Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.5.3. 💡 First Principle: Microsoft Entra Domain Services

First Principle: Microsoft Entra Domain Services provides managed domain services—such as domain join, group policy, LDAP, and Kerberos/NTLM authentication—without requiring you to deploy, manage, or patch domain controllers. Its core purpose is to enable legacy applications that depend on traditional Active Directory to run in Azure without complex infrastructure.

Many enterprise applications were built decades ago to rely on Active Directory's domain services. Migrating these applications to the cloud would typically require either running domain controllers in Azure (adding management overhead) or re-architecting the application (costly and risky). Entra Domain Services solves this by providing a fully managed domain that's synchronized with Microsoft Entra ID.

Key Concepts:
  • Managed domain: Microsoft deploys and manages the domain controllers—you don't need to maintain VMs or apply patches.
  • Sync with Entra ID: Users and groups are synchronized from your Entra ID tenant, enabling single sign-on across cloud and legacy apps.
  • Supports legacy protocols: LDAP, Kerberos, NTLM, and Group Policy work just like traditional AD DS.
  • Not a replacement for on-premises AD DS: It's a complement for cloud workloads, not a full domain controller replacement.

Scenario: A company is migrating a legacy line-of-business application to Azure VMs. This application requires domain-joined servers and uses LDAP queries for authentication. They don't want to deploy and manage their own domain controllers in Azure.

Reflection Question: How does Microsoft Entra Domain Services enable this "lift-and-shift" migration without requiring the company to manage domain controller infrastructure in the cloud?

💡 Tip: Remember that Microsoft Entra ID = modern cloud identity (OAuth, SAML, OIDC), while Microsoft Entra Domain Services = managed traditional domain services (LDAP, Kerberos, domain join) for legacy apps.

Written by Alvin Varughese, Founder, 15 professional certifications