Azure Active Directory Domain Services Limitations

published:
I work with Azure Active Directory (AAD) and enabled the Domain Services (AAD DS) feature to manage all my virtual machines and user-accounts. Domain Services is basically a Windows Domain Controller (in fact there are two of them), which provides Domain Join, LDAP and Authentication for your cloud hosted network and machines.

As a result, all users in the AAD can login to the Windows machines by using their AAD-Account.

From the documentation (https://azure.microsoft.com/en-us/services/active-directory-ds/). Your domain controller as a service
  • “Lift-and-shift” apps to Azure more easily than ever
  • Use LDAP, Active Directory domain join, NTLM, and Kerberos authentication
  • Rely on a managed, highly-available service
  • Get started in minutes, pay as you go
  • Develop and test with no identity worries
  • Manage Azure virtual machines effectively using Group Policy
I use the following setup, often referred as "cloud-only organizations"


Known Limitations

While still in the preview phase, I would like to point out some specific issues that I think should be known before using Azure Active Directory Domain Services. Some of them are by design, others are hopefully subject to change.

Mixed Up Accounts

https://social.msdn.microsoft.com/Forums/azure/en-US/fc2ef4b7-3c7a-4b18-ad6d-109567a00e02/selfsourced-and-microsoftsourced-accounts-are-mixed-up-domain-services?forum=WindowsAzureAD#fc2ef4b7-3c7a-4b18-ad6d-109567a00e02

Missing Mapping Information

https://social.msdn.microsoft.com/Forums/azure/en-US/c5f1d5ab-7b8a-478c-8524-6504c058edb1/azure-active-directory-domain-services-portal-created-accounts-sync-different-than-graphapi-created?forum=WindowsAzureAD#3f819ea0-5425-47f1-ab54-1518b58076f5

Deleted Accounts Issue

As long as there is a account with the same UserPrincipalName in the Tenant, the newer accounts doesn't get synced correctly. The deleted accounts needs to be deleted completely from the AAD. --> WIKI LINK

User Name Length

https://social.msdn.microsoft.com/Forums/azure/en-US/f69e8452-d635-4f29-a62a-4b8184c35256/azure-active-directory-domain-services-username-limitations?forum=WindowsAzureAD#f69e8452-d635-4f29-a62a-4b8184c35256

Account Expiration

https://social.msdn.microsoft.com/Forums/azure/en-US/d4a0bc7d-f450-4a0c-8c62-c3ec9715733d/accounts-are-expired-in-azure-active-directory-domain-services-aad-ds-even-if-the?forum=WindowsAzureAD

Comments

Post a Comment

Popular posts from this blog

Home Assistant in Docker with Nginx and Let's Encrypt on Raspberry Pi

published:
Image
This guide will help to you to setup home assistant as a docker container and make it publicly available behind a ngix proxy, all running in containers. Additionally, we'll use certbot to keep your ssl certificates in sync and Duck DNS so that you access it even with a dynamic ip address. There we go... Dockerized Home Assistant behind Nginx with Let's Encrypt and DuckDNS :) This guide is partially based on the generic guide on how to install Ngix and Let's Encrypt by Philipp ( Nginx and Let’s Encrypt with Docker in Less Than 5 Minutes | by Philipp | Medium ) In order to start, please make sure you have the following setups done already Home Assistant installed as docker container and available under port 8123 Create a DuckDNS account and register your subdomain You know how to redirect a port from your router to the computer running docker We'll be using docker-compose, which is much simpler to use than the plain docker cli. If you are not familiar with docker-compose,
Read more

Migrating from Arduino IDE to Visual Studio Code to PlatformIO

published:
Image
Like every other beginner on ESP8266 I started with my first steps in the official Arduino IDE. I was impressed by the simplicity and easy to use examples that were build-in to the UI. Also the simple UI made it easy to start in uncharted land, especially for someone that did never develop embedded firmware. The library manager let me install additional libraries to play around with, and it also mostly worked. Standard Arduino Editor (IDE) Needless to say, I missed a lot of the features that I was used to from more powerful IDE's like IntelliJ or Visual Studio. I think even Visual Basic 6 had a better IntelliSense support than the Arduino IDE. In fact, Arduino IDE has none. Also, the lack of a dependency management (for libraries) makes it really hard to share code between multiple peers, as you have to manually install the correct version of a library in the global libraries folder. Guess what happens if you use different versions? But overall the Arduino IDE is a g
Read more

Use Bodmer TFT_eSPI Library with PlatformIO

published:
Image
If you start playing around with TFT on your ESP8266 or ESP32, you will arrive at the excellent TFT_eSPI Library by Bodmer . It's not only magnitudes faster than the Adafruit driver , it's also comes with support for a wide range of display drivers. Test results of the TFT_eSPI library Unfortunately it has one catch: The library is not really ready to be included as a library in your projects as it requires adjustments in the library itself. While it's not uncommon to define your settings with #define directives, this library expects you to patch files to configure it . The official way goes like this Locate the library folder (Windows would be Documents\Arduino\libraries\TFT_eSPI ) and create your own setup in the library sub folder User_Setups To use your configuration, patch the file User_Setup_Select.h  to include your configuration This has obviously some disadvantages. At latest when you wan't to update the library or work with different screens at the same tim
Read more