How to Create and Configure an Azure AD DS managed domain

Modified on Fri, 23 Jun 2023 at 10:10 AM

DescriptionHere is a brief guide on creating and configuring a Microsoft Azure Active Directory Domain Services managed domain.


Before beginning, this user guide outlines a set of prerequisites that need to be met:

  • An active Azure subscription.
  • If you don't have an Azure subscription, create an account. Here is our user guide detailing the registration process within the system.
  • An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
  • You need Application Administrator and Groups Administrator Azure AD roles in your tenant to enable Azure AD DS.
  • You need Domain Services Contributor Azure role to create the required Azure AD DS resources.
  • A virtual network with DNS servers that can query necessary infrastructure such as storage. DNS servers that can't perform general internet queries might block the ability to create a managed domain.


Sign in to the Azure portal

To get started, the first step is to sign in to the system. To do this, click on this link, then click the "Sign in" button, and enter your login credentials when prompted.


Create a managed domain

Navigate to the Home page on the Azure portal and choose the "Create a resource" option.

Use the Search Bar present on this page to locate the Azure AD Domain Services.


After performing the previous step, a Microsoft Azure Marketplace page will open. On this page, you need to click the "Create" button within the Azure AD Service block.


Upon clicking this button, a drop-down menu will be displayed, and you should choose the sole available option from the list.

Next, the Create Azure AD Domain Services wizard will be launched. 


In this wizard, you will come across seven tabs containing parameters. However, only the parameters within the first tab (Basics) need to be configured. The remaining tabs will be automatically filled out with the system-generated parameters.

  • Basics Tab: here you can set some project details.

  • Subscription: choose the Azure Subscription where you intend to create the managed domain.
Please note that a free Microsoft Azure AD subscription does not support the functionality of SSO access. If you wish to configure Microsoft Azure as an IdP to enable SSO access, you will need to upgrade your subscription. Instructions on how to perform the upgrade can be found in this article.
  • Resource Group: choose the Resource group to which the managed domain should be assigned. You have the option to either create a new resource group or select an existing one.
  • DNS domain name: enter a DNS domain name of your choice.

The following DNS name restrictions also apply:

- Domain prefix restrictions: the prefix of your specified domain name must contain 15 or fewer characters.

- Network name conflicts: the DNS domain name for your managed domain shouldn't already exist in the virtual network.

  • Region: select the Azure Location where you wish to create the managed domain. If you choose a region that supports Azure Availability Zones, the Azure AD DS resources will be distributed across zones to enhance redundancy.
  • SKU: this parameter determines the performance and backup frequency of the managed domain. You can modify the SKU of the managed domain after its creation.


To quickly create a managed domain, you can select Review + create to accept additional default configuration options. 


The following defaults are configured when you choose this create option:

  • Creates a virtual network named aadds-vnet that uses the IP address range of 10.0.2.0/24.
  • Creates a subnet named aadds-subnet using the IP address range of 10.0.2.0/24.
  • Synchronizes All users from Azure AD into the managed domain.


Select Review + create to accept these default configuration options.


On the Summary page of the wizard, carefully review the configuration settings for your managed domain. If needed, you can navigate back to any step of the wizard to make necessary changes. You can also Download a template for automation.


To initiate the creation of the managed domain, click on the "Create" button. 


Please note that certain configuration options, such as DNS name or virtual network, cannot be modified once the Azure AD DS managed domain has been created. 

To proceed, press the "OK" button. The deployment process for your managed domain may take up to one hour. During this time, the page will continuously update with progress on the deployment, including the creation of new resources in your directory.


After a certain period of time, you will be able to locate the newly created domain in the Recent section on the Home page of the Azure portal.


When you click on the name of the newly created domain, its dedicated page will be opened. On this page, you will observe an indication confirming that the domain is currently operational and running.


Update DNS Server Settings

The next required step is to update the DNS server setting for your virtual network. You can do it automatically by pressing the "Configure" button located on the Required Configuration Steps card you can find on this page. 

Or you can do it manually. To do so, firstly, you should find the IP addresses of this domain in the Properties tab and copy them to the clipboard. 

Next, navigate to the Resource Group section of the Azure Portal. You can find it on the Home page.

Select the Resource group to which your domain belongs.


Then, locate and open the Virtual Network file associated with your domain.


When you click on the name of this file, a new window will open, displaying all the parameters of the Virtual Network. In this window, navigate to the DNS servers section and choose the Custom option by selecting the corresponding radio button.


Paste the previously copied IP addresses into the designated fields that have appeared. 


Then, click the "Save" button to save the changes.



Azure AD DS password hash synchronization

The next required step is to enable Azure AD Domain Services password hash synchronization. 

For Azure AD DS to authenticate users on the managed domain, it requires password hashes in a format compatible with NT LAN Manager (NTLM) and Kerberos authentication. However, Azure AD does not generate or store password hashes in the required format for NTLM or Kerberos authentication by default. This means that until you enable Azure AD DS for your tenant, Azure AD does not automatically generate these NTLM or Kerberos password hashes based on users' existing credentials. It's important to note that Azure AD also does not store any password credentials in clear-text form for security reasons.

Once appropriately configured, the usable password hashes are stored in the managed domain.


Please note that a free Microsoft Azure AD subscription does not support the functionality. If you wish to process this instruction further, you will need to upgrade your subscription. 


In order for a user to reset their password, it is necessary to configure the Azure AD tenant for a Self-Service Password Reset (SSPR). 

This user guide does not include instructions on how to configure the SSPR. However, you can find links to an article and an official video tutorial that provide detailed instructions on how to set it up.


To change the password, you need to begin by opening the Azure AD Access Panel page

The process of generating and storing password hashes differs for cloud-only user accounts created in Azure AD compared to user accounts synchronized from your on-premises directory using Azure AD Connect. In this tutorial, we will focus on working with a basic cloud-only user account. If you require information on how to enable password synchronization in Azure AD DS for hybrid environments, please refer to this link for more details.


From there, click on your profile picture and access the View Account section.


Once you have completed the previous step, a new window will open. In this window, navigate to the left-hand menu and select the "Password" option. 


Next, a new window will appear, presenting a form that allows you to change your current password.


Once appropriately configured, the usable password hashes are stored in the managed domain.


Once you have completed this process, your Azure AD DS domain is ready to be configured as an IdP. For more information on this topic, please refer to the following articles.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article