The intent of this tutorial is to demonstrate how to configure Azure Active Directory to allow domain joins for Azure VMs and to demonstrate the process of joining an Azure VM to Azure AD. I also intend to explain how to synchronize on-prem AD to Azure Active Directory, which will allow on-prem users to access the Azure AD-joined VM by using their existing credentials - without the need for a VPN connection.
To demonstrate this functionality, I am going to add a custom domain to Azure Active Directory. I will then deploy and configure Azure AD Connect so I can synchronize on-prem AD users to Azure Active Directory. After I’ve gotten synchronization setup, I will activate Azure AD Domain Services in Azure Active Directory so it will allow domain joins from Azure virtual machines.
Once I have my Azure Active Directory prepared and configured to accept domain joins, I will deploy a virtual network in Azure to house virtual machine. I will deploy a network Security group and a couple Network Security Rules to lock down access to cloud environment to just my local network. With the virtual network deployed, configured, and secured, I will deploy a virtual machine in Azure, join it to the Azure Active Directory domain, and provide access to users who have been synced from the on-prem Active Directory.
Lastly, I will test access.
This tutorial assumes the reader has a basic familiarity with Azure navigation and has also already provisioned an Azure subscription with a default directory. It also assumes familiarity with provisioning an on-prem Active Directory forest. Rather than be a “step-by-step” tutorial, this is meant to be more of a “guided tour”.
Since this tutorial is going to, in part, explain how to sync an on-prem AD to Azure AD, it’s best if you have an on-prem Active Directory to work with (lab preferably). If you want to follow along but do not have a lab environment at your disposal, login to your Azure Resource Manager portal and deploy a virtual network called OnPrem in Azure with an address space of 184.108.40.206/16 and a default subnet called On-Prem-Default. Assign an address range of 220.127.116.11/24 to the subnet.