Introduction

This blog post explores an advanced method to automatically join Azure Virtual Machines (VMs) to Active Directory using Azure Active Directory Domain Services (Azure AD DS) and Azure Automation. This approach provides a secure, scalable, and efficient alternative to traditional, manual methods.


Benefits

  • Enhanced Security: This method mitigates the standard security concerns associated with hard-coded credentials. It establishes a more robust security posture by automating sensitive processes and leveraging Azure’s built-in security features.
  • Greater Scalability: The approach is designed to fit the scalability needs of growing businesses. It can be applied across a fleet of VMs, making it an ideal solution for enterprises expanding their cloud footprint.
  • Streamlined Automation: This process significantly reduces manual input, saving time and lowering the risk of human error. Automated workflows ensure consistent and repeatable processes across the board.
  • Adaptable Flexibility: The solution accommodates a wide array of VM configurations, making it adaptable to various operational requirements and scenarios within Azure.

Requirements

  • Azure Subscription: An active Azure subscription is the fundamental requirement to access the Azure services and resources needed for the automation process.
  • Microsoft Entra Domain Services: This service (formerly Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication, fully integrated with your Azure environment.
  • Configured Azure VMs: You will need one or more Azure VMs set up and ready to be integrated with the domain services.
  • Azure Automation Account: An Azure Automation account is required to create, store, and manage the automation runbooks that will handle the domain join process.

Detailed Steps

Step 1: Configuring Microsoft Entra Domain Services

  • Activate Azure AD DS
    • Set up Azure AD DS via the Azure portal with your desired settings.
  • Check Network Configuration
    • Ensure the VMs can connect to the network where Azure AD DS is active by checking network settings and testing connectivity.

Step 2: Setting Up Azure Automation

  • Create an Azure Automation Account
    • Search for ‘Automation’ in the Azure portal
    • Click ‘Create Automation Account’ and fill in the details such as name, subscription, resource group, and location
    • Click ‘Create’ to set up the account

Step 3: Configuring Managed Service Identity (MSI) or Service Principal

  • Set Up Service Principal and Assign Rights
    • Install Azure PowerShell:

      Install-Module -Name Az -AllowClobber -Scope CurrentUser

    • Connect to your Azure account:

      Connect-AzAccount

    • Create a Service Principal:

      $servicePrincipal = New-AzADServicePrincipal -DisplayName "YourServicePrincipalName"

    • Assign the "Contributor" role to the Service Principal, scoped to the VM:

      $vmResourceId = (Get-AzVM -Name "YourVMName" -ResourceGroupName "YourResourceGroupName").Id
      New-AzRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName 'Contributor' -Scope $vmResourceId

    • Grant the Service Principal access to the Azure Automation account:

      # Resolve the Automation account's ARM resource ID to use as the assignment scope
      $automationAccountId = (Get-AzResource -ResourceType 'Microsoft.Automation/automationAccounts' -Name "YourAutomationAccountName" -ResourceGroupName "YourResourceGroupName").ResourceId
      New-AzRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName 'Contributor' -Scope $automationAccountId

    • Verify Permissions:

      Get-AzRoleAssignment -ObjectId $servicePrincipal.Id

  By completing these steps, you should have created a Service Principal and assigned the necessary roles to interact with VMs and Azure Automation without manual intervention.

  Please make sure to replace "YourServicePrincipalName", "YourVMName", "YourResourceGroupName", and "YourAutomationAccountName" with your actual resource names. Also, be aware that managing roles and permissions should be done cautiously and in line with your organization’s security policies.
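The following script is an added example (not the post's own code) that carries Step 3 through end to end: it creates the service principal only if one with that display name does not already exist, makes both role assignments idempotent and scoped to the single VM and Automation account, stores the domain-join account as the Automation credential asset that the later runbook reads, and verifies the assignments before reporting success. Every resource name, the subscription ID, the function names and the `-VMRoleName` parameter are assumptions of this example.

```powershell
# Added example, not from the original post. All names below are placeholders.
param(
    [string]$SubscriptionId       = '<your-subscription-id>',
    [string]$ResourceGroupName    = 'YourResourceGroupName',
    [string]$VMName               = 'YourVMName',
    [string]$AutomationAccount    = 'YourAutomationAccountName',
    [string]$ServicePrincipalName = 'YourServicePrincipalName',
    [string]$CredentialAssetName  = 'DomainJoinCredential',
    # 'Contributor' is what the post assigns; prefer the narrowest built-in role
    # that still covers your workflow (this parameter is an assumption of the example).
    [string]$VMRoleName           = 'Contributor'
)

function New-DomainJoinServicePrincipal {
    param([string]$DisplayName)
    # Reuse an existing principal with this display name instead of creating duplicates.
    $sp = Get-AzADServicePrincipal -DisplayName $DisplayName
    if (-not $sp) {
        $sp = New-AzADServicePrincipal -DisplayName $DisplayName
    }
    return $sp
}

function Grant-ScopedRole {
    param([string]$ObjectId, [string]$RoleName, [string]$Scope)
    # Idempotent: skip when an identical assignment already exists at this scope.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
        Write-Output "Assigned $RoleName on $Scope"
    }
}

function Test-ExpectedAssignments {
    # $ExpectedScopes maps scope -> role name. Newly created assignments can take a
    # short while to become visible, so a first failure may simply be propagation delay.
    param([string]$ObjectId, [hashtable]$ExpectedScopes)
    $ok = $true
    foreach ($scope in $ExpectedScopes.Keys) {
        $role  = $ExpectedScopes[$scope]
        $found = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $role -Scope $scope
        if (-not $found) {
            Write-Warning "Missing assignment: $role on $scope"
            $ok = $false
        }
    }
    return $ok
}

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

$sp      = New-DomainJoinServicePrincipal -DisplayName $ServicePrincipalName
$vmScope = (Get-AzVM -Name $VMName -ResourceGroupName $ResourceGroupName).Id
$aaScope = (Get-AzResource -ResourceType 'Microsoft.Automation/automationAccounts' `
               -Name $AutomationAccount -ResourceGroupName $ResourceGroupName).ResourceId

Grant-ScopedRole -ObjectId $sp.Id -RoleName $VMRoleName  -Scope $vmScope
Grant-ScopedRole -ObjectId $sp.Id -RoleName 'Contributor' -Scope $aaScope

# Store the account that is allowed to join computers to the managed domain as an
# Automation credential asset; the runbook later reads it with Get-AutomationPSCredential.
$domainJoinCred = Get-Credential -Message 'Account permitted to join computers to the managed domain'
New-AzAutomationCredential -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccount `
    -Name $CredentialAssetName -Value $domainJoinCred | Out-Null

$verified = Test-ExpectedAssignments -ObjectId $sp.Id -ExpectedScopes @{
    $vmScope = $VMRoleName
    $aaScope = 'Contributor'
}
if (-not $verified) {
    throw 'Role assignments did not verify; review them before running the runbook.'
}
Write-Output "Service principal $($sp.DisplayName) ($($sp.Id)) is ready."
```

The client secret generated alongside the service principal is not written anywhere by this script; keep it in Key Vault or the Automation account's own credential store rather than in a file, and note that the domain-join account prompted for here needs only the right to join computers to the managed domain, not domain-wide administrative rights.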

Step 4: Preparing the PowerShell Script

  • Write the PowerShell Script
    • Use the following script as a base:

      # Domain to join; replace with your managed domain name
      $domain = 'yourdomain.com'
      # Read the join account from the Automation credential asset instead of hard-coding it
      $credential = Get-AutomationPSCredential -Name 'DomainJoinCredential'
      # Join the local computer to the domain, then reboot to complete the join
      Add-Computer -DomainName $domain -Credential $credential
      Restart-Computer

    (This script retrieves the domain name and credential, adds the VM to the domain, and then restarts it.)

  • Add the Script to the Runbook
    • Open the Runbook in Azure Automation
    • Paste the script into the editor and publish the runbook
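The base script above joins unconditionally and gives the job no way to explain a failure. The following runbook is an added example (not the post's script) that keeps the same three actions but first checks whether the machine is already a member of the domain, confirms the domain name resolves (the managed domain's DNS servers must be configured on the virtual network for this to succeed), retries the join a bounded number of times, and throws on final failure so the job is marked Failed in the Jobs view. It assumes the runbook executes on the Windows VM being joined (for example on a Hybrid Runbook Worker), because Add-Computer acts on the local machine; the parameter and function names are this example's own.

```powershell
# Added example, not the post's own runbook. Assumes execution on the target Windows VM.
param(
    [Parameter(Mandatory = $true)] [string]$DomainName,
    [string]$CredentialAssetName = 'DomainJoinCredential',
    [int]$MaxAttempts = 3,
    [int]$RetryDelaySeconds = 30
)

function Test-AlreadyJoined {
    # Idempotency: a second run against an already-joined VM must not fail the job.
    param([string]$DomainName)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return ($cs.PartOfDomain -and ($cs.Domain -ieq $DomainName))
}

function Test-DomainResolvable {
    # Fails fast with a clear message when the VNet DNS does not point at the managed domain.
    param([string]$DomainName)
    try {
        $null = Resolve-DnsName -Name $DomainName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Join-DomainWithRetry {
    param([string]$DomainName, [pscredential]$Credential, [int]$MaxAttempts, [int]$DelaySeconds)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            Add-Computer -DomainName $DomainName -Credential $Credential -ErrorAction Stop
            Write-Output "Joined $DomainName on attempt $attempt."
            return $true
        } catch {
            # Warnings land in the job's Warning stream, so each failed attempt is visible.
            Write-Warning "Attempt $attempt of $MaxAttempts failed: $($_.Exception.Message)"
            if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds $DelaySeconds }
        }
    }
    return $false
}

if (Test-AlreadyJoined -DomainName $DomainName) {
    Write-Output "$env:COMPUTERNAME is already a member of $DomainName; nothing to do."
    return
}

if (-not (Test-DomainResolvable -DomainName $DomainName)) {
    throw "Cannot resolve $DomainName; check the virtual network DNS settings before retrying."
}

# The credential asset is read at run time, so no password is embedded in the runbook.
$credential = Get-AutomationPSCredential -Name $CredentialAssetName
if (-not $credential) {
    throw "Credential asset '$CredentialAssetName' was not found in this Automation account."
}

if (Join-DomainWithRetry -DomainName $DomainName -Credential $credential `
        -MaxAttempts $MaxAttempts -DelaySeconds $RetryDelaySeconds) {
    Restart-Computer -Force
} else {
    # A thrown error marks the job as Failed, which is what job alerts should key on.
    throw "Domain join of $env:COMPUTERNAME to $DomainName failed after $MaxAttempts attempts."
}
```

Add-Computer is a Windows PowerShell cmdlet, so publish this as a PowerShell 5.1 runbook rather than a PowerShell 7 one.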

Step 5: Executing the Runbook

  • Start the Runbook
    • Navigate to ‘Runbooks’ in Azure Automation
    • Select the created Runbook and click ‘Start’ to execute it
    • Enter any required parameters

Monitoring and Troubleshooting

  • Track Runbook Jobs: Regularly check the ‘Jobs’ section in Azure Automation to monitor the status and health of your Runbook executions
  • Examine Job Outputs: Click on specific jobs to view detailed outputs and error logs, which help you understand the success or failure of the automation tasks
  • Error Analysis: Review error messages and stack traces to troubleshoot and resolve issues that caused job failures
  • Use the Test Pane: Use the Test Pane in the Runbook editor for debugging before full deployment, so you can catch and fix issues early
  • Configure Alerts: Set alerts for job failures or long execution times so you can respond to potential problems quickly
  • Retry Logic and Automated Remediation: Implement retry mechanisms in your scripts and, where possible, automated fixes for known issues to improve reliability
  • Maintain Documentation: Keep a record of troubleshooting steps for common issues to speed up future problem-solving
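The portal steps above can also be driven from a workstation or pipeline. The script below is an added example (not from the post) that starts the runbook with the service principal's permissions, polls the job until it reaches a terminal state or a timeout, prints every record from the job's streams so the Error and Warning entries the troubleshooting list refers to are visible without opening the portal, and exits non-zero when the job did not complete. The runbook name, the parameters it is started with, and the function names are assumptions of this example.

```powershell
# Added example, not from the original post. Names are placeholders; the runbook is
# assumed to accept -DomainName and -CredentialAssetName parameters.
param(
    [string]$ResourceGroupName     = 'YourResourceGroupName',
    [string]$AutomationAccountName = 'YourAutomationAccountName',
    [string]$RunbookName           = 'Join-VmToDomain',
    [string]$DomainName            = 'yourdomain.com',
    [int]$TimeoutMinutes           = 20
)

function Start-JoinJob {
    param([hashtable]$RunbookParameters)
    # Returns the job object immediately; the runbook itself runs asynchronously.
    return Start-AzAutomationRunbook -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $RunbookName -Parameters $RunbookParameters
}

function Wait-JobCompletion {
    param([guid]$JobId, [int]$TimeoutMinutes)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    # Suspended is included because a suspended job will not progress without intervention.
    $terminal = @('Completed', 'Failed', 'Stopped', 'Suspended')
    do {
        Start-Sleep -Seconds 15
        $job = Get-AzAutomationJob -ResourceGroupName $ResourceGroupName `
            -AutomationAccountName $AutomationAccountName -Id $JobId
        Write-Output "$(Get-Date -Format s) job $JobId status: $($job.Status)"
    } until (($terminal -contains $job.Status) -or ((Get-Date) -gt $deadline))
    return $job
}

function Show-JobStreams {
    param([guid]$JobId)
    # 'Any' returns Output, Warning, Error and Verbose records together; thrown
    # exceptions and Add-Computer failures appear in the Error stream.
    Get-AzAutomationJobOutput -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Id $JobId -Stream Any |
        ForEach-Object { '{0} [{1}] {2}' -f $_.Time, $_.Type, $_.Summary }
}

$job = Start-JoinJob -RunbookParameters @{
    DomainName          = $DomainName
    CredentialAssetName = 'DomainJoinCredential'
}
Write-Output "Started job $($job.JobId)"

$job = Wait-JobCompletion -JobId $job.JobId -TimeoutMinutes $TimeoutMinutes
Show-JobStreams -JobId $job.JobId

if ($job.Status -ne 'Completed') {
    throw "Runbook job $($job.JobId) ended with status '$($job.Status)'; see the stream records above."
}
```

If the runbook runs on a Hybrid Runbook Worker group rather than in the Azure sandbox, add `-RunOn <worker group name>` to the Start-AzAutomationRunbook call; the polling and stream retrieval are unchanged.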

Conclusion

This automation approach for adding Azure VMs to Active Directory using Azure AD DS and Azure Automation marks a significant step forward in efficient cloud resource management. Leveraging Azure AD DS eliminates complex traditional domain controller setups, while Azure Automation streamlines deployment. Using a Service Principal for authentication enhances security by controlling access and maintaining audit trails. This method saves time and reduces potential human error, which is crucial for system integrity. The flexibility of the PowerShell script allows for customization according to specific needs, and Azure Automation’s monitoring capabilities add operational efficacy. This solution offers a secure, efficient, and scalable way to integrate VMs with Active Directory, meeting modern IT infrastructure demands.
