Commit df67637

[AzureADDS] Freshness updates on additional docs
1 parent 90fefc7 commit df67637

5 files changed

+53
-48
lines changed

Lines changed: 44 additions & 41 deletions
@@ -1,89 +1,92 @@
11
---
22
title: Azure AD Domain Services for Cloud Solution Providers | Microsoft Docs
3-
description: Azure Active Directory Domain Services for Azure Cloud Solution Providers.
3+
description: Learn how to enable and manage Azure Active Directory Domain Services manager domains for Azure Cloud Solution Providers
44
services: active-directory-ds
5-
documentationcenter: ''
65
author: iainfoulds
7-
manager: mahesh-unnikrishnan
8-
editor: curtand
96

107
ms.assetid: 56ccb219-11b2-4e43-9f07-5a76e3cd8da8
118
ms.service: active-directory
129
ms.subservice: domain-services
1310
ms.workload: identity
14-
ms.tgt_pltfrm: na
15-
ms.devlang: na
1611
ms.topic: conceptual
17-
ms.date: 12/08/2017
12+
ms.date: 03/31/2020
1813
ms.author: iainfou
19-
---
2014

21-
# Azure Active Directory (AD) Domain Services for Azure Cloud Solution Providers (CSP)
22-
This article explains how you can use Azure AD Domain Services in an Azure CSP subscription.
15+
---
16+
# Azure Active Directory Domain Services deployment and management for Azure Cloud Solution Providers
2317

24-
## Overview of Azure CSP
25-
Azure CSP is a program for Microsoft Partners and provides a license channel for various Microsoft cloud services. Azure CSP enables partners to manage sales, own the billing relationship, provide technical and billing support, and be the customer's single point of contact. In addition, Azure CSP provides a full set of tools, including a self-service portal and accompanying APIs. These tools enable CSP partners to easily provision and manage Azure resources, and provide billing for customers and their subscriptions.
18+
Azure Cloud Solution Providers (CSP) is a program for Microsoft Partners and provides a license channel for various Microsoft cloud services. Azure CSP enables partners to manage sales, own the billing relationship, provide technical and billing support, and be the customer's single point of contact. In addition, Azure CSP provides a full set of tools, including a self-service portal and accompanying APIs. These tools enable CSP partners to easily provision and manage Azure resources, and provide billing for customers and their subscriptions.
2619

27-
The [Partner Center portal](https://docs.microsoft.com/azure/cloud-solution-provider/overview/partner-center-overview) acts as an entry point for all Azure CSP partners. It provides rich customer management capabilities, automated processing, and more. Azure CSP partners can use Partner Center capabilities by using a web-based UI or by using PowerShell and various API calls.
20+
The [Partner Center portal](https://docs.microsoft.com/azure/cloud-solution-provider/overview/partner-center-overview) is the entry point for all Azure CSP partners, and provides rich customer management capabilities, automated processing, and more. Azure CSP partners can use Partner Center capabilities by using a web-based UI or by using PowerShell and various API calls.
2821

29-
The following diagram illustrates how the CSP model works at a high level. Contoso has an Azure AD Active Directory. They have a partnership with a CSP, who deploys and manages resources in their Azure CSP subscription. Contoso may also have regular (direct) Azure subscriptions, which are billed directly to Contoso.
22+
The following diagram illustrates how the CSP model works at a high level. Here, Contoso has an Azure Active Directory (Azure AD) tenant. They have a partnership with a CSP, who deploys and manages resources in their Azure CSP subscription. Contoso may also have regular (direct) Azure subscriptions, which are billed directly to Contoso.
3023

3124
![Overview of the CSP model](./media/csp/csp_model_overview.png)
3225

33-
The CSP partner's tenant has three special agent groups - Admin agents, Helpdesk agents, and Sales agents. The Admin agents group is assigned to the tenant administrator role in Contoso's Azure AD directory. As a result, a user belonging to the CSP partner's admin agents group has tenant admin privileges in Contoso's Azure AD directory. When the CSP partner provisions an Azure CSP subscription for Contoso, their admin agents group is assigned to the owner role for that subscription. As a result, the CSP partner's admin agents have the required privileges to provision Azure resources such as virtual machines, virtual networks, and Azure AD Domain Services on behalf of Contoso.
26+
The CSP partner's tenant has three special agent groups - *Admin* agents, *Helpdesk* agents, and *Sales* agents.
27+
28+
The *Admin* agents group is assigned to the tenant administrator role in Contoso's Azure AD tenant. As a result, a user belonging to the CSP partner's admin agents group has tenant admin privileges in Contoso's Azure AD tenant.
29+
30+
When the CSP partner provisions an Azure CSP subscription for Contoso, their admin agents group is assigned to the owner role for that subscription. As a result, the CSP partner's admin agents have the required privileges to provision Azure resources such as virtual machines, virtual networks, and Azure AD Domain Services on behalf of Contoso.
3431

3532
For more information, see the [Azure CSP overview](https://docs.microsoft.com/azure/cloud-solution-provider/overview/azure-csp-overview)
3633

37-
## Benefits of using Azure AD Domain Services in an Azure CSP subscription
38-
Azure AD Domain Services provides Windows Server AD compatible services in Azure such as LDAP, Kerberos/NTLM authentication, domain join, group policy, and DNS. Over the decades, many applications have been built to work against AD using these capabilities. Many independent software vendors (ISVs) have built and deployed applications at their customers' premises. These applications are onerous to support since that often requires access to the different environments in which these applications are deployed. With Azure CSP subscriptions, you have a simpler alternative with the scale and flexibility of Azure.
34+
## Benefits of using Azure AD DS in an Azure CSP subscription
3935

40-
Azure AD Domain Services now supports Azure CSP subscriptions. You can now deploy your application in an Azure CSP subscription tied to your customer's Azure AD directory. As a result, your employees (support staff) can manage, administer, and service the virtual machines on which your application is deployed using your organization's corporate credentials. Further, you can provision an Azure AD Domain Services managed domain for your customer's Azure AD directory. Your application is connected to your customer's managed domain. Therefore, capabilities within your application that rely on Kerberos/NTLM, LDAP, or the [System.DirectoryServices API](/dotnet/api/system.directoryservices) work seamlessly against your customer's directory. Your end customers benefit greatly from consuming your application as a service, without needing to worry about maintaining the infrastructure the application is deployed on.
36+
Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory Domain Services. Over the decades, many applications have been built to work against AD using these capabilities. Many independent software vendors (ISVs) have built and deployed applications at their customers' premises. These applications are hard to support since you often need require access to the different environments where the applications are deployed. With Azure CSP subscriptions, you have a simpler alternative with the scale and flexibility of Azure.
4137

42-
All billing for Azure resources you consume in that subscription, including Azure AD Domain Services, is charged back to you. You maintain full control over the relationship with the customer when it comes to sales, billing, technical support etc. With the flexibility of the Azure CSP platform, a small team of support agents can service many such customers who have instances of your application deployed.
38+
Azure AD DS supports Azure CSP subscriptions. You can deploy your application in an Azure CSP subscription tied to your customer's Azure AD tenant. As a result, your employees (support staff) can manage, administer, and service the VMs on which your application is deployed using your organization's corporate credentials.
4339

40+
You can also deply an Azure AD DS managed domain in your customer's Azure AD tenant. Your application is then connected to your customer's managed domain. Capabilities within your application that rely on Kerberos / NTLM, LDAP, or the [System.DirectoryServices API](/dotnet/api/system.directoryservices) work seamlessly against your customer's domain. End customers benefit from consuming your application as a service, without needing to worry about maintaining the infrastructure the application is deployed on.
4441

45-
## CSP deployment models for Azure AD Domain services
46-
There are two ways in which you can use Azure AD Domain Services with an Azure CSP subscription. Pick the right one based on the security and simplicity considerations your customers have.
42+
All billing for Azure resources you consume in that subscription, including Azure AD DS, is charged back to you. You maintain full control over the relationship with the customer when it comes to sales, billing, technical support etc. With the flexibility of the Azure CSP platform, a small team of support agents can service many such customers who have instances of your application deployed.
43+
44+
## CSP deployment models for Azure AD DS
45+
46+
There are two ways in which you can use Azure AD DS with an Azure CSP subscription. Pick the right one based on the security and simplicity considerations your customers have.
4747

4848
### Direct deployment model
49-
In this deployment model, Azure AD Domain Services is enabled within a virtual network belonging to the Azure CSP subscription. The CSP partner's admin agents have the following privileges:
50-
* Global administrator privileges in the customer's Azure AD directory.
51-
* Subscription owner privileges on the Azure CSP subscription.
5249

53-
![Direct deployment model](./media/csp/csp_direct_deployment_model.png)
50+
In this deployment model, Azure AD DS is enabled within a virtual network that belongs to the Azure CSP subscription. The CSP partner's admin agents have the following privileges:
5451

55-
In this deployment model, the CSP provider's admin agents can administer identities for the customer. These admin agents have the ability to provision new users, groups, add applications within the customer's Azure AD directory etc. This deployment model may be suited for smaller organizations that do not have a dedicated identity administrator or prefer for the CSP partner to administer identities on their behalf.
52+
* *Global administrator* privileges in the customer's Azure AD tenant.
53+
* *Subscription owner* privileges on the Azure CSP subscription.
5654

55+
![Direct deployment model](./media/csp/csp_direct_deployment_model.png)
56+
57+
In this deployment model, the CSP provider's admin agents can administer identities for the customer. These admin agents have the ability to provision new users, groups, add applications within the customer's Azure AD tenant etc. This deployment model may be suited for smaller organizations that don't have a dedicated identity administrator or prefer for the CSP partner to administer identities on their behalf.
5758

5859
### Peered deployment model
59-
In this deployment model, Azure AD Domain Services is enabled within a virtual network belonging to the customer - that is, a direct Azure subscription paid for by the customer. The CSP partner can then deploy applications within a virtual network belonging to the customer's CSP subscription. The virtual networks can then be connected using Azure virtual network peering. As a result, the workloads/applications deployed by the CSP partner in the Azure CSP subscription can connect to the customer's managed domain provisioned in the customer's direct Azure subscription.
60+
61+
In this deployment model, Azure AD DS is enabled within a virtual network belonging to the customer - a direct Azure subscription paid for by the customer. The CSP partner can then deploy applications within a virtual network belonging to the customer's CSP subscription. The virtual networks can then be connected using Azure virtual network peering.
62+
63+
With this deployment, the workloads or applications deployed by the CSP partner in the Azure CSP subscription can connect to the customer's managed domain provisioned in the customer's direct Azure subscription.
6064

6165
![Peered deployment model](./media/csp/csp_peered_deployment_model.png)
6266

63-
This deployment model provides a separation of privileges and enables the CSP partner's helpdesk agents to administer the Azure subscription and deploy and manage resources within it. However, the CSP partner's helpdesk agents do not need to have global administrator privileges on the customer's Azure AD directory. The customer's identity administrators can continue to manage identities for their organization.
67+
This deployment model provides a separation of privileges and enables the CSP partner's helpdesk agents to administer the Azure subscription and deploy and manage resources within it. However, the CSP partner's helpdesk agents don't need to have global administrator privileges on the customer's Azure AD directory. The customer's identity administrators can continue to manage identities for their organization.
6468

65-
This deployment model may be suited to scenarios where an ISV (independent software vendor) provides a hosted version of their on-premises application, which also needs to connect to the customer's AD.
69+
This deployment model may be suited to scenarios where an ISV provides a hosted version of their on-premises application, which also needs to connect to the customer's AD.
6670

71+
## Administer Azure AD DS in CSP subscriptions
6772

68-
## Administering Azure AD Domain Services managed domains in CSP subscriptions
6973
The following important considerations apply when administering a managed domain in an Azure CSP subscription:
7074

71-
* **CSP admin agents can provision a managed domain using their credentials:** Azure AD Domain Services supports Azure CSP subscriptions. Therefore, users belonging to a CSP partner's admin agents group can provision a new Azure AD Domain Services managed domain.
75+
* **CSP admin agents can provision a managed domain using their credentials:** Azure AD DS supports Azure CSP subscriptions. Users belonging to a CSP partner's admin agents group can provision a new Azure AD DS managed domain.
7276

73-
* **CSPs can script creation of new managed domains for their customers using PowerShell:** See [how to enable Azure AD Domain Services using PowerShell](powershell-create-instance.md) for details.
77+
* **CSPs can script creation of new managed domains for their customers using PowerShell:** See [how to enable Azure AD DS using PowerShell](powershell-create-instance.md) for details.
7478

75-
* **CSP admin agents cannot perform ongoing management tasks on the managed domain using their credentials:** CSP admin users cannot perform routine management tasks within the managed domain using their credentials. These users are external to the customer's Azure AD directory and their credentials are not available within the customer's Azure AD directory. Therefore, Azure AD Domain Services does not have access to the Kerberos and NTLM password hashes for these users. As a result, such users cannot be authenticated on Azure AD Domain Services managed domains.
79+
* **CSP admin agents can't perform ongoing management tasks on the managed domain using their credentials:** CSP admin users can't perform routine management tasks within the managed domain using their credentials. These users are external to the customer's Azure AD tenant and their credentials aren't available within the customer's Azure AD tenant. Azure AD DS doesn't have access to the Kerberos and NTLM password hashes for these users, so users can't be authenticated on Azure AD DS managed domains.
7680

7781
> [!WARNING]
78-
> **You must create a user account within the customer's directory to perform ongoing administration tasks on the managed domain.**
79-
> You cannot sign in to the managed domain using a CSP admin user's credentials. Use the credentials of a user account belonging to the customer's Azure AD directory to do so. You need these credentials for tasks such as joining virtual machines to the managed domain, administering DNS, administering Group Policy etc.
82+
> You must create a user account within the customer's directory to perform ongoing administration tasks on the managed domain.
8083
>
84+
> You can't sign in to the managed domain using a CSP admin user's credentials. Use the credentials of a user account belonging to the customer's Azure AD tenant to do so. You need these credentials for tasks such as joining VMs to the managed domain, administering DNS, or administering Group Policy.
8185
82-
* **The user account created for ongoing administration must be added to the 'AAD DC Administrators' group:** The 'AAD DC Administrators' group has privileges to perform certain delegated administration tasks on the managed domain. These tasks include configuring DNS, creating organizational units, administering group policy etc. For a CSP partner to perform such tasks on a managed domain, a user account needs to be created within the customer's Azure AD directory. The credentials for this account must be shared with the CSP partner's admin agents. Also, this user account must be added to the 'AAD DC Administrators' group to enable configuration tasks on the managed domain to be performed using this user account.
83-
86+
* **The user account created for ongoing administration must be added to the *AAD DC Administrators* group:** The *AAD DC Administrators* group has privileges to perform certain delegated administration tasks on the managed domain. These tasks include configuring DNS, creating organizational units, and administering group policy.
87+
88+
For a CSP partner to perform these tasks on a managed domain, a user account must be created within the customer's Azure AD tenant. The credentials for this account must be shared with the CSP partner's admin agents. Also, this user account must be added to the *AAD DC Administrators* group to enable configuration tasks on the managed domain to be performed using this user account.
8489

8590
## Next steps
86-
* [Enroll in the Azure CSP program](https://docs.microsoft.com/partner-center/enrolling-in-the-csp-program) and start creating business through Azure CSP.
87-
* Review the list of [Azure services available in Azure CSP](https://docs.microsoft.com/azure/cloud-solution-provider/overview/azure-csp-available-services).
88-
* [Enable Azure AD Domain Services using PowerShell](powershell-create-instance.md)
89-
* [Get started with Azure AD Domain Services](tutorial-create-instance.md)
91+
92+
To get started, [enroll in the Azure CSP program](partner-center/enrolling-in-the-csp-program). You can then enable Azure AD Domain Services using [the Azure portal](tutorial-create-instance.md) or [Azure PowerShell](powershell-create-instance.md).
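Review bot: the Next steps link at line 92+ points to `partner-center/enrolling-in-the-csp-program`, a relative path that replaced the absolute `https://docs.microsoft.com/partner-center/enrolling-in-the-csp-program` from line 86-; from `articles/active-directory-domain-services/` that relative path will not resolve, so restore the absolute URL (the "Azure services available in Azure CSP" link at line 87- was also dropped without a replacement). Three wording slips in the added text: line 3+ "manager domains" should be "managed domains"; line 36+ "you often need require access" should be "you often need access", and the service list needs "and" before "Kerberos/NTLM authentication" with "that are fully compatible"; line 40+ "deply" should be "deploy". Line 67+ still reads "customer's Azure AD directory" while the rest of the hunk was changed to "tenant".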

articles/active-directory-domain-services/mismatched-tenant-error.md

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@ ms.service: active-directory
1010
ms.subservice: domain-services
1111
ms.workload: identity
1212
ms.topic: conceptual
13-
ms.date: 09/27/2019
13+
ms.date: 03/31/2020
1414
ms.author: iainfou
1515

1616
---
