How to Provide Access to Azure Resources with Azure AD

When prompted for an Azure AD admin account, use the BWCAdmin@bluewidgetco.com global administrator account that you provisioned.  When adding your on-prem forest, provide a domain admin account for your on-prem AD forest.  Neither credential is kept by Azure AD Connect: the installer uses them once to create the dedicated synchronization service accounts in Azure AD and in your on-prem forest, so use a separate admin account for this step rather than your everyday one.

Let Azure manage your source anchor.  This lets Azure AD Connect choose the attribute (ms-DS-ConsistencyGuid, falling back to objectGUID) that becomes each user's ImmutableId in Azure AD.  Get this right the first time: the source anchor cannot be changed after an object has been created in Azure AD without deleting and re-creating the object.

While configuring the synchronization options, select OU filtering and synchronize only the users in the SyncedUsers OU.  Filtering by OU keeps privileged and service accounts that have no business in the cloud out of Azure AD.  Check the box to start a sync when the installation completes.

If you have configured Azure AD Connect properly, your on-prem test user (User01) will show up in Azure AD within a few minutes.  Refresh the Azure Active Directory portal and click Users & Groups to confirm that the account synced.
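If you would rather verify the sync from the Azure AD Connect server than wait on the portal, the following PowerShell does the same check and additionally confirms that the user's ImmutableId in Azure AD matches the source anchor on the on-prem object, which is what ties the two accounts together.  This is an added example, not code from the original post.  It assumes the ADSync, ActiveDirectory and MSOnline modules are present on the server, that User01 is the sAMAccountName of the test account, and that its UPN suffix is bluewidgetco.com.

```powershell
# Added example (not part of the original post).
# Assumes: ADSync, ActiveDirectory and MSOnline modules installed on the
# Azure AD Connect server; test user User01 with UPN User01@bluewidgetco.com.
$OnPremUser = 'User01'
$Upn        = 'User01@bluewidgetco.com'   # assumed UPN suffix, adjust to yours

Import-Module ADSync
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService   # sign in as BWCAdmin@bluewidgetco.com when prompted

# Run a delta sync now instead of waiting for the scheduler, then wait for it to finish.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do {
    Start-Sleep -Seconds 10
} while (Get-ADSyncConnectorRunStatus)

# Read the on-prem object. "Let Azure manage the source anchor" uses
# ms-DS-ConsistencyGuid when it is populated and objectGUID otherwise.
$ad = Get-ADUser -Identity $OnPremUser -Properties objectGUID, 'mS-DS-ConsistencyGuid', DistinguishedName
$anchorBytes = if ($ad.'mS-DS-ConsistencyGuid') { $ad.'mS-DS-ConsistencyGuid' } else { $ad.ObjectGUID.ToByteArray() }
$expectedImmutableId = [Convert]::ToBase64String($anchorBytes)

# The OU filter should have been applied: the user must live under SyncedUsers.
if ($ad.DistinguishedName -notlike '*,OU=SyncedUsers,*') {
    Write-Warning "$OnPremUser is not in the SyncedUsers OU; it will not be synchronized."
}

# Look the user up in Azure AD and compare the anchor.
$cloud = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
if ($cloud.ImmutableId -eq $expectedImmutableId) {
    Write-Host "OK: $Upn synced. ImmutableId matches on-prem source anchor ($expectedImmutableId)."
    Write-Host "Last directory sync for this object: $($cloud.LastDirSyncTime)"
} else {
    Write-Warning "ImmutableId mismatch for $Upn. Azure AD: $($cloud.ImmutableId)  On-prem: $expectedImmutableId"
}
```

If Get-MsolUser reports that the user does not exist, check the OU filter first; if it exists but the anchors differ, the cloud object was created by something other than this Azure AD Connect installation and will need to be matched or removed before it will sync cleanly.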

Deploy and Configure Azure AD Domain Services

Now that the on-prem AD is synchronizing to Azure AD, it's time to activate Domain Services in Azure AD.  Domain Services provides a Microsoft-managed domain (domain join, Kerberos/NTLM authentication, LDAP and group policy) that is populated one way from your Azure AD tenant; this is what lets you join your Azure VMs to a domain backed by your Azure Active Directory users.  Note that users synced from on-prem can only authenticate to the managed domain once their NTLM and Kerberos password hashes have been synchronized via password hash synchronization.

Before activating Domain Services, you need to deploy a virtual network in the Classic Portal to activate Domain Services on.  To deploy a Domain Services network, click "Networks" in the Classic Portal and then click "Create a Virtual Network."

Provision a virtual network with a 192.168.0.0/16 address space and call it DomainServices.  Deploy it in the same Location that you plan to deploy your VM to (for simplicity, I use East US for everything).  Leave the DNS Server field blank for now; once Domain Services is enabled you will come back and point the network's DNS at the IP addresses the managed domain gives you.  Provision a subnet with an address range of 192.168.1.0/24.  If you ever plan to connect this network to your on-prem environment, pick an address space that does not overlap your on-prem ranges.

Activate Azure AD Domain Services

Switch over to Active Directory in the Azure Classic Portal, click on your default directory, and then click Configure.  Under the Domain Services section, click "YES" next to "Enable domain services for this directory".  Make sure your BlueWidgetCoXXXX.com domain and the DomainServices network are selected and click Save.  Provisioning the managed domain takes a while; when it completes, the portal displays the IP addresses of the managed domain controllers, which you then set as the DNS servers on the DomainServices network.


Thomas Mitchell

Tom is a 20+ year veteran of the IT industry and carries numerous Microsoft certifications, including the MCSE: Cloud Platform and Infrastructure certification. A Subject Matter Expert in Active Directory and Microsoft Exchange, Tom also possesses expert-level knowledge in several other IT disciplines, including Azure, Storage, and O365/Exchange Online. You can find Tom at his website, on LinkedIn, or on Facebook. Need to reach him by phone? Call 484-334-2790.