Integrating Multiple Domains with Azure Virtual Desktop via Entra Connect

Anuradha
October 3, 2024

Seamless Integration of Multiple Domains with Azure Virtual Desktop: Sync Users from On-Premises AD DS to Microsoft Entra ID

As organizations increasingly adopt Azure Virtual Desktop (AVD) to enhance remote work capabilities, the need for flexible and scalable solutions becomes paramount. One common challenge is the integration of environments with multiple on-premises Active Directory (AD) forests. This blog aims to guide you through the process of integrating multiple domains with Azure Virtual Desktop using Microsoft Entra Connect.

By leveraging Microsoft Entra Connect, you can sync users from your on-premises Active Directory Domain Services (AD DS) to Microsoft Entra ID (formerly Azure AD), creating a seamless connection between on-premises environments and the cloud. This approach expands on the architecture outlined in the Azure Virtual Desktop at enterprise scale article, offering a deeper dive into multi-domain setups.

🛠️ Dataflow

In this architecture, the identity flow works as follows:

  1. 🔄 Microsoft Entra Connect syncs users from both CompanyA.com and CompanyB.com to a Microsoft Entra tenant (NewCompanyAB.onmicrosoft.com).
  2. 🏢 Host pools, workspaces, and app groups are created in separate subscriptions and spoke virtual networks.
  3. 👥 Users are assigned to the app groups.
  4. 🖥️ Azure Virtual Desktop session hosts in the host pools join the domains CompanyA.com and CompanyB.com by using the domain controllers (DCs) in Azure.
  5. 🔐 Users sign in by using either the Azure Virtual Desktop application or the web client with a User Principal Name (UPN) in the following format: user@NewCompanyA.com, user@CompanyB.com, or user@NewCompanyAB.com, depending on their configured UPN suffix.
  6. 🖼️ Users are presented with their respective virtual desktops or applications. For example, users in CompanyA are presented with a virtual desktop or application in Workspace A, host pool 1 or 2.
  7. 📂 FSLogix user profiles are created in Azure Files shares on the corresponding storage accounts.
  8. 📜 Group Policy Objects (GPOs) that are synced from on-premises are applied to users and Azure Virtual Desktop session hosts.

📝 Scenario Overview

This architecture diagram represents a typical setup with a few key elements:

  • The Microsoft Entra tenant is set up for the new company NewCompanyAB.onmicrosoft.com.
  • Microsoft Entra Connect syncs users from on-premises Active Directory Domain Services (AD DS) to Microsoft Entra ID.
  • Both Company A and Company B have their own Azure subscriptions, and they share a third subscription, referred to as Subscription 1.
  • We’ve implemented an Azure hub-spoke architecture, with a shared services hub virtual network.
  • The environment includes complex, hybrid on-premises Active Directory forests with multiple domains, each having a different UPN suffix:
    • CompanyA.local uses CompanyA.com.
    • CompanyB.local uses CompanyB.com.
    • We’ve also added a new UPN suffix, NewCompanyAB.com.
  • Domain controllers for both forests are located both on-premises and in Azure.
  • Verified domains are set up in Azure for CompanyA.com, CompanyB.com, and NewCompanyAB.com.
  • We continue using Group Policy Objects (GPO) and legacy authentication methods like Kerberos, NTLM, and LDAP.
  • For environments still dependent on on-prem infrastructure, private connectivity (like Site-to-Site VPN or Azure ExpressRoute) is configured between on-premises and Azure.
  • The Azure Virtual Desktop (AVD) environment includes a separate workspace for each business unit, with two host pools per workspace.
  • AVD session hosts are joined to the appropriate domain controllers in Azure, based on the company:
    • CompanyA session hosts join CompanyA.local.
    • CompanyB session hosts join CompanyB.local.
  • For user profiles, we use Azure Files with FSLogix, with one storage account per company domain (e.g., CompanyA.local and CompanyB.local), and each account is joined to its respective domain.
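The dataflow above (Entra Connect syncing both forests into one tenant, users signing in with their configured UPN suffix) and the scenario list (three UPN suffixes, three verified domains, the .local forest names) rest on one rule worth checking before the first sync: a user whose UPN suffix is not a verified domain in the tenant is synced with that suffix replaced by the tenant's initial domain (for this design, NewCompanyAB.onmicrosoft.com), and users can then not sign in with the address they expect. The script below is an added example, not code from the article or from Microsoft; it models that remapping over a constructed export of users from both forests and also flags UPNs that appear in more than one forest, which collide on sync when Entra Connect is installed with the default "users are represented only once across all forests" setting. The export format, the sample users and the domain list are assumptions for illustration.

```python
"""Pre-sync UPN audit for a two-forest Entra Connect design (added example).

Models the Entra Connect rule that an on-premises UPN whose suffix is not a
verified domain in the tenant is synced as <prefix>@<tenant initial domain>.
Also reports UPNs present in both forests, which would collide on sync.
All user records below are constructed sample data, not real identities.
"""
from collections import defaultdict

# Tenant and verified domains from the scenario (assumed to be verified in Entra ID).
TENANT_INITIAL_DOMAIN = "NewCompanyAB.onmicrosoft.com"
VERIFIED_DOMAINS = {"companya.com", "companyb.com", "newcompanyab.com"}

# Constructed export: (source forest, on-premises userPrincipalName).
FOREST_EXPORT = [
    ("CompanyA.local", "alice@CompanyA.com"),
    ("CompanyA.local", "bob@CompanyA.local"),      # .local can never be verified
    ("CompanyA.local", "carol@NewCompanyAB.com"),
    ("CompanyB.local", "dave@CompanyB.com"),
    ("CompanyB.local", "carol@NewCompanyAB.com"),  # same UPN as a CompanyA user
    ("CompanyB.local", "erin@companyb.co"),        # mistyped, unverified suffix
]


def cloud_upn(upn, verified=VERIFIED_DOMAINS, tenant=TENANT_INITIAL_DOMAIN):
    """Return the UPN as Entra Connect would sync it for this tenant."""
    prefix, sep, suffix = upn.rpartition("@")
    if not sep:  # malformed value with no '@': treat the whole string as the prefix
        prefix, suffix = upn, ""
    if suffix.lower() not in verified:
        return f"{prefix}@{tenant}"
    return upn


def audit(export, verified=VERIFIED_DOMAINS, tenant=TENANT_INITIAL_DOMAIN):
    """Return (remapped, collisions).

    remapped:   list of (forest, on-prem UPN, synced UPN) for users whose
                suffix will be replaced by the tenant initial domain.
    collisions: dict of synced UPN (lower-cased) -> sorted list of forests
                that contain a user with that UPN.
    """
    remapped = []
    forests_by_upn = defaultdict(set)
    for forest, upn in export:
        synced = cloud_upn(upn, verified, tenant)
        if synced.lower() != upn.lower():
            remapped.append((forest, upn, synced))
        forests_by_upn[synced.lower()].add(forest)
    collisions = {u: sorted(f) for u, f in forests_by_upn.items() if len(f) > 1}
    return remapped, collisions


def main():
    remapped, collisions = audit(FOREST_EXPORT)
    print("Users that will sync with the tenant initial domain instead of their suffix:")
    for forest, upn, synced in remapped:
        print(f"  [{forest}] {upn} -> {synced}")
    print("UPNs present in more than one forest (sync collision):")
    for upn, forests in collisions.items():
        print(f"  {upn}: {', '.join(forests)}")


if __name__ == "__main__":
    main()
```

Run it against a real export (for example the userPrincipalName column from Get-ADUser in each forest) before enabling the sync, and fix the flagged accounts on-premises; once a user has synced with the .onmicrosoft.com suffix, changing it later means a UPN change that the AVD client and FSLogix profile mapping both notice.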

💡 Potential Use Cases

Here are a few relevant use cases for this architecture:

  • Mergers and Acquisitions: When companies merge, acquire, or rebrand, multiple on-premises identities can be integrated seamlessly.
  • Complex Active Directory Environments: Useful for organizations dealing with multi-forest, multi-domain AD environments, GPO requirements, and legacy authentication systems.
  • Hybrid GPO and Azure Virtual Desktop: Suitable for businesses using on-premises GPO infrastructure while adopting Azure Virtual Desktop.

How Microsoft Entra Connect Facilitates the Integration

Microsoft Entra Connect is a powerful tool that enables the synchronization of user identities between on-premises AD DS and Microsoft Entra ID. In multi-domain scenarios, Entra Connect allows organizations to integrate multiple AD forests into a single cloud-based identity platform.

Key benefits of using Microsoft Entra Connect for this integration include:

  • Automated Synchronization: Entra Connect syncs user data automatically, ensuring up-to-date information across environments.
  • Multi-Forest Support: It supports integration across multiple AD forests, simplifying identity management for complex setups.
  • Hybrid Identity: By syncing users to Microsoft Entra ID, you enable hybrid identity, allowing for a smooth transition to the cloud while still maintaining on-premises infrastructure where needed.

For organizations looking to streamline the integration of multiple domains with Azure Virtual Desktop, Microsoft Entra Connect provides a reliable and scalable solution. It simplifies user synchronization, centralizes identity management, and ensures a seamless experience for both administrators and end-users.
