurerm_resource_group.external.name
  virtual_network_name = azurerm_virtual_network.external.name
  address_prefixes     = ["10.2.0.0/24"]
}

# Public Ip for Gateway
resource "azurerm_public_ip" "external" {
  name                = "external-vnet-gateway-public-ip"
  location            = azurerm_resource_group.external.location
  resource_group_name = azurerm_resource_group.external.name
  sku                 = "Standard"
  sku_tier            = "Regional"
  allocation_method   = "Static"
  tags                = var.azure_tags
}

# Virtual Network Gateway
resource "azurerm_virtual_network_gateway" "external" {
  name                = "external-vnet-gateway"
  location            = azurerm_resource_group.external.location
  resource_group_name = azurerm_resource_group.external.name
  tags                = var.azure_tags

  type                       = "Vpn"
  vpn_type                   = "RouteBased"
  active_active              = false
  private_ip_address_enabled = true
  enable_bgp                 = false
  sku                        = "VpnGw1AZ"

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.external.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.external.id
  }

  vpn_client_configuration {
    address_space = ["10.3.0.0/24"]

    # Azure AD Authentication Settings
    vpn_client_protocols = ["OpenVPN"]
    aad_tenant           = "https://login.microsoftonline.com/${data.azurerm_client_config.default.tenant_id}/"
    aad_audience         = "...<REDACTED_FOR_PRIVACY>..."
    aad_issuer           = "https://sts.windows.net/${data.azurerm_client_config.default.tenant_id}/"
  }
}

# ###########################################################
# This is important!
# enable global peering between the two virtual network
resource "azurerm_virtual_network_peering" "aadds_external" {
  name                         = "peering-${data.azurerm_virtual_network.aadds.name}-to-${azurerm_virtual_network.external.name}"
  resource_group_name          = data.azurerm_resource_group.aadds.name
  virtual_network_name         = data.azurerm_virtual_network.aadds.name
  remote_virtual_network_id    = azurerm_virtual_network.external.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  allow_gateway_transit        = false
  use_remote_gateways          = true
}

resource "azurerm_virtual_network_peering" "external_aadds" {
  name                         = "peering-${azurerm_virtual_network.external.name}-to-${data.azurerm_virtual_network.aadds.name}"
  resource_group_name          = azurerm_resource_group.external.name
  virtual_network_name         = azurerm_virtual_network.external.name
  remote_virtual_network_id    = data.azurerm_virtual_network.aadds.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  allow_gateway_transit        = true
  use_remote_gateways          = false
}

Rohit Mistry
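The two answers above agree on what must be in place: inbound Allow rules on the AADDS subnet's NSG for the AzureActiveDirectoryDomainServices (port 5986) and CorpNetSaw (port 3389) service tags, and a peering from the AADDS VNet that forwards traffic and uses the remote gateway. The following Az PowerShell script is an added verification example, not code from the question, either answer or Microsoft's documentation; it reads the live configuration and reports each of those conditions as a pass or fail so the troubleshooting the question asks for can start from facts. It assumes the Az.Network module is installed, that Connect-AzAccount has already been run, and that the resource group, VNet and subnet names (placeholders below) are replaced with your own.

```powershell
# Added verification script; not code from the question or either answer.
# Assumes Az.Accounts/Az.Network are installed and Connect-AzAccount has run
# against the subscription holding the AADDS VNet. The three names below are
# placeholders (assumptions, not values from the page); substitute your own.
param(
    [string]$AaddsResourceGroup = "<aadds-resource-group>",
    [string]$AaddsVnetName      = "<aadds-vnet>",
    [string]$AaddsSubnetName    = "DomainServices"
)

# Inbound Allow rules both answers rely on: the managed domain's own service tag
# on 5986 (remote management) and the Microsoft SAW tag on 3389 (support RDP).
$RequiredRules = @(
    [pscustomobject]@{ Source = "AzureActiveDirectoryDomainServices"; Port = "5986" },
    [pscustomobject]@{ Source = "CorpNetSaw";                         Port = "3389" }
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [bool]$Passed, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# --- 1. NSG attached to the AADDS subnet and its custom rules ------------------
$vnet   = Get-AzVirtualNetwork -Name $AaddsVnetName -ResourceGroupName $AaddsResourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $AaddsSubnetName

if (-not $subnet.NetworkSecurityGroup) {
    Add-Finding "NSG attached" $false "Subnet '$AaddsSubnetName' has no network security group"
} else {
    # The subnet object carries only the NSG resource id; resolve it to the full
    # object (resource group is segment 4 of the id, the name is the last segment).
    $idParts = $subnet.NetworkSecurityGroup.Id -split '/'
    $nsg     = Get-AzNetworkSecurityGroup -ResourceGroupName $idParts[4] -Name $idParts[-1]
    Add-Finding "NSG attached" $true "NSG '$($nsg.Name)' is associated with the subnet"

    foreach ($req in $RequiredRules) {
        # Az returns prefixes and port ranges as lists, so use -contains rather than -eq.
        $match = $nsg.SecurityRules | Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
            $_.SourceAddressPrefix -contains $req.Source -and
            ($_.DestinationPortRange -contains $req.Port -or $_.DestinationPortRange -contains '*')
        }
        $check = "Inbound $($req.Source) -> $($req.Port)"
        if ($match) { Add-Finding $check $true  ("Matched by rule(s): " + ($match.Name -join ', ')) }
        else        { Add-Finding $check $false "No inbound Allow rule with that service tag and port" }
    }

    # The second answer relies on the default AllowVnetInBound rule (priority 65000)
    # for traffic from the peered VNet; any custom inbound Deny covering the
    # VirtualNetwork tag or '*' takes precedence over it, so surface such rules.
    $vnetDeny = $nsg.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Deny' -and
        ($_.SourceAddressPrefix -contains 'VirtualNetwork' -or $_.SourceAddressPrefix -contains '*')
    }
    $detail = if ($vnetDeny) { "Review priority of: " + ($vnetDeny.Name -join ', ') } else { "None found" }
    Add-Finding "No custom inbound Deny on VirtualNetwork/*" (-not $vnetDeny) $detail
}

# --- 2. Peering from the AADDS VNet toward the gateway VNet --------------------
$peerings = Get-AzVirtualNetworkPeering -ResourceGroupName $AaddsResourceGroup -VirtualNetworkName $AaddsVnetName
if (-not $peerings) { Add-Finding "VNet peering" $false "No peerings defined on '$AaddsVnetName'" }
foreach ($p in $peerings) {
    $remote = ($p.RemoteVirtualNetwork.Id -split '/')[-1]
    Add-Finding "Peering to $remote is Connected"        ($p.PeeringState -eq 'Connected') "PeeringState: $($p.PeeringState)"
    Add-Finding "Peering to $remote forwards traffic"    $p.AllowForwardedTraffic          "AllowForwardedTraffic: $($p.AllowForwardedTraffic)"
    Add-Finding "Peering to $remote uses remote gateway" $p.UseRemoteGateways              "UseRemoteGateways: $($p.UseRemoteGateways)"
}

$findings | Format-Table -AutoSize
# Non-zero exit lets the script run as a gate in a pipeline.
if ($findings | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it as `.\Test-AaddsConnectivityConfig.ps1 -AaddsResourceGroup <rg> -AaddsVnetName <vnet>` (file name is the example's own). A peering that shows UseRemoteGateways as False on the AADDS side, or Connected only on one side, is the condition the accepted fix corrected with `use_remote_gateways = true` and `allow_gateway_transit = true` on the opposite peering; the port checks only confirm the service-tag rules the answers describe and do not inspect rule priority, so a Deny flagged in the last NSG finding still needs a manual look at ordering.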