AVD Deployment - Identity Join Options
What's Been Updated
Your AVD deployment now supports BOTH Azure AD Join (cloud-native) and Active Directory Domain Services Join (traditional AD). (Azure AD has since been renamed Microsoft Entra ID; this page keeps the Azure AD name because that is what the templates and parameters use.)
Quick Answer to Your Question
"Are these VMs cloud joined or DC joined?"
Answer: You can choose!
- Default: Azure AD Join (cloud-native)
- Optional: Active Directory Domain Services Join (traditional AD)
- Configurable in both the Terraform and ARM deployments
Files Updated on GitHub
1. azuredeploy.json (updated)
ARM template with full domain join support:
- New parameters: domainJoinOption, domainFqdn, domainJoinUsername, domainJoinPassword, ouPath
- Conditional VM extensions based on the join type
- Defaults to Azure AD join
2. createUiDefinition.json (updated)
Azure Portal wizard with a new Identity Configuration step:
- Radio button to choose between Azure AD and Domain Services
- Conditional fields for domain credentials (shown only when Domain Services is selected)
- Warning messages about network/DNS requirements
- Benefits info for each option
How to Use
Option 1: Azure AD Join (Recommended)
Terraform:
```hcl
# terraform.tfvars
domain_join_option = "AzureAD"
# No additional config needed!
```
ARM Template / Deploy to Azure:
- Click the "Deploy to Azure" button
- Step 1: Choose "Azure AD Join (Recommended)"
- Complete the remaining steps
Requirements:
- An Azure AD tenant
- Users sign in with their Azure AD credentials (user@domain.com)
- Users (or a group) hold the Virtual Machine User Login Azure RBAC role on the session hosts or their resource group; without it the feed lists the desktop but the Windows sign-in is refused
- Client devices that are not themselves Azure AD joined or registered need the host pool RDP property targetisaadjoined:i:1
Benefits:
- ✅ Cloud-native identity
- ✅ Conditional Access support
- ✅ Windows Hello for Business
- ✅ Self-service password reset
- ✅ No on-premises infrastructure
Option 2: Active Directory Domain Services Join
Terraform:
```hcl
# terraform.tfvars
domain_join_option   = "DomainServices"
domain_fqdn          = "contoso.com"
domain_join_username = "svc-avd-join"       # dedicated join account delegated "Create Computer objects" on the OU, not a Domain Admin
domain_join_password = "SecurePassword123!" # placeholder only: supply via TF_VAR_domain_join_password or a Key Vault secret, never a real value here
domain_ou_path       = "OU=AVD,DC=contoso,DC=com" # Optional

# IMPORTANT: Use an existing VNet with DC connectivity
use_existing_vnet            = true
existing_vnet_name           = "hub-vnet"
existing_vnet_resource_group = "network-rg"
create_new_subnet            = false
existing_subnet_name         = "avd-subnet"
```
ARM Template / Deploy to Azure:
- Click the "Deploy to Azure" button
- Step 1: Choose "Active Directory Domain Services Join"
- Fill in the domain FQDN, username, password and OU path (optional)
- Step 2: Select an existing VNet with DC connectivity
- Complete the remaining steps
Requirements:
- Active Directory Domain Services (on-premises, or Azure AD Domain Services, now Microsoft Entra Domain Services)
- Network connectivity from the AVD subnet to the domain controllers (VPN/ExpressRoute, or peering to DCs running in Azure)
- DNS configured to resolve the domain: the VNet's DNS servers must be the DCs or forward to them
- A dedicated join account with delegated rights to create computer objects in the target OU (not a Domain Admin, and not relying on the default ms-DS-MachineAccountQuota of 10 joins per user)
Benefits:
- ✅ Legacy app support requiring AD authentication
- ✅ Group Policy management
- ✅ Traditional AD group-based access
- ✅ Integration with existing on-prem infrastructure
Comparison Table

| Feature | Azure AD Join | Domain Services Join |
|---|---|---|
| Infrastructure | Cloud-only | Requires domain controllers |
| Network | Minimal | Line of sight to DCs required |
| Conditional Access | ✅ Full support (device-based conditions and SSO at the session host) | ⚠️ Limited (enforced at the AVD feed sign-in, not at the session host) |
| Group Policy | ⚠️ Limited (Intune/MDM policy instead) | ✅ Full support |
| Legacy Apps | ⚠️ Limited (AD-authenticated apps need hybrid users plus line of sight to DCs) | ✅ Full support |
| Management | ✅ Simple | ⚠️ More complex |
| Cost | ✅ Lower | ⚠️ Higher (network, DCs) |
| Best For | Modern, cloud-first | Legacy apps, Group Policy |
Technical Details
What Gets Deployed (Azure AD Join):
- VMs are created
- The AADLoginForWindows extension (publisher Microsoft.Azure.ActiveDirectory) is installed
- The DSC extension registers the VMs with the host pool with the property aadJoin: true
- Users authenticate with Azure AD
What Gets Deployed (Domain Services Join):
- VMs are created
- The JsonADDomainExtension is installed with the domain credentials; the user name and OU go in settings, the password in protectedSettings (encrypted, never returned from the VM model)
- VMs join the specified domain (with optional OU placement)
- The DSC extension registers the VMs with the host pool with the property aadJoin: false
- Users authenticate with their AD domain credentials
⚠️ Important Notes
For Domain Services Join:
- DNS Configuration: the VNet's DNS servers must point to the domain controllers (VMs created before the change need a restart or a DHCP renew to pick it up). Before deploying, confirm from a VM on the subnet that the SRV record _ldap._tcp.dc._msdcs.<domain> resolves to the DCs.
```bash
az network vnet update --name hub-vnet --resource-group network-rg \
  --dns-servers 10.0.0.4 10.0.0.5
```
- Network Connectivity: the VNet needs a path to the DCs via one of:
  - Azure VPN Gateway
  - ExpressRoute
  - VNet peering to a hub that hosts the DCs
  - Domain controllers running in Azure
  The NSGs and firewalls on that path must allow the domain-join ports (DNS 53, Kerberos 88 and 464, RPC 135 plus the dynamic range, LDAP 389/636, SMB 445, global catalog 3268).
- Security: store the domain credentials securely:
  - Use Azure Key Vault (in ARM, declare domainJoinPassword as a secureString parameter and reference a Key Vault secret from the parameters file)
  - Use environment variables (TF_VAR_domain_join_password) with the Terraform variable marked sensitive = true
  - Never commit passwords to source control
  - Terraform state still records the password in clear text, so lock down the state backend as well
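The two extension paths listed under Technical Details and the credential guidance above, as an added Terraform example. This is not the accelerator's own code: it assumes the VM resource name azurerm_windows_virtual_machine.host, a Key Vault secret named avd-domain-join-password in a vault identified by a key_vault_id variable, and the variables domain_fqdn, domain_join_username, domain_ou_path, use_existing_vnet, host_pool_name, host_pool_registration_token and avd_dsc_modules_url. The extension publishers, types and setting names are the real ones; the validation, precondition and protected_settings split are the points to copy.

```hcl
# Added example, not the accelerator's code. Assumed: the VM resource
# azurerm_windows_virtual_machine.host, var.key_vault_id, and the variables
# named in the lead-in above.

variable "domain_join_option" {
  type    = string
  default = "AzureAD"
  validation {
    condition     = contains(["AzureAD", "DomainServices"], var.domain_join_option)
    error_message = "domain_join_option must be \"AzureAD\" or \"DomainServices\"."
  }
}

locals {
  ad_join = var.domain_join_option == "DomainServices"
}

# The join password is read from Key Vault only when an AD DS join is
# requested, so it never has to be typed into terraform.tfvars.
data "azurerm_key_vault_secret" "domain_join_password" {
  count        = local.ad_join ? 1 : 0
  name         = "avd-domain-join-password"
  key_vault_id = var.key_vault_id
}

# Azure AD join: only the AADLoginForWindows extension is needed.
resource "azurerm_virtual_machine_extension" "aad_login" {
  count                      = local.ad_join ? 0 : 1
  name                       = "AADLoginForWindows"
  virtual_machine_id         = azurerm_windows_virtual_machine.host.id
  publisher                  = "Microsoft.Azure.ActiveDirectory"
  type                       = "AADLoginForWindows"
  type_handler_version       = "2.0"
  auto_upgrade_minor_version = true
}

# AD DS join: user name and OU are plain settings; the password goes in
# protected_settings, which Azure encrypts and never returns from the VM model.
# Options "3" = join the domain and create the computer object if missing.
resource "azurerm_virtual_machine_extension" "domain_join" {
  count                      = local.ad_join ? 1 : 0
  name                       = "JsonADDomainExtension"
  virtual_machine_id         = azurerm_windows_virtual_machine.host.id
  publisher                  = "Microsoft.Compute"
  type                       = "JsonADDomainExtension"
  type_handler_version       = "1.3"
  auto_upgrade_minor_version = true

  settings = jsonencode({
    Name    = var.domain_fqdn
    OUPath  = var.domain_ou_path
    User    = "${var.domain_fqdn}\\${var.domain_join_username}"
    Restart = "true"
    Options = "3"
  })

  protected_settings = jsonencode({
    Password = data.azurerm_key_vault_secret.domain_join_password[0].value
  })

  lifecycle {
    # A domain join with no line of sight to the DCs fails late and noisily;
    # refuse the plan unless the deployment targets an existing (hub-connected) VNet.
    precondition {
      condition     = var.use_existing_vnet
      error_message = "DomainServices join requires use_existing_vnet = true (a VNet with DC connectivity)."
    }
  }
}

# Host-pool registration runs after whichever join extension applied;
# aadJoin tells the AVD DSC configuration which sign-in path the host uses.
resource "azurerm_virtual_machine_extension" "hostpool_dsc" {
  name                 = "AVD-DSC"
  virtual_machine_id   = azurerm_windows_virtual_machine.host.id
  publisher            = "Microsoft.Powershell"
  type                 = "DSC"
  type_handler_version = "2.73"
  depends_on = [
    azurerm_virtual_machine_extension.aad_login,
    azurerm_virtual_machine_extension.domain_join,
  ]

  settings = jsonencode({
    modulesUrl            = var.avd_dsc_modules_url
    configurationFunction = "Configuration.ps1\\AddSessionHost"
    properties = {
      hostPoolName = var.host_pool_name
      aadJoin      = !local.ad_join
    }
  })

  # The registration token is a bearer credential for joining the pool:
  # keep it out of plain settings too.
  protected_settings = jsonencode({
    properties = {
      registrationInfoToken = var.host_pool_registration_token
    }
  })
}
```

With this shape `terraform plan` rejects a typo in domain_join_option and a DomainServices join against a freshly created VNet before anything is deployed, and neither the domain password nor the host pool registration token ever appears in plain settings, which are readable by anyone with read access to the VM resource.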
What This Means for You
- Flexibility: choose the identity solution that fits your needs
- Cloud-First Default: Azure AD join by default for modern scenarios
- Hybrid Support: Domain Services join for legacy/hybrid environments
- Easy Deployment: both options available in Terraform AND ARM templates
- Wizard Support: the Deploy to Azure button has full domain join configuration
Documentation Updated
- ✅ README.md: added a full identity section with examples
- ✅ terraform.tfvars.example: added domain join configuration examples
- ✅ ARM template: supports both join types
- ✅ UI definition: wizard with an identity configuration step
Status
All files uploaded to GitHub: https://github.com/travishankins/azure-avd-terraform-accelerator
Ready to deploy!