Microsoft Azure Virtual Desktop is a cloud-based desktop and application virtualization service that runs on the Azure platform. It offers the ability to deliver a modern and interactive user experience with remote access to organizational applications and data on Azure.

When preparing for the AZ-140 Configuring and Operating Microsoft Azure Virtual Desktop exam, a critical area of understanding is the Azure Virtual Desktop requirements for various Active Directory Services, such as Active Directory Domain Services (AD DS), Azure Active Directory Domain Services (Azure AD DS), and Microsoft Azure Active Directory (Azure AD).

1. Active Directory Domain Services (AD DS)

Active Directory Domain Services is a Microsoft technology that provides a variety of network services, including Lightweight Directory Access Protocol (LDAP), Kerberos-based authentication, DNS-based naming, and other network protocols.

Azure Virtual Desktop requires a domain controller running AD DS, which can be in Azure, on-premises, or both (hybrid). It serves as the secure store of all user accounts, computer accounts, and other control information.

Key points:

  • To configure Azure Virtual Desktop to use AD DS, the virtual machines (VMs) must be joined to the domain. The VMs must also be able to reach the domain controller using the necessary networking configurations.
  • Also, the deployment of Azure Virtual Desktop should be planned in the same Active Directory forest as the user accounts.
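The two key points above come down to one practical check: before a session host VM is joined, it must be able to locate and reach a domain controller over the ports a domain join uses. The following PowerShell script is an added example, not part of the original article, that runs this pre-flight check from a VM in the Azure Virtual Desktop virtual network; the domain name is a placeholder.

```powershell
# Added example (not from the original article): pre-flight check that a
# prospective Azure Virtual Desktop session host can reach an AD DS domain
# controller before it is domain-joined. Assumes Windows PowerShell 5.1+ on a
# VM in the AVD virtual network. The domain name below is a placeholder.
param(
    [string]$Domain = 'corp.example.com'   # placeholder: replace with your AD DS FQDN
)

# Ports a domain join and the subsequent Kerberos/LDAP/SMB traffic depend on.
$RequiredPorts = @{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'SMB'
    464 = 'Kerberos password change'
    636 = 'LDAPS'
}

# Domain controllers advertise themselves through SRV records. If the VM's DNS
# is not pointed at the AD DS DNS servers, this lookup fails and so will the join.
try {
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique
} catch {
    Write-Error "No domain controller SRV records found for $Domain. Check the VNet DNS settings."
    return
}

# Test each required TCP port against every domain controller that was advertised.
$results = foreach ($dc in $dcs) {
    foreach ($port in ($RequiredPorts.Keys | Sort-Object)) {
        $test = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $port
            Service          = $RequiredPorts[$port]
            Reachable        = $test.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning "Domain join is likely to fail: $($blocked.Count) port check(s) failed. Review NSG rules and routing to the domain controller subnet."
} else {
    Write-Host "All domain controller ports are reachable; the VM can be joined to $Domain."
}
```

Test-NetConnection only probes TCP, so UDP paths that DNS and Kerberos also use are not covered by this check.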

2. Azure Active Directory Domain Services (Azure AD DS)

Azure AD DS provides managed domain services similar to AD DS, covering a wide range of domain features with less operational maintenance.

Azure Virtual Desktop uses Azure AD DS for domain join without a line of sight to a domain controller, and it enables users to log in using their corporate credentials without the need for a VPN.

Key points:

  • Azure Virtual Desktop supports Azure AD DS for VM domain join, but other services such as FSLogix require traditional Active Directory over LDAP, which is not supported by Azure AD DS.
  • Currently, Azure AD DS does not support the use of security groups for assignments. Workspaces, host pools, and app groups must be assigned directly to users.

3. Microsoft Azure Active Directory (Azure AD)

Azure AD is Microsoft’s cloud-based identity and access management service, which helps your employees sign in to and access external resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.

Azure Virtual Desktop can use Azure AD for multifactor authentication and conditional access policies, and it integrates with Microsoft Endpoint Manager for VM management at scale.

Key points:

  • Azure Virtual Desktop needs both traditional AD DS and Azure AD. A user signs in to Azure AD, and Azure Virtual Desktop uses that token to look up the user in the traditional AD DS.
  • Azure AD needs to sync with traditional AD DS either using Azure AD Connect or Azure AD Domain Services.
  • From 2022 onwards, Microsoft Azure Virtual Desktop will start supporting Azure AD as a standalone identity provider, which will reduce the complexity of deployments.

Given Microsoft’s continuous innovation and iteration on its services, the features and capabilities mentioned here may change or expand over time. Therefore, candidates preparing for the AZ-140 exam should regularly check for updates in Azure Virtual Desktop’s requirements for AD DS, Azure AD DS, and Azure AD in Microsoft’s official documentation.

Practice Test

True or False: If you are using Azure Active Directory (Azure AD), you do not need Active Directory Domain Services (AD DS) for Azure Virtual Desktop.

• True

• False

Answer: False

Explanation: Both Azure AD and AD DS are required for Azure Virtual Desktop. While Azure AD provides identity management, AD DS ensures that you can maintain domain-joined devices for virtual desktops.

What is the purpose of Azure Active Directory Domain Services (Azure AD DS)?

• A. Provides cloud-based domain services

• B. Provides on-premises directory services

• C. Replaces the need for on-premises domain controllers

• D. All of the above

Answer: A. Provides cloud-based domain services

Explanation: Azure AD DS provides scalable, high-availability domain services without the need to deploy, manage, and patch domain controllers in the cloud. It does not replace the need for on-premises domain controllers.

True or False: Azure Active Directory Domain Services can integrate with Azure AD.

• True

• False

Answer: True

Explanation: Azure Active Directory Domain Services provides a simple way to give cloud workloads and services an easy-to-manage, lightweight identity management solution that supports directory synchronization with Azure AD.

If you are using an on-premises Active Directory (AD), can you connect to Azure AD without using Azure AD Connect?

• A. Yes

• B. No

Answer: B. No

Explanation: To sync your on-premises AD with Azure AD, you must use Azure AD Connect. This tool synchronizes your on-premises AD with Azure AD and helps manage identities across systems.

What is the purpose of Active Directory Domain Services in Azure Virtual Desktop?

• A. Identity Management

• B. Domain-Joined Devices

• C. Encryption of Data

• D. Data Backup

Answer: B. Domain-Joined Devices

Explanation: While Azure AD helps with identity management, AD DS ensures that Azure Virtual Desktop can maintain domain-joined devices.

True or False: Microsoft Azure AD can be used as an alternative to Azure AD DS.

• True

• False

Answer: False

Explanation: Azure AD is for identity management while Azure AD DS provides domain services similar to on-premises AD DS but without the need for local infrastructure.

Which component of Microsoft Azure is responsible for identity management?

• A. Azure AD DS

• B. Azure AD

• C. AD DS

• D. None of the above

Answer: B. Azure AD

Explanation: Azure AD is the component of Microsoft Azure responsible for identity management. It controls access and permissions for users and groups.

True or False: Azure Active Directory Domain Services support Group Policy.

• True

• False

Answer: True

Explanation: Azure Active Directory Domain Services (Azure AD DS) provides Group Policy, a feature that simplifies management and decreases the security risks for systems within an Active Directory environment.

Which of the following is not a feature of Azure Active Directory (Azure AD)?

• A. Application Management

• B. Multi-Factor Authentication

• C. Self-Service Password Reset

• D. On-premises Domain Services

Answer: D. On-premises Domain Services

Explanation: While Azure AD provides application management, multi-factor authentication, and self-service password reset, it does not provide on-premises domain services.

True or False: Azure Virtual Desktop requires Azure Active Directory Domain Services (Azure AD DS) for domain-joined devices.

• True

• False

Answer: True

Explanation: Azure Virtual Desktop uses Azure AD DS to maintain domain-joined devices in the Azure environment.

Interview Questions

What is the requirement for Azure Virtual Desktop (AVD) in terms of Active Directory Domain Services (AD DS)?

Azure Virtual Desktop requires an AD DS domain controller that is reachable from your Azure virtual network. This domain controller can be in Azure or on-premises.

How does Azure Active Directory Domain Services (Azure AD DS) interact with Azure Virtual Desktop?

Azure AD DS can be used to simplify domain management for virtual desktops. It provides managed domain services like domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Azure Virtual Desktop.

Can I use Microsoft Azure Active Directory (Azure AD) alone to manage Azure Virtual Desktop?

No, you cannot use just Azure AD. Azure AD needs to be integrated with AD DS or Azure AD DS to provide complete functionality for Azure Virtual Desktop.

What kind of network connectivity is required for Azure Virtual Desktop?

Azure Virtual Desktop requires either ExpressRoute or VPN to connect on-premises AD DS to Azure.

What are the responsibilities of Azure AD in connection with Azure Virtual Desktop?

Azure AD handles identity management for Azure Virtual Desktop. It provides Single Sign-On (SSO), Multi-Factor Authentication (MFA), and helps with securing applications and data.

What are the requirements when synchronizing Azure AD with on-premises Active Directory for configuring Azure Virtual Desktop?

The synchronization should be done using Azure AD Connect, and it should use either Password Hash Synchronization or Pass-through Authentication as the sign-in method.

Why is it essential to synchronize the credentials of users between Azure AD and on-premises AD?

This synchronization is necessary to enable Single Sign-On (SSO) capabilities that enable users to log in with the same credentials on-premises and in Azure.

How do you join Azure Virtual Desktop to an Active Directory domain?

During Azure Virtual Desktop setup, you can specify the fully qualified domain name (FQDN) of your AD DS, along with a domain-join account (username and password).

Can Azure AD DS be used as a standalone service for managing Azure Virtual Desktops?

No, Azure AD DS should be used in conjunction with Azure AD. While Azure AD DS offers domain services, Azure AD handles identity services.

Where should the Azure Virtual Desktop be located in relation to the domain controller in AD DS or Azure AD DS?

Microsoft recommends that the Azure Virtual Desktop VMs and the domain controller be co-located in the same Azure virtual network (VNet) for best performance.

How does Azure AD affect the security of Azure Virtual Desktop?

Azure AD enhances the security of Azure Virtual Desktop by providing features such as conditional access policies, identity protection, and multi-factor authentication.

Does Azure AD provide group policies for Azure Virtual Desktops?

No, Azure AD does not provide group policies. Group policies are provided by AD DS or Azure AD DS.

What are the benefits of using Azure AD DS for Azure Virtual Desktop?

Azure AD DS manages domain services like domain join, group policy, and authentication methods. It simplifies management and maintenance tasks but still provides these necessary services for Azure Virtual Desktop.

How do end-users authenticate while using Azure Virtual Desktop?

End users authenticate via Azure AD initially. After authentication, they connect to the Azure Virtual Desktop using Remote Desktop Protocol (RDP) and authenticate again against AD DS or Azure AD DS.

Can you use cloud-only identities with Azure Virtual Desktop?

Azure Virtual Desktop supports both cloud-only identities (Azure AD) and hybrid identities (where user identities are synchronized between Azure AD and on-premises AD).
