How to setup Azure LDAP via Azure AD Domain Services

We have an application that sits in our DMZ zone, and we are planning to let our vendors authenticate against our internal AD. So I have set up an LDAP service using Azure AD Domain Services.

Basically I was using this guide to set it up:

Step-by-Step Guide: Enable secure LDAP (LDAPS) for an Azure Active Directory Domain Services managed domain

My steps to set up Azure LDAP:


Azure Domain Services Pricing:

https://azure.microsoft.com/en-us/pricing/details/active-directory-ds/


Azure AD vs Azure LDAP vs Azure Domain Services:

Azure AD itself does not support LDAP. Azure AD Domain Services does support LDAP, but plain Azure AD does not.

You will need AADS (Azure AD Domain Services) and then join the machine to the domain. See https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-features

LDAP bind & LDAP read support: You can use applications that rely on LDAP binds to authenticate users in domains serviced by Azure AD Domain Services. Additionally, applications that use LDAP read operations to query user/computer attributes from the directory can also work against Azure AD Domain Services.

and

Secure LDAP (LDAPS): You can enable access to the directory over secure LDAP (LDAPS). Secure LDAP access is available within the virtual network by default. However, you can also optionally enable secure LDAP access over the internet.
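The two capabilities above (LDAP simple bind, and exposing it only over LDAPS) are what the vendor application will actually exercise. As an added example that is not from the guide or from Microsoft's docs, the stdlib-only Python below encodes an RFC 4511 simple BindRequest, parses the BindResponse result code, and performs the bind over a certificate-verified TLS connection on port 636. The host name, bind DN and password are constructed placeholders; the raw bytes make clear why a simple bind must never be offered on plain port 389 to the internet.

```python
import socket
import ssl


def _ber_len(n: int) -> bytes:
    """BER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    version = _tlv(0x02, b"\x03")                     # INTEGER 3
    name = _tlv(0x04, bind_dn.encode())               # LDAPDN (OCTET STRING)
    auth = _tlv(0x80, password.encode())              # [0] simple: password in clear
    op = _tlv(0x60, version + name + auth)            # [APPLICATION 0] BindRequest
    mid = _tlv(0x02, bytes([message_id]))             # message ids < 128 only
    return _tlv(0x30, mid + op)                       # outer SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_result(data: bytes) -> int:
    """Return the resultCode of a BindResponse (0 = success, 49 = invalidCredentials)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg, 0)                     # skip messageID
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                                   # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(op, 0)
    if tag != 0x0A:                                   # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def ldaps_simple_bind(host: str, bind_dn: str, password: str,
                      port: int = 636, cafile: str = None) -> int:
    """Bind over TLS; the default context verifies the chain and host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, bind_dn, password))
            return parse_bind_result(tls.recv(4096))
```

Call `ldaps_simple_bind("ldaps.example.com", "vendor@example.com", "…", cafile="aadds-chain.pem")` (placeholder values) from inside the virtual network first; a certificate or host-name mismatch raises `ssl.SSLCertVerificationError` before any credential is sent.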

Regarding the pricing: it works with any flavor of Azure AD.

Can I get Azure AD Domain Services as part of Enterprise Mobility Suite (EMS)? Do I need Azure AD Premium to use Azure AD Domain Services? No. Azure AD Domain Services is a pay-as-you-go Azure service and is not part of EMS. Azure AD Domain Services can be used with all editions of Azure AD (Free, Basic, and Premium). You are billed on an hourly basis, depending on usage.


How to Access the Azure Domain Services:

Create a VM inside your Azure virtual network, join it to the managed domain, and use RSAT from it to manage the domain.

Remote access to virtual machines (VMs) that run in an Azure Active Directory Domain Services (Azure AD DS) managed domain requires a user account that's a member of the Azure AD DC administrators group in your Azure AD tenant. This is one of the prerequisites.


References:

https://github.com/uglide/azure-content/blob/master/articles/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap.md#task-4—enable-secure-ldap-access-over-the-internet

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ldap

https://www.securew2.com/blog/use-azure-ad-ldap
