RADIUS services

[blouwagie]

1. One feature that should be in table named "features you may need for your organization" is RADIUS, that is a feature that many organisations need and is apparently still not supported with Azure AD DS or AAD. PLease this to the table to help us make the correct solution.
2. Custom OU structure. You indicate that is is possible in both. In my experience this is very limted in AD DS, please document accordingly.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 9ff64a31-7310-b2e8-28ba-690790b9b00d
• Version Independent ID: bd83c309-bd2b-6211-8d86-6d9713822c2b
• Content: Compare Active Directory-based services in Azure
• Content Source: articles/active-directory-domain-services/compare-identity-solutions.md
• Service: active-directory
• Sub-service: domain-services
• GitHub Login: @iainfoulds
• Microsoft Alias: iainfou

[neeleshray-msft]

@blouwagie Thank you for your feedback. We will investigate and get back to you shortly.

[shashishailaj]

@iainfoulds Could you please review this request and see if this document can be updated accordingly?

[iainfoulds]

Thanks for the feedback, @blouwagie

For NPS, that's supported with Azure AD DS, and can also integrate with additional security controls such as Azure Multi-Factor Authentication - https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34781713-support-nps-radius-for-azure-ad-domain-services. We have a document that's due to publish in the next week to show how to configure such a deployment. For Azure AD, it's not a supported scenario.

For custom OU structure, you're free to create whatever OU structure you'd like in Azure AD DS - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/create-ou. It's not limited in terms of how you can create users and groups within Azure AD DS and assign them across OUs and apply group policy. You can't synchronize in your structure from an on-premises AD DS environment as Azure AD doesn't honor OU structure when you'd synchronize users and groups through Azure AD Connect. What do you feel is limited in Azure AD DS?

[blouwagie]

Hi @iainfoulds Thank you!

• I had to look up what NPS stands for: NPS performs authentication, authorization, and accounting for connection requests for the local domain and for domains that trust the local domain. https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-server
• I look forward to seeing that document for AAD, this has been a major stumbling block, and I'm still confused what you say it is going to work for Azure DS but not for Azure AD. Do you mean that we will be able to get the RADIUS service configured as part of the Azure DS setup? Are you thus saying that https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-deploy will be document to how to set up with Azure DS instead on only being to do so with AD? That would be real and great progress.

On the custom OU, we are a cloud only customer,

• I discovered a dumb mistake of mine, but still others could be trapped by same. I was trying to create a user under the AADS Users OU, not thinking that it would work one level higher. That is where I really don't like that Microsoft hides menu options rather than showing them and giving a message why I can't use them in certain places, but I'm distracting myself. Thank you !
• The second problem is that we do not see Azure Domain Joined computers in Azure DS, only users, so we can't move them as they don't exist. When we create servers and join them the Azure DS services, those we see. Follow up question: If we stopped Azure Domain Joining PCs, I guess we could join them to the Azure DS domain, but would we lose some advanced Intune features?

Bart

[iainfoulds]

Okay, there's a lot of things going on here that aren't really docs-related :) @shashishailaj may be able to help set up an advisory support request to review some options, and the Microsoft Q&A discussions forum for Azure AD DS may also be able to help - https://docs.microsoft.com/answers/topics/azure-ad-domain-services.html

To try and address your main points:

• The Network Policy and Access Services feature in Windows Server provides a Network Policy Server (NPS) that can functionally act as a RADIUS server. RADIUS is a client/server protocol rather than a specific feature. As such, yes - NPS can configured with other services like Remote Desktop Services whereby you use identities stored in Azure AD DS when a user signs in. NPS is only supported with Azure AD DS, not directly with Azure AD.
• There's nothing different about the menu options or management of OUs in Azure AD DS other than where the users synchronized in from Azure AD are stored - "AADDC Users". As noted in the doc, those synchronized users can't be moved from that OU. The intent of a custom OU structure would be for users created directly within the Azure AD DS managed domain itself that you're wanting to manage.
• There's a difference between Azure AD-joined computers, and computers joined to the Azure AD DS managed domain. Azure AD-joined computers won't show in Azure AD DS - only users and groups are synchronized from Azure AD. There's no group policy management or similar functionality for Azure AD-joined computers within an Azure AD DS managed domain. Only computers directly joined to the Azure AD DS managed domain would create a computer object that can be managed. Again, it really comes down to what you're trying to accomplish here as to how you'd design and manage that OU structure for users and then joining/managing computers.

[blouwagie]

Thank you @iainfoulds and @shashishailaj, That is very informative and indeed not documentation related. As you say it all depends on "what one tries to accomplish". The bottom line is that we are a Azure AAD, cloud ONLY customers that did not exist 18 months ago and now have 2000+ healthcare workers using the system whilst we need to be NIST 800-53 compliant, something we are trying to do without having to revert to re-introducing VMs, Traditional AD, Servers. We mostly were successful with AAD, Azure Domain Joins, Intune but hit some hard snags on: 1) RADIUS/NPS for WiFi access, 2) Device Certificates, 3) VPN requirements without split tunnel, 4) GPO settings for devices (often missing an Intune Equivalent). Thus OUs for AAD users was in the end a minor issue. I have implemented this Azure/Office cloud only for one such organisation in 2018/2019 and we reached compliance be it with some gaps. There is now a second organisation that is Hybrid, who really would like to go cloud only as the Hybrid setup is problematic. That triggered my response to the document and I would appreciate further advise for sure. The current healtcare crisis also means I need to come up with pragmatic responses. Thank you Bart

[iainfoulds]

I'm not sure if @shashishailaj was able to help set up an advisory support request to review some of your options, or if you were able to ask about some of these design considerations on the Microsoft Q&A discussions forum for Azure AD DS may also be able to help - https://docs.microsoft.com/answers/topics/azure-ad-domain-services.html

It's not really going to provide support for what you need in this instance, but the new article I mentioned earlier on securing remote access to VMs published a couple of weeks ago - https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-access

If anything changes from the product team on some of these scenarios, the relevant docs would be updated accordingly to show examples. For now, #please-close