Active Directory
Microsoft Azure / Identity
Azure Active Directory (Azure AD) is a cloud-based identity and access management (IAM) service that lets organizations manage user authentication and access to cloud and on-premises applications and services. Access is controlled according to users' roles, groups, and permissions: Azure AD supports role-based access control (RBAC), so an organization can define roles and permissions for different users and groups and assign them to specific resources. Azure AD integrates with Azure services and other Microsoft products, such as Office 365, the Azure Portal, and Dynamics 365, as well as with third-party applications and services. It also provides security features such as identity protection, threat detection, and conditional access policies, which help organizations secure their identities and data. Azure AD offers single sign-on (SSO), so users authenticate once and then reach multiple applications and services without signing in again. It supports several authentication methods, including username and password, multi-factor authentication, and social identity providers such as Google, Facebook, and Microsoft accounts.
Terraform name: azurerm_active_directory_domain_service

Active Directory attributes:

The following arguments are supported:

  • domain_name - (Required) The Active Directory domain to use. See official documentation for constraints and recommendations. Changing this forces a new resource to be created.
  • domain_configuration_type - (Optional) The configuration type of this Active Directory Domain. Possible values are FullySynced and ResourceTrusting. Changing this forces a new resource to be created.
  • filtered_sync_enabled - (Optional) Whether to enable group-based filtered sync (also called scoped synchronisation). Defaults to false.
  • secure_ldap - (Optional) A secure_ldap block as defined below.
  • location - (Required) The Azure location where the Domain Service exists. Changing this forces a new resource to be created.
  • name - (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created.
  • notifications - (Optional) A notifications block as defined below.
  • initial_replica_set - (Required) An initial_replica_set block as defined below. The initial replica set inherits the same location as the Domain Service resource.
  • resource_group_name - (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created.
  • security - (Optional) A security block as defined below.
  • sku - (Required) The SKU to use when provisioning the Domain Service resource. One of Standard, Enterprise or Premium.
  • tags - (Optional) A mapping of tags assigned to the resource.

A secure_ldap block supports the following:

  • enabled - (Required) Whether to enable secure LDAP for the managed domain. For more information, please see official documentation on enabling LDAPS, paying particular attention to the section on network security to avoid unnecessarily exposing your service to Internet-borne bruteforce attacks.
  • external_access_enabled - (Optional) Whether to enable external access to LDAPS over the Internet. Defaults to false.
  • pfx_certificate - (Required) The certificate/private key to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file).
  • pfx_certificate_password - (Required) The password to use for decrypting the PKCS#12 bundle (PFX file).

A notifications block supports the following:

  • additional_recipients - (Optional) A list of additional email addresses to notify when there are alerts in the managed domain.
  • notify_dc_admins - (Optional) Whether to notify members of the AAD DC Administrators group when there are alerts in the managed domain.
  • notify_global_admins - (Optional) Whether to notify all Global Administrators when there are alerts in the managed domain.

An initial_replica_set block supports the following:

  • subnet_id - (Required) The ID of the subnet in which to place the initial replica set. Changing this forces a new resource to be created.

A security block supports the following:

  • kerberos_armoring_enabled - (Optional) Whether to enable Kerberos Armoring. Defaults to false.
  • kerberos_rc4_encryption_enabled - (Optional) Whether to enable Kerberos RC4 Encryption. Defaults to false.
  • ntlm_v1_enabled - (Optional) Whether to enable legacy NTLM v1 support. Defaults to false.
  • sync_kerberos_passwords - (Optional) Whether to synchronize Kerberos password hashes to the managed domain. Defaults to false.
  • sync_ntlm_passwords - (Optional) Whether to synchronize NTLM password hashes to the managed domain. Defaults to false.
  • sync_on_prem_passwords - (Optional) Whether to synchronize on-premises password hashes to the managed domain. Defaults to false.
  • tls_v1_enabled - (Optional) Whether to enable legacy TLS v1 support. Defaults to false.

Associating resources with an Active Directory
Resources do not "belong" to an Active Directory. Rather, one or more Security Groups are associated to a resource.
Create Active Directory via Terraform:
The following HCL manages an Active Directory Domain Service.
Syntax:

provider "azurerm" {
 features {}
}

resource "azurerm_resource_group" "deploy" {
 name     = "example-resources"
 location = "West Europe"
}

resource "azurerm_virtual_network" "deploy" {
 name                = "deploy-vnet"
 location            = azurerm_resource_group.deploy.location
 resource_group_name = azurerm_resource_group.deploy.name
 address_space       = ["10.0.1.0/16"]
}

resource "azurerm_subnet" "deploy" {
 name                 = "deploy-subnet"
 resource_group_name  = azurerm_resource_group.deploy.name
 virtual_network_name = azurerm_virtual_network.deploy.name
 address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_network_security_group" "deploy" {
 name                = "deploy-nsg"
 location            = azurerm_resource_group.deploy.location
 resource_group_name = azurerm_resource_group.deploy.name

 security_rule {
   name                       = "AllowSyncWithAzureAD"
   priority                   = 101
   direction                  = "Inbound"
   access                     = "Allow"
   protocol                   = "Tcp"
   source_port_range          = "*"
   destination_port_range     = "443"
   source_address_prefix      = "AzureActiveDirectoryDomainServices"
   destination_address_prefix = "*"
 }

 security_rule {
   name                       = "AllowRD"
   priority                   = 201
   direction                  = "Inbound"
   access                     = "Allow"
   protocol                   = "Tcp"
   source_port_range          = "*"
   destination_port_range     = "3389"
   source_address_prefix      = "CorpNetSaw"
   destination_address_prefix = "*"
 }

 security_rule {
   name                       = "AllowPSRemoting"
   priority                   = 301
   direction                  = "Inbound"
   access                     = "Allow"
   protocol                   = "Tcp"
   source_port_range          = "*"
   destination_port_range     = "5986"
   source_address_prefix      = "AzureActiveDirectoryDomainServices"
   destination_address_prefix = "*"
 }

 security_rule {
   name                       = "AllowLDAPS"
   priority                   = 401
   direction                  = "Inbound"
   access                     = "Allow"
   protocol                   = "Tcp"
   source_port_range          = "*"
   destination_port_range     = "636"
   source_address_prefix      = "*"
   destination_address_prefix = "*"
 }
}

resource "azurerm_subnet_network_security_group_association" "deploy" {
 subnet_id                 = azurerm_subnet.deploy.id
 network_security_group_id = azurerm_network_security_group.deploy.id
}

resource "azuread_group" "dc_admins" {
 display_name     = "AAD DC Administrators"
 security_enabled = true
}

resource "azuread_user" "admin" {
 user_principal_name = "dc-admin@hashicorp-example.com"
 display_name        = "DC Administrator"
 password            = "Pa55w0Rd!!1"
}

resource "azuread_group_member" "admin" {
 group_object_id  = azuread_group.dc_admins.object_id
 member_object_id = azuread_user.admin.object_id
}

resource "azuread_service_principal" "example" {
 application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services
}

resource "azurerm_resource_group" "aadds" {
 name     = "aadds-rg"
 location = "westeurope"
}

resource "azurerm_active_directory_domain_service" "example" {
 name                = "example-aadds"
 location            = azurerm_resource_group.aadds.location
 resource_group_name = azurerm_resource_group.aadds.name

 domain_name           = "widgetslogin.net"
 sku                   = "Enterprise"
 filtered_sync_enabled = false

 initial_replica_set {
   subnet_id = azurerm_subnet.deploy.id
 }

 notifications {
   additional_recipients = ["notifyA@example.net", "notifyB@example.org"]
   notify_dc_admins      = true
   notify_global_admins  = true
 }

 security {
   sync_kerberos_passwords = true
   sync_ntlm_passwords     = true
   sync_on_prem_passwords  = true
 }

 tags = {
   Environment = "prod"
 }

 depends_on = [
   azuread_service_principal.example,
   azurerm_subnet_network_security_group_association.deploy,
 ]
}
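The secure_ldap and security attribute blocks listed above, and the HCL example just shown, leave the hardening choices to the reader: the example's AllowLDAPS rule accepts TCP/636 from any source, and the attribute list only says that the legacy protocol switches default to off. The following HCL is an added example, not the provider's documentation sample or CloudWiki's own code, written as a drop-in replacement for the network security group and the domain service resource in the example above (the resource group, virtual network, subnet, AAD DC Administrators group and service principal from that example are assumed to stay as they are). Everything else is hypothetical: the variable ldaps_key_vault_id, the Key Vault secret names aadds-ldaps-pfx and aadds-ldaps-pfx-password, and the documentation range 203.0.113.0/24 standing in for the corporate network that is allowed to reach LDAPS.

```hcl
# Added hardening example (hypothetical names; not the provider's or CloudWiki's code).
# Assumes azurerm_resource_group.aadds and azurerm_subnet.deploy exist as in the page's
# example, and that a Key Vault already holds the LDAPS PKCS#12 bundle and its password.

variable "ldaps_key_vault_id" { type = string } # assumed: ID of the Key Vault holding the LDAPS secrets

# Certificate material is read from Key Vault at plan time instead of being
# committed to the .tf file as a base64 literal.
data "azurerm_key_vault_secret" "ldaps_pfx" {
  name         = "aadds-ldaps-pfx" # assumed secret name; value is the base64-encoded PFX
  key_vault_id = var.ldaps_key_vault_id
}

data "azurerm_key_vault_secret" "ldaps_pfx_password" {
  name         = "aadds-ldaps-pfx-password" # assumed secret name
  key_vault_id = var.ldaps_key_vault_id
}

# Only the two inbound rules the managed domain needs from the service tag, plus
# LDAPS scoped to the corporate range. No "*"-sourced LDAPS rule and no RDP rule.
resource "azurerm_network_security_group" "aadds_hardened" {
  name                = "aadds-hardened-nsg"
  location            = azurerm_resource_group.aadds.location
  resource_group_name = azurerm_resource_group.aadds.name

  security_rule {
    name                       = "AllowSyncWithAzureAD"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "AzureActiveDirectoryDomainServices"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowPSRemoting"
    priority                   = 301
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "5986"
    source_address_prefix      = "AzureActiveDirectoryDomainServices"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowLDAPSFromCorp"
    priority                   = 401
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "636"
    source_address_prefix      = "203.0.113.0/24" # assumed corporate range (documentation prefix)
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "aadds_hardened" {
  subnet_id                 = azurerm_subnet.deploy.id
  network_security_group_id = azurerm_network_security_group.aadds_hardened.id
}

resource "azurerm_active_directory_domain_service" "hardened" {
  name                = "example-aadds-hardened"
  location            = azurerm_resource_group.aadds.location
  resource_group_name = azurerm_resource_group.aadds.name
  domain_name         = "widgetslogin.net"
  sku                 = "Enterprise"

  initial_replica_set {
    subnet_id = azurerm_subnet.deploy.id
  }

  secure_ldap {
    enabled                  = true
    external_access_enabled  = false # no public LDAPS endpoint; reachable only through the VNet and the NSG rule above
    pfx_certificate          = data.azurerm_key_vault_secret.ldaps_pfx.value
    pfx_certificate_password = data.azurerm_key_vault_secret.ldaps_pfx_password.value
  }

  security {
    kerberos_armoring_enabled       = true  # Kerberos FAST: protects the AS exchange from offline guessing
    kerberos_rc4_encryption_enabled = false # AES-only Kerberos tickets
    ntlm_v1_enabled                 = false # NTLMv2 remains available; v1 stays off
    tls_v1_enabled                  = false
    sync_kerberos_passwords         = true
    sync_ntlm_passwords             = true
    sync_on_prem_passwords          = true
  }

  depends_on = [azurerm_subnet_network_security_group_association.aadds_hardened]
}
```

The legacy switches are written out explicitly even though they already default to false, so a later edit that flips one shows up as a visible diff in review rather than as a silent change from the default. Because the PFX and its password come from data sources, they still land in the Terraform state file; the state backend therefore needs the same access controls as the Key Vault itself.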

Create Active Directory via CLI:
Parameters:

az ad ds create --domain
               --name
               --replica-sets
               --resource-group
               [--domain-config-type {FullySynced, ResourceTrusting}]
               [--external-access {Disabled, Enabled}]
               [--filtered-sync {Disabled, Enabled}]
               [--ldaps {Disabled, Enabled}]
               [--no-wait]
               [--notify-dc-admins {Disabled, Enabled}]
               [--notify-global-admins {Disabled, Enabled}]
               [--notify-others]
               [--ntlm-v1 {Disabled, Enabled}]
               [--pfx-cert]
               [--pfx-cert-pwd]
               [--resource-forest {Disabled, Enabled}]
               [--settings]
               [--sku {Enterprise, Premium, Standard}]
               [--sync-kerberos-pwd {Disabled, Enabled}]
               [--sync-ntlm-pwd {Disabled, Enabled}]
               [--sync-on-prem-pwd {Disabled, Enabled}]
               [--tags]
               [--tls-v1 {Disabled, Enabled}]

Example:

az ad ds create --domain "TestDS.com" --replica-sets location="West US" subnet-id="<subnetId>" --name "TestDS.com" --resource-group "rg"
