Azure Active Directory Domain Services
(Azure AD DS)
Join Azure virtual machines to a domain without domain controllers
Save costs and operate more efficiently with managed domain services
Azure Active Directory Domain Services (Azure AD DS), part of Microsoft Entra, enables you to use managed domain services—such as Windows Domain Join, group policy, LDAP, and Kerberos authentication—without having to deploy, manage, or patch domain controllers.
Access to managed domain services such as Windows Domain Join, group policy, LDAP, and Kerberos authentication
Ability to join Azure virtual machines to a managed domain without domain controllers
Simple sign-in to apps connected to your managed domain with Azure AD credentials
Lift-and-shift migration of legacy applications from your on-premises environment to a managed domain
Increase operational efficiency
Enable managed domain services for virtual machines and directory-aware applications deployed in Azure with a click of a button. Reduce operational and maintenance costs associated with managing identity infrastructure for your virtual machines and legacy applications.
Run legacy applications in the cloud
Easily migrate on-premises apps to a managed domain. Streamline management of all applications from your legacy, directory-aware apps alongside your modern cloud apps with a single identity solution.
Rely on a managed, highly available service
Azure AD Domain Services includes multiple domain controllers to provide high availability for your managed domain. Ensure business continuity with guaranteed service uptime and resilience to failures.
Unify your identity infrastructure management
Simplify the experience of managing and securing your entire identity infrastructure including Azure AD DS with the Microsoft Entra admin centre.
Comprehensive security and compliance, built in
Microsoft invests more than USD 1 billion annually on cybersecurity research and development.
We employ more than 3,500 security experts dedicated to data security and privacy.
Azure has more certifications than any other cloud provider. View the comprehensive list.
Pricing for Azure Active Directory Domain Services
Azure AD DS offers built-in conditional access and security threat intelligence for all your users. Usage is charged per hour, based on the SKU selected by the tenant owner. Explore pricing options to find the version that fits your needs.
Get started with an Azure free account
Start free. Get $200 credit to use in 30 days. While you have your credit, get free amounts of many of our most popular services, plus free amounts of 40+ other services.
After your credit, move to pay as you go to keep building with the same free services. Only pay if you use more than the free monthly amounts.
After 12 months, you'll continue getting 40+ always-free services—and still only pay for what you use beyond your free monthly amounts.
Azure AD Domain Services resources and documentation
How-to guidesLearn how to configure scoped synchronisation from Azure AD to Azure AD DS in the Azure portal
Code samplesFind code samples to jumpstart your deployment
Identity services documentationCompare self-managed Active Directory DS, Azure AD, and managed Azure AD DS
Frequently asked questions about Azure AD DS
Azure AD DS is a part of Microsoft Entra, the new product family for multicloud identity and access solutions.
No. You can create a single managed domain serviced by Azure AD Domain Services for a single Azure AD directory.
Yes. Azure AD Domain Services can be enabled in an Azure Resource Manager virtual network. Classic Azure virtual networks are no longer available when you create a managed domain.
No. Guest users invited to your Azure AD directory using the Azure AD B2B invite process are synchronised to your Azure AD Domain Services managed domain. However, as passwords for these users aren't stored in your Azure AD directory, Azure AD Domain Services has no way to synchronize NTLM and Kerberos hashes for these users to your managed domain, so they can't sign in or join computers to the managed domain.
Yes. Each Azure AD Domain Services managed domain includes two domain controllers. You don't manage or connect to these domain controllers—they're part of the managed service. If you deploy Azure AD Domain Services into a region that supports availability zones, the domain controllers are distributed across zones. In regions that don't support availability zones, the domain controllers are distributed across availability sets. Learn more about availability options for virtual machines in Azure.
Changes made in your Azure AD directory using either the Azure AD UI or PowerShell are automatically synchronised to your managed domain. This synchronisation process runs in the background. There's no defined time period for this synchronisation to complete all the object changes.
No. Once you've enabled an Azure AD Domain Services managed domain, the service is available within your selected virtual network until you delete the managed domain. There's no way to pause the service. Billing continues on an hourly basis until you delete the managed domain.