For some time it has been possible to join devices to Azure AD. Personally I know this was working for Windows 10, but what about Windows Server 2019? In this blog post I'll share some ideas and thoughts. It would be nice if native Azure MFA would work for logon. Also, for some options your Azure AD needs to be at least P1.
Organizations can now use Azure Active Directory (AD) authentication for their Azure virtual machines (VMs) running Windows Server 2019 Datacenter edition or Windows 10 1809 and later. Using Azure AD to authenticate to VMs gives you a way to centrally control and enforce policies. Tools like Azure Role-Based Access Control (RBAC) and Azure AD Conditional Access allow you to control who can access a VM. This blog post shows you how to create and configure a Windows Server 2019 VM to use Azure AD authentication, and how to remove the Azure AD join and switch back to an Active Directory domain join.
The following Windows distributions are currently supported during the preview of this feature:
- Windows Server 2019 Datacenter
- Windows 10 1809 and later
So the machine below is in a workgroup but Azure AD joined. On a server it is not visible in the UI that the machine is Azure AD joined.
In the configuration properties of an Azure VM we can set the following property: Login with AAD credentials. This is set during creation of the new VM, so that the VM is Azure AD joined right away.
Just deployed a new VM, and this VM is Azure AD joined. But what if you want to domain join this machine; can we do a hybrid domain join? In short: no.
Remember that some options only work if you have a P1 or P2 Azure AD license; here you can find the differences: https://azure.microsoft.com/en-us/pricing/details/active-directory/
Looking at the devices in the Azure AD devices blade, we can see the server is Azure AD joined.
Access to the VM is granted with RBAC.
Two RBAC roles are used to authorize VM login:
- Virtual Machine Administrator Login: Users with this role assigned can log in to an Azure virtual machine with administrator privileges.
- Virtual Machine User Login: Users with this role assigned can log in to an Azure virtual machine with regular user privileges.
To allow a user to log in to the VM over RDP, you must assign either the Virtual Machine Administrator Login or the Virtual Machine User Login role. An Azure user with the Owner or Contributor role assigned for a VM does not automatically have privileges to log in to the VM over RDP. This provides an audited separation between the set of people who control virtual machines and the set of people who can access virtual machines.
Select the VM, choose Access control (IAM), press Add and add a role assignment, just as you do with other workloads.
Or use the Azure CLI (from PowerShell; the `--` long-option prefix is required, the dashes were mangled by the blog editor):

```powershell
$username=(az account show --query user.name --output tsv)
$vm=(az vm show --resource-group rsg-adjoin001 --name 2019vmadjoin --query id -o tsv)
az role assignment create --role "Virtual Machine Administrator Login" --assignee $username --scope $vm
```
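The following added example (my own, not code from the original post) extends the CLI snippet above: it assigns both login roles at VM scope and then audits which principals can actually log on, including assignments inherited from the resource group or subscription, and which Owner/Contributor holders are present so the separation the text describes can be verified. The resource group and VM name are the ones used in this post; the two user principal names are assumptions.

```powershell
# Added example, not from the original post. Assign the two VM login roles at
# VM scope and audit the result with the Azure CLI from PowerShell.
$rg     = 'rsg-adjoin001'   # resource group from the post
$vmName = '2019vmadjoin'    # VM name from the post

# The VM resource ID is the narrowest scope the role can be assigned at.
$vmId = az vm show --resource-group $rg --name $vmName --query id --output tsv

# Assumed principals: an operator gets admin logon, a helpdesk account user logon.
az role assignment create --role 'Virtual Machine Administrator Login' `
    --assignee 'admin.user@contoso.example' --scope $vmId
az role assignment create --role 'Virtual Machine User Login' `
    --assignee 'helpdesk.user@contoso.example' --scope $vmId

# Audit: every principal that can log on to this VM through either role,
# including assignments inherited from higher scopes.
foreach ($role in 'Virtual Machine Administrator Login', 'Virtual Machine User Login') {
    $principals = az role assignment list --scope $vmId --role $role --include-inherited `
        --query '[].{who:principalName, scope:scope}' --output json | ConvertFrom-Json
    Write-Host "$role :"
    $principals | ForEach-Object { Write-Host "  $($_.who)  (scope: $($_.scope))" }
}

# Owner/Contributor do not imply logon rights; list them so you can confirm
# the control-plane and logon populations are the ones you intend.
Write-Host 'Owner/Contributor at or above this VM:'
az role assignment list --scope $vmId --include-inherited `
    --query "[?roleDefinitionName=='Owner' || roleDefinitionName=='Contributor'].principalName" `
    --output tsv
```

Run this from a workstation that is logged in with `az login` and holds a role that can create role assignments (User Access Administrator or Owner) on the VM's resource group.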
But what if we want to do a domain join?
There is no hybrid domain join and no console unjoin. Redeploying would not be the best option, right?
With `dsregcmd /leave` we can unregister the VM from Azure AD.
Now back to the domain join: no reboot is needed after leaving, so we can join the VM directly to classic Active Directory.
Remember that the domain join itself does need a reboot.
Now the VM is a normal AD-joined machine.
This option is still in preview, and after removing the Azure AD join the portal still shows that the VM is Azure AD joined; it seems there is no trigger to remove the AADLoginForWindows extension from the VM.
A hybrid join would be a great addition to make VMs connectable with Azure MFA. But for now we can assign policies and rules.
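The leave-and-rejoin procedure above, written out as an added example (mine, not the post's own script). Part 1 runs on the VM in an elevated Windows PowerShell 5.1 session (`Add-Computer` is not available in PowerShell 7): it checks the current join state with `dsregcmd /status`, leaves Azure AD only if the machine is actually joined, verifies the leave took effect, and then performs the classic domain join with the reboot the join requires. Part 2 runs afterwards from the management workstation and removes the AADLoginForWindows extension explicitly, since the post notes nothing removes it for you. The domain name and OU path are assumptions; the resource group and VM name are the ones used in this post.

```powershell
# Added example, not from the original post.
# ---- Part 1: run on the VM, elevated, Windows PowerShell 5.1 ----
$domain = 'corp.contoso.example'                       # assumption
$ou     = 'OU=Servers,DC=corp,DC=contoso,DC=example'   # assumption

# Inspect the join state before touching anything.
$status = dsregcmd /status
if ($status -match 'AzureAdJoined\s*:\s*YES') {
    Write-Host 'VM is Azure AD joined; leaving.'
    dsregcmd /leave
    # Leaving does not need a reboot; confirm the state actually changed.
    if ((dsregcmd /status) -match 'AzureAdJoined\s*:\s*NO') {
        Write-Host 'Left Azure AD.'
    } else {
        throw 'dsregcmd /leave did not clear the Azure AD join state.'
    }
} else {
    Write-Host 'VM is not Azure AD joined; skipping leave.'
}

# Join classic Active Directory. The join itself requires a reboot, so
# -Restart ends this part of the script.
$cred = Get-Credential -Message "Account permitted to join $domain"
Add-Computer -DomainName $domain -OUPath $ou -Credential $cred -Restart -Force

# ---- Part 2: run from the management workstation after the VM is back ----
# The leave does not remove the AADLoginForWindows extension; remove it so the
# VM no longer carries the Azure AD logon components, then list what remains.
$rg = 'rsg-adjoin001'; $vmName = '2019vmadjoin'
az vm extension delete --resource-group $rg --vm-name $vmName --name AADLoginForWindows
az vm extension list   --resource-group $rg --vm-name $vmName --query '[].name' --output tsv
```

After Part 2, `dsregcmd /status` on the VM should report `DomainJoined : YES` and `AzureAdJoined : NO`, and the extension list should no longer contain AADLoginForWindows; the stale RBAC login assignments from the earlier section are still worth removing, as they no longer grant anything useful on a domain-joined machine.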
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com