
Using Azure AD Domain Service for SharePoint IaaS Deployments

Azure Infrastructure as a Service (IaaS) is a great option for SharePoint Server deployments in those use cases, or for those organizations, where SharePoint Online is not appropriate or sufficient. IaaS can be used for dev/test scenarios or as part of a production, cloud-based infrastructure.
With SharePoint Server 2016, deployment without Active Directory is no longer supported; Active Directory is mandatory for any scalable SharePoint Server deployment. Until now, the requirement for an Active Directory domain was satisfied by provisioning a Windows Server Virtual Machine (VM) and configuring the server as a Domain Controller.
Azure Active Directory Domain Services (currently in preview) offers an alternative. Rather than deploying and configuring a VM, the Domain Service can be enabled within an Azure Active Directory instance and associated with a new or pre-existing Virtual Network. Once the initial setup is complete, virtual machines deployed into that virtual network can be joined to the Active Directory domain. Once the machines are joined, the domain can be used as if it were being provided by an on-premises or IaaS Windows Server domain controller.
The advantage? Simpler, more cost-effective Active Directory Domain management without the need to configure and run an additional server.
Since the Azure AD Domain Service is in preview, I decided to test the service within the context of a SharePoint IaaS-based deployment. In my testing, I chose to use the SharePoint Server 2016 Beta 2 image (see SharePoint 2016 Install), but the results are applicable to any SharePoint version (e.g. 2007, 2010, 2013, 2016) using an Active Directory-based deployment.
The end result – a domain that can be used to support SharePoint Active Directory users and groups! For example, a domain name of sp2016ad.onmicrosoft.com can provide a SharePoint setup login of sp2016ad\sp_setup.  (As of this writing, the service is only supported in “classic” mode, with support of Azure Resource Management forthcoming.)
The detailed instructions can be found below; the document Azure AD Domain Services (Preview) – Getting started provides a step-by-step process for the setup.
Here is an outline of the steps for SharePoint:

  • Create Azure Active Directory
    • Or use an existing Azure Active Directory
    • NOTE: Each Azure Active Directory only supports a single Active Directory Domain Service
  • Create the ‘AAD DC Administrators’ group in Azure Active Directory (see Figure 1)
    • Create a dedicated account
    • Give this account Azure Admin Rights (NOTE: it will be used to create users)
    • Add the account to the ‘AAD DC Administrators’ group
  • Enable Azure AD Domain Services (see Figure 2)
    • Option is found in lower portion (scroll down) of directory “Configure” tab
    • Naming Rules
      • Pay attention to Domain Name format rules
    • Wait for Redundant IPs to appear for DNS
    • Update DNS settings for the Azure virtual network
  • Create Domain Users (see Figure 3)
    • Use Windows Azure Active Directory PowerShell
      • $msolcred = Get-Credential ## NOTE: This must be an Azure Active Directory account, not a Microsoft Account
      • Connect-MsolService -Credential $msolcred
      • $setpass = "Pass@ABCD" ## NOTE: example value only; New-MsolUser takes the password as a plain string
      • New-MsolUser -UserPrincipalName sp_setup@rjg916testad.onmicrosoft.com -DisplayName sp_setup -ForceChangePassword $false -PasswordNeverExpires $true -Password $setpass
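The outline above, carried through as one script. This is an added example and not the post's own code; it uses the same MSOnline cmdlets the post uses, and assumes the MSOnline module is installed, that the signed-in credential is an Azure Active Directory (organizational) account with rights to manage users and groups, and that the tenant domain, the account names and the "AAD DS Admin" display name are placeholders to replace. Unlike the outline, it reads each password interactively so no password is written into the script or shell history, and it skips objects that already exist so it can be re-run safely.

```powershell
# Added example (not from the original post). Assumptions: MSOnline module installed,
# the domain and account names below are placeholders, and the credential used is an
# Azure AD work account, not a personal Microsoft Account.
Import-Module MSOnline

$domain    = "YOUR-TENANT.onmicrosoft.com"   # placeholder: your Azure AD tenant domain
$groupName = "AAD DC Administrators"         # exact display name Azure AD DS looks for
$adminUpn  = "aadds_admin@$domain"           # dedicated account that will manage the domain

# Step 1: sign in with an Azure AD account (a Microsoft Account fails here).
$msolcred = Get-Credential -Message "Azure AD administrator (organizational account)"
Connect-MsolService -Credential $msolcred

# Step 2: create the delegated administration group once.
$group = Get-MsolGroup -SearchString $groupName | Where-Object { $_.DisplayName -eq $groupName }
if (-not $group) {
    $group = New-MsolGroup -DisplayName $groupName `
        -Description "Delegated group to administer Azure AD Domain Services"
}

# Read a password at the prompt and hand it to New-MsolUser as the plain string it expects,
# without ever storing it in a script variable that outlives this call.
function Read-PlainPassword([string]$Prompt) {
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    return [System.Net.NetworkCredential]::new('', $secure).Password
}

# Create a cloud-only user if it does not exist; service accounts get non-expiring passwords
# and no forced change at first logon, exactly as the outline does for sp_setup.
function New-DomainUser([string]$Upn, [string]$DisplayName) {
    $existing = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    $password = Read-PlainPassword -Prompt "Password for $Upn"
    return New-MsolUser -UserPrincipalName $Upn -DisplayName $DisplayName `
        -Password $password -ForceChangePassword $false -PasswordNeverExpires $true
}

# Step 3: the dedicated admin account, added to the group only if not already a member.
$admin   = New-DomainUser -Upn $adminUpn -DisplayName "AAD DS Admin"
$members = Get-MsolGroupMember -GroupObjectId $group.ObjectId
if (-not ($members | Where-Object { $_.ObjectId -eq $admin.ObjectId })) {
    Add-MsolGroupMember -GroupObjectId $group.ObjectId `
        -GroupMemberType User -GroupMemberObjectId $admin.ObjectId
}

# Step 4: the SharePoint accounts (the post's sp_setup plus a separate farm account).
foreach ($name in @("sp_setup", "sp_farm")) {
    New-DomainUser -Upn "$name@$domain" -DisplayName $name | Out-Null
}

# Show what was provisioned; these are the logins SharePoint will use as DOMAIN\name.
Get-MsolGroupMember -GroupObjectId $group.ObjectId | Select-Object DisplayName, EmailAddress
Get-MsolUser | Where-Object { $_.UserPrincipalName -like "sp_*@$domain" } | Select-Object UserPrincipalName
```

Run the script after the Domain Service has been enabled and its DNS addresses have appeared in the directory: the managed domain only receives the credential hashes it needs for Kerberos and NTLM when a password is set after the service is enabled, so cloud-only accounts that existed beforehand must have their passwords reset before they can sign in to domain-joined VMs. Keeping separate setup and farm accounts, rather than reusing the AAD DC Administrators member for SharePoint, keeps the account that can administer the domain out of the SharePoint service tier.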

Figure 1: Azure Active Directory and Group

Figure 2: Azure AD Domain Service

Figure 3: Active Directory Users

Thoughts on “Using Azure AD Domain Service for SharePoint IaaS Deployments”

  1. Under configure on AAD, can I configure multiple vnets from another subscription, or is it limited to just one vnet?
    The setting “CONNECT DOMAIN SERVICES TO THIS VIRTUAL NETWORK”
    Help tip: CONNECT DOMAIN SERVICES TO THIS VIRTUAL NETWORK
    Specifies the virtual network and the subnet on which Domain Services are available. Azure AD Domain Services are available only on regional virtual networks. Virtual networks that use the legacy affinity groups mechanism need to be migrated to regional virtual networks.
    My Azure AD does not allow me to create services, so all of my services are stored in another subscription. Since I am using an Azure credit that requires a personal Microsoft account, this is a separate Azure login as well. My domain is an Organizational account with limited ability to create Azure services.

  2. If I am keeping both internal and external users of my organization in the Azure Active Directory (i.e. considering ACS is dead), my SharePoint Server is on an IaaS VM on Azure, and SharePoint Server hosts an internet-facing website, then what type of authentication do I use to authenticate these users?
    Especially external users who don’t use domain-joined PCs. Will all my users see the Windows login box when they try to access that internet-facing website? Or do I need to use ADFS to display the company login page?
