
Commit 7a9cfcd

Merge pull request #112480 from nicolehaugen/RemoveDomainJoin
Remove scenarios that require domain joining
2 parents d9f30aa + bd2d67d commit 7a9cfcd

File tree

4 files changed: +5 −70 lines changed


articles/lab-services/administrator-guide.md

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -202,6 +202,9 @@ To obtain lab VMs with unique SID, create a lab without a template VM. You must
202202

203203
If you plan to use an endpoint management tool or similar software, we recommend that you don't use template VMs for your labs.
204204

205+
## Azure AD register/join, Hybrid Azure AD join, or AD domain join
206+
To make labs easy to set up and manage, Azure Lab Services is designed with *no* requirement to register/join lab VMs to either Active Directory (AD) or Azure Active Directory (Azure AD). As a result, Azure Lab Services *doesn’t* currently offer built-in support to register/join lab VMs. Although it's possible to Azure AD register/join, Hybrid Azure AD join, or AD domain join lab VMs using other mechanisms, we do *not* recommend that you attempt to register/join lab VMs to either AD or Azure AD due to product limitations.
207+
205208
## Pricing
206209

207210
### Azure Lab Services
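Review bot: the new section at lines 205-207 says register/join is not recommended "due to product limitations" but names none of them, so an administrator who already has Hybrid Azure AD joined or AD domain joined lab VMs cannot judge what breaks or how to migrate off it; state the limitations in one sentence or link to where they are documented, and cross-reference the "Set up line-of-sight to domain controller" row this PR adds to concept-lab-services-supported-networking-scenarios.md so both pages give the same guidance. Minor: the new text uses a curly apostrophe in "doesn’t" while the context line at 203 uses a straight one in "don't".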

articles/lab-services/concept-lab-services-supported-networking-scenarios.md

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -35,6 +35,7 @@ The following table lists common networking scenarios and topologies and their s
3535
| Use a connection broker, such as Parsec, for high-framerate gaming scenarios | Not recommended | This scenario isn’t directly supported with Azure Lab Services and would run into the same challenges as accessing lab VMs by private IP address. |
3636
| *Cyber field* scenario, consisting of a set of vulnerable VMs on the network for lab users to discover and hack into (ethical hacking) | Yes | This scenario works with advanced networking for lab plans. Learn about the [ethical hacking class type](./class-type-ethical-hacking.md). |
3737
| Enable using Azure Bastion for lab VMs | No | Azure Bastion isn't supported in Azure Lab Services. |
38+
| Set up line-of-sight to domain controller | Not recommended | Line-of-sight from a lab to a domain controller is required to Hybrid Azure AD join or AD domain join VMs; however, we currently do *not* recommend that lab VMs be Azure AD joined/registered, Hybrid Azure AD joined, or AD domain joined due to product limitations. |
3839

3940
## Next steps
4041
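Review bot: the new row at line 38 mixes two different mechanisms: line-of-sight to a domain controller is needed only for Hybrid Azure AD join or AD domain join, yet the Consideration cell also lists "Azure AD joined/registered", which needs no domain controller at all. Restrict the rationale to the two join types that depend on the domain controller, and either name the "product limitations" or link that phrase to the administrator guide section added in this PR, since the table cell is where readers will look for the actual risk of opening that network path.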

articles/lab-services/how-to-attach-external-storage.md

Lines changed: 0 additions & 57 deletions
Original file line number | Diff line number | Diff line change
@@ -22,7 +22,6 @@ The following table lists important considerations for each external storage sol
2222
| -------------- | ------------------------ |
2323
| [Azure Files share with public endpoint](#azure-files-share) | <ul><li>Everyone has read/write access.</li><li>No virtual network peering is required.</li><li>Accessible to all VMs, not just lab VMs.</li><li>If you're using Linux, lab users have access to the storage account key.</li></ul> |
2424
| [Azure Files share with private endpoint](#azure-files-share) | <ul><li>Everyone has read/write access.</li><li>Virtual network peering is required.</li><li>Accessible only to VMs on the same network (or a peered network) as the storage account.</li><li>If you're using Linux, lab users have access to the storage account key.</li></ul> |
25-
| [Azure Files with identity-based authorization](#azure-files-with-identity-based-authorization) | <ul><li>Either read or read/write access permissions can be set for folder or file.</li><li>Virtual network peering is required.</li><li>Storage account must be connected to Active Directory.</li><li>Lab VMs must be domain-joined.</li><li>Storage account key isn't used for lab users to connect to the file share.</li></ul> |
2625
| [Azure NetApp Files with NFS volumes](#azure-netapp-files-with-nfs-volumes) | <ul><li>Either read or read/write access can be set for volumes.</li><li>Permissions are set by using a lab VM’s IP address.</li><li>Virtual network peering is required.</li><li>You might need to register to use the Azure NetApp Files service.</li><li>Linux only.</li></ul>
2726

2827
The cost of using external storage isn't included in the cost of using Azure Lab Services. For more information about pricing, see [Azure Files pricing](https://azure.microsoft.com/pricing/details/storage/files/) and [Azure NetApp Files pricing](https://azure.microsoft.com/pricing/details/netapp/).
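Review bot: deleting the identity-based row at line 25 leaves every remaining Azure Files option in the table with "Everyone has read/write access" and, on Linux, "lab users have access to the storage account key", so the table no longer offers any least-privilege option for SMB shares but does not say so. Add a sentence after the table stating that per-user or per-folder permissions through identity-based authorization are not supported for lab VMs, so readers do not go looking for it elsewhere. Pre-existing nit in the context at line 26: the Azure NetApp Files row ends with `</ul>` and is missing the closing `|` that the other rows have.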
@@ -135,62 +134,6 @@ Lab users should run `mount -a` to remount directories.
135134

136135
For more general information, see [Use Azure Files with Linux](/azure/storage/files/storage-how-to-use-files-linux).
137136

138-
## Azure Files with identity-based authorization
139-
140-
Azure Files shares can also be accessed by using Active Directory authentication, if the following are both true:
141-
142-
- The lab VM is domain-joined.
143-
- Active Directory authentication is [enabled on the Azure Storage account](/azure/storage/files/storage-files-active-directory-overview) that hosts the file share.
144-
145-
The network drive is mounted on the virtual machine by using the user’s identity, not the key to the storage account. Public or private endpoints provide access to the storage account.
146-
147-
Keep in mind the following important points:
148-
149-
- You can set permissions on a directory or file level.
150-
- You can use current user credentials to authenticate to the file share.
151-
152-
For a public endpoint, the virtual network for the storage account doesn't have to be connected to the lab virtual network. You can create the file share anytime before the template VM is published.
153-
154-
For a private endpoint:
155-
156-
- Access is restricted to traffic originating from the private network, and can’t be accessed through the public internet. Only VMs in the private virtual network, VMs in a network peered to the private virtual network, or machines connected to a VPN for the private network, can access the file share.
157-
- This approach requires the file share virtual network to be connected to the lab. To enable advanced networking for labs, see [Connect to your virtual network in Azure Lab Services using vnet injection](how-to-connect-vnet-injection.md). VNet injection must be done during lab plan creation.
158-
159-
To create an Azure Files share that's enabled for Active Directory authentication, and to domain-join the lab VMs, follow these steps:
160-
161-
1. Create an [Azure Storage account](/azure/storage/files/storage-how-to-create-file-share).
162-
1. If you've chosen the private method, create a [private endpoint](/azure/private-link/tutorial-private-endpoint-storage-portal) in order for the file shares to be accessible from the virtual network. Create a [private DNS zone](/azure/dns/private-dns-privatednszone), or use an existing one. Private Azure DNS zones provide name resolution within a virtual network.
163-
1. Create an [Azure file share](/azure/storage/files/storage-how-to-create-file-share).
164-
1. Follow the steps to enable identity-based authorization. If you're using Active Directory on-premises, and you're synchronizing it with Azure Active Directory (Azure AD), see [On-premises Active Directory Domain Services authentication over SMB for Azure file shares](/azure/storage/files/storage-files-identity-auth-active-directory-enable). If you're using only Azure AD, see [Enable Azure Active Directory Domain Services authentication on Azure Files](/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable).
165-
>[!IMPORTANT]
166-
>Talk to the team that manages your Active Directory instance to verify that all prerequisites listed in the instructions are met.
167-
1. Assign SMB share permission roles in Azure. For details about permissions that are granted to each role, see [share-level permissions](/azure/storage/files/storage-files-identity-ad-ds-assign-permissions).
168-
- **Storage File Data SMB Share Elevated Contributor** role must be assigned to the person or group that grants permissions for contents of the file share.
169-
- **Storage File Data SMB Share Contributor** role should be assigned to lab users who need to add or edit files on the file share.
170-
- **Storage File Data SMB Share Reader** role should be assigned to lab users who only need to read the files from the file share.
171-
172-
1. Set up directory-level and/or file-level permissions for the file share. You must set up permissions from a domain-joined machine that has network access to the file share. To modify directory-level and/or file-level permissions, mount the file share by using the storage key, not your Azure AD credentials. To assign permissions, use the [Set-Acl](/powershell/module/microsoft.powershell.security/set-acl) PowerShell command, or [icacls](/windows-server/administration/windows-commands/icacls) in Windows.
173-
1. [Connect to your virtual network in Azure Lab Services](how-to-connect-vnet-injection.md).
174-
1. [Create the lab](how-to-manage-labs.md).
175-
1. Save a script on the template VM that lab users can run to connect to the network drive:
176-
1. Open the storage account in the Azure portal.
177-
1. Under **File Service**, select **File Shares**.
178-
1. Find the share that you want to connect to, select the ellipses button on the far right, and choose **Connect**.
179-
1. The page shows instructions for Windows, Linux, and macOS. If you're using Windows, set **Authentication method** to **Active Directory**.
180-
1. Copy the code in the example, and save it on the template machine in a `.ps1` file for Windows, or an `.sh` file for Linux.
181-
182-
1. On the template machine, download and run the script to [join lab user machines to the domain](https://aka.ms/azlabs/scripts/ActiveDirectoryJoin).
183-
184-
The `Join-AzLabADTemplate` script [publishes the template VM](how-to-create-manage-template.md#publish-the-template-vm) automatically.
185-
186-
> [!NOTE]
187-
> The template machine isn't domain-joined. To view files on the share, educators need to use a lab VM for themselves.
188-
189-
1. Connect to the Azure Files share from the lab VM.
190-
191-
- Lab users on Windows can connect to the Azure Files share by using [File Explorer](/azure/storage/files/storage-how-to-use-files-windows) with their credentials, after they've been given the path to the file share. Alternately, lab users can run the script you saved earlier to connect to the network drive.
192-
- For lab users who are using Linux, run the script you saved previously to connect to the network drive.
193-
194137
## Azure NetApp Files with NFS volumes
195138

196139
[Azure NetApp Files](https://azure.microsoft.com/services/netapp/) is an enterprise-class, high-performance, metered file storage service.
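Review bot: removing the whole section (lines 138-193) also removes the heading anchor `#azure-files-with-identity-based-authorization`; the table row in this file that pointed to it is deleted in the earlier hunk, but other articles may still link to it, so search the repo for that anchor before merging. This section was also the only place the page documented directory-level and file-level permissions (Set-Acl/icacls) and the `Join-AzLabADTemplate` script; if that script stays published at the aka.ms link, keep a one-line note that domain join is no longer a supported path and point to the administrator guide, so readers who find the script do not treat it as the current recommendation.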

articles/lab-services/how-to-prepare-windows-template.md

Lines changed: 1 addition & 13 deletions
Original file line number | Diff line number | Diff line change
@@ -98,18 +98,6 @@ New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
9898
-Name "FilesOnDemandEnabled" -Value "00000001" -PropertyType DWORD
9999
```
100100

101-
### Silently sign in users to OneDrive
102-
103-
You can configure OneDrive to automatically sign in with the Windows credentials of the logged on lab user. Automatic sign-in is useful for scenarios where lab users signs in with their organizational account.
104-
105-
Use the following PowerShell script to enable automatic sign-in:
106-
107-
```powershell
108-
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
109-
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
110-
-Name "SilentAccountConfig" -Value "00000001" -PropertyType DWORD
111-
```
112-
113101
### Disable the OneDrive tutorial
114102

115103
By default, after you finish the OneDrive setup, a tutorial is launched in the browser. Use the following script to disable the tutorial from showing:
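Review bot: the removed section (lines 101-112) owned the anchor `#silently-sign-in-users-to-onedrive`, which the second hunk of this file updates in the one in-page reference, but confirm no other article links to it. The deletion matches the PR's goal, since silent account configuration relies on organizational credentials on the lab VM; a short sentence saying so would help readers who reach this page looking for that setting. Pre-existing point in the context at lines 97-98 (the `New-ItemProperty` command shown in the hunk header and the `-Name` line that follows): the call is split across two lines, and unless that break is followed by a backtick continuation, `-Name "FilesOnDemandEnabled" -Value "00000001" -PropertyType DWORD` runs as a separate statement and the property is never created; the deleted script had the same shape.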
@@ -122,7 +110,7 @@ New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
122110

123111
### Set the maximum download size of a user's OneDrive
124112

125-
To prevent that OneDrive automatically uses a large amount of disk space on the lab virtual machine when syncing files, you can configure a maximum size threshold. When a lab user has a OneDrive that's larger than the threshold (in MB), the user receives a prompt to choose which folders they want to sync before the OneDrive sync client (OneDrive.exe) downloads the files to the machine. This setting is used in combination with [automatic sign-in of users to OneDrive](#silently-sign-in-users-to-onedrive) and where [on-demand files](#use-onedrive-files-on-demand) isn't enabled.
113+
To prevent that OneDrive automatically uses a large amount of disk space on the lab virtual machine when syncing files, you can configure a maximum size threshold. When a lab user has a OneDrive that's larger than the threshold (in MB), the user receives a prompt to choose which folders they want to sync before the OneDrive sync client (OneDrive.exe) downloads the files to the machine. This setting is used where [on-demand files](#use-onedrive-files-on-demand) isn't enabled.
126114

127115
Use the following PowerShell script to set the maximum size threshold. In our example, `1111-2222-3333-4444` is the organization ID and `0005000` sets a threshold of 5 GB.
128116
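Review bot: the rewritten paragraph at line 113 still opens with "To prevent that OneDrive automatically uses", which should read "To prevent OneDrive from automatically using"; since the line is already being changed, fix it here. Also, the sentence now says the threshold applies "where on-demand files isn't enabled", while the earlier section of this same article (context at lines 97-98) sets `FilesOnDemandEnabled` to 1; state explicitly that the download-size threshold is the alternative for templates where you choose not to enable Files On-Demand, otherwise readers following the page top to bottom configure a setting the page says does not apply to their VM.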
