
Microsoft Entra Domain Services for Small Business in Berlin

Not every application can authenticate against a cloud identity provider. Many line-of-business applications, legacy databases, file services, and internal tools were designed for a Windows Active Directory environment — they require Kerberos authentication, LDAP queries, NTLM fallback, or Group Policy support. Organizations with this type of infrastructure face a binary choice when moving to Azure: either maintain on-premises domain controllers indefinitely or replace every application that depends on AD before migrating. Microsoft Entra Domain Services (formerly Azure AD Domain Services / AADDS) provides a third option — a fully managed Active Directory domain service running in Azure that applications can join and authenticate against, without requiring an on-premises domain controller or synchronization infrastructure.

Entra Domain Services is not a replacement for on-premises AD in hybrid environments — it does not synchronize back to on-premises, does not support custom schema extensions, and does not expose the full Active Directory administrative surface. It is specifically suited for lift-and-shift migration scenarios and cloud-native applications that require traditional AD protocols without the operational burden of running domain controllers.

What Entra Domain Services provides

  • Managed domain controllers: Microsoft manages two domain controllers deployed into a dedicated Azure subnet within your virtual network. High availability, patching, backup, and replication are handled by the service. You do not have administrative access to the DCs themselves.
  • Kerberos and NTLM authentication: Applications and VMs joined to the managed domain authenticate using Kerberos v5 and NTLM — the same protocols as on-premises AD. Legacy applications that cannot use OAuth or SAML authenticate seamlessly.
  • LDAP support: Applications that query Active Directory via LDAP work against the managed domain. Secure LDAP (LDAPS) is configurable for applications that require encrypted LDAP connections.
  • Group Policy: A built-in set of GPOs is applied to the managed domain. Administrators can create additional GPOs and link them to OUs in the managed domain to apply configurations to joined VMs.
  • User synchronization from Entra ID: User accounts from Entra ID (via Entra Connect if hybrid, or cloud-only accounts) are synchronized into the managed domain. Existing Microsoft 365 accounts can authenticate against the managed domain without requiring separate accounts.
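The Secure LDAP item above is the one that most often fails quietly in practice: the managed domain serves a certificate that you upload, so every LDAPS client breaks the moment that certificate expires or its names do not cover the hostname applications actually use. The script below is an added example, not code from this article or from Microsoft. It performs the same TLS handshake a client would against the secure LDAP endpoint, then checks the certificate's DNS names and remaining validity. The hostname `ldaps.aaddscontoso.com`, the sample certificate dictionary and the 30-day renewal threshold are constructed for illustration.

```python
import socket
import ssl
import time
from datetime import datetime, timezone
from typing import List, Optional

LDAPS_PORT = 636
RENEWAL_WARNING_DAYS = 30  # constructed threshold; align it with your renewal process


def fetch_ldaps_certificate(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Complete a TLS handshake with the managed domain's secure LDAP endpoint and
    return the server certificate as the dict ssl.SSLSocket.getpeercert() yields.
    The default context verifies against the local trust store, so a certificate
    the client does not trust raises ssl.SSLCertVerificationError here, which is
    the same failure a joined application or LDAP library would report."""
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def hostname_matches(pattern: str, host: str) -> bool:
    """DNS-name comparison with single-label wildcard support:
    '*.aaddscontoso.com' covers 'ldaps.aaddscontoso.com' but neither
    'a.b.aaddscontoso.com' nor the bare 'aaddscontoso.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, sep, tail = host.partition(".")
    return bool(head) and sep == "." and tail == pattern[2:]


def assess_certificate(cert: dict, expected_host: str, now_epoch: Optional[float] = None) -> List[str]:
    """Pure check over a getpeercert() dict: does a DNS SAN cover the name clients
    will use, and how long until the certificate expires? Returns findings; an
    empty list means the certificate is fine for that hostname at that moment."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    findings: List[str] = []

    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, expected_host) for name in sans):
        findings.append(f"no DNS subjectAltName covers {expected_host!r} (present: {sans})")

    not_after_epoch = ssl.cert_time_to_seconds(cert["notAfter"])
    not_after = datetime.fromtimestamp(not_after_epoch, tz=timezone.utc)
    days_left = int((not_after_epoch - now_epoch) // 86400)
    if days_left < 0:
        findings.append(f"certificate expired on {not_after:%Y-%m-%d}; secure LDAP binds will fail")
    elif days_left < RENEWAL_WARNING_DAYS:
        findings.append(f"certificate expires in {days_left} days ({not_after:%Y-%m-%d}); upload a renewed one")
    return findings


# Constructed sample: what getpeercert() returns for a wildcard certificate of a
# managed domain named aaddscontoso.com (illustrative, not a real deployment).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.aaddscontoso.com"),),),
    "subjectAltName": (("DNS", "*.aaddscontoso.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    # Offline run against the constructed certificate; from a VM inside the VNet,
    # replace SAMPLE_CERT with fetch_ldaps_certificate("ldaps.aaddscontoso.com").
    for finding in assess_certificate(SAMPLE_CERT, "ldaps.aaddscontoso.com") or ["no findings"]:
        print(finding)
```

Run the live probe from a VM inside the virtual network (or a peered one) so that TCP 636 is reachable; `assess_certificate` takes a plain dictionary, so it can also be scheduled against an exported certificate without touching the endpoint at all.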

Typical use cases for Berlin SMBs

Entra Domain Services addresses specific migration and cloud-native scenarios rather than general-purpose identity management:

  • Lift-and-shift of AD-dependent applications: An application that requires LDAP queries or Kerberos authentication can be moved to an Azure VM and joined to the managed domain, eliminating the dependency on an on-premises DC without rewriting the application.
  • Azure Virtual Desktop profiles and roaming: AVD session hosts can join the managed domain, enabling User Profile Disk (UPD)-style profile management and GPO-based configuration of session environments — required for organizations using legacy profile management approaches.
  • Elimination of the last on-premises domain controller: Organizations with only one or two remaining on-premises use cases for AD can migrate those workloads to Azure VMs joined to Entra Domain Services and decommission the last on-premises DCs, completing the Azure migration.
  • Remote access and file share authentication: File servers and remote access infrastructure in Azure can authenticate users via Kerberos without requiring a VPN back to on-premises DCs or the complexity of maintaining on-premises infrastructure.

What Entra Domain Services does NOT do

Understanding the limitations prevents misapplication of the service. Entra Domain Services does not support:

  • Schema extensions: The Active Directory schema cannot be customized. Applications that require custom schema attributes (some older Exchange-dependent systems, certain ERP applications) cannot use Entra Domain Services.
  • Writeback to on-premises: Entra Domain Services does not replicate to on-premises AD. It is a one-way synchronization from Entra ID. Changes made in the managed domain do not flow back to on-premises.
  • Full administrative access: You cannot log on to the domain controllers or access them via RDP or PowerShell. Administration is performed through standard AD tools from a joined VM, limited to the permissions of the built-in AAD DC Administrators group.
  • Trust relationships: The managed domain does not support AD trusts with external forests.
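Because you never log on to the domain controllers, the protocol hardening you would normally apply on a DC through Group Policy or the registry is exposed only as settings on the managed domain resource itself: whether NTLMv1, TLS 1.0/1.1, Kerberos RC4 encryption and internet-facing secure LDAP are enabled, and whether NTLM password hashes are synchronized at all. The script below is an added example, not code from this article or from Microsoft. It evaluates the JSON of a `Microsoft.AAD/domainServices` resource (the shape `az resource show` returns) against a hardened target and reports every deviation. The property names follow the ARM resource schema as I recall it and should be confirmed against the current API reference; the sample resource is constructed.

```python
import json
from typing import List

# Hardened target values for the managed domain's security settings.
# Property names follow the Microsoft.AAD/domainServices ARM schema as recalled by
# the author of this example (not taken from the article); confirm them against the
# current API reference before wiring this into a pipeline.
HARDENED_SECURITY_SETTINGS = {
    "ntlmV1": "Disabled",                # NTLMv1 gives no meaningful protection against offline cracking
    "tlsV1": "Disabled",                 # leaves TLS 1.2+ only for LDAPS and other TLS-protected traffic
    "kerberosRc4Encryption": "Disabled", # tickets are then issued with AES only
    "kerberosArmoring": "Enabled",       # FAST protects the Kerberos pre-authentication exchange
}


def evaluate_managed_domain(resource: dict) -> List[str]:
    """Return findings for one Microsoft.AAD/domainServices resource. A missing
    setting is reported the same way as a weak one, so an incomplete export never
    passes silently. An empty list means every checked setting matches the target."""
    findings: List[str] = []
    props = resource.get("properties", {})

    security = props.get("domainSecuritySettings", {})
    for key, wanted in HARDENED_SECURITY_SETTINGS.items():
        actual = security.get(key)
        if actual != wanted:
            findings.append(f"domainSecuritySettings.{key} is {actual!r}, expected {wanted!r}")

    # NTLM hash sync is needed only while joined workloads still depend on NTLM
    # fallback; report it as informational so it is revisited once they are Kerberos-only.
    if security.get("syncNtlmPasswords") == "Enabled":
        findings.append("info: domainSecuritySettings.syncNtlmPasswords is Enabled; "
                        "keep it only while NTLM-dependent workloads remain")

    ldaps = props.get("ldapsSettings", {})
    if ldaps.get("ldaps") == "Enabled" and ldaps.get("externalAccess") == "Enabled":
        findings.append("ldapsSettings.externalAccess is Enabled: TCP 636 is reachable from outside "
                        "the VNet; restrict the DC subnet NSG to known client ranges or disable it")
    return findings


def load_and_evaluate(path: str) -> List[str]:
    """Evaluate a resource JSON saved from `az resource show` (or the REST API)."""
    with open(path, encoding="utf-8") as fh:
        return evaluate_managed_domain(json.load(fh))


# Constructed sample: a managed domain whose defaults were never revisited and whose
# LDAPS endpoint was opened to the internet.
SAMPLE_RESOURCE = {
    "name": "aaddscontoso.com",
    "type": "Microsoft.AAD/domainServices",
    "properties": {
        "domainName": "aaddscontoso.com",
        "domainSecuritySettings": {
            "ntlmV1": "Enabled",
            "tlsV1": "Enabled",
            "syncNtlmPasswords": "Enabled",
            "syncKerberosPasswords": "Enabled",
            "syncOnPremPasswords": "Enabled",
            "kerberosRc4Encryption": "Enabled",
            "kerberosArmoring": "Disabled",
        },
        "ldapsSettings": {"ldaps": "Enabled", "externalAccess": "Enabled"},
    },
}

if __name__ == "__main__":
    for finding in evaluate_managed_domain(SAMPLE_RESOURCE):
        print(finding)
```

On the constructed sample this reports six findings: four hardening mismatches, the informational NTLM-sync note, and the exposed LDAPS endpoint. The informational entry is deliberate: the article's whole point is that some workloads still need NTLM fallback, so the check records the exposure rather than demanding a change that would break them.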

Licensing and cost

Entra Domain Services is priced per hour based on the SKU (Standard or Enterprise) and the Azure region. It is not included in Microsoft 365 Business Premium — it is a separate Azure resource with Azure consumption billing. For most small business use cases, the monthly cost is comparable to running a single small Azure VM, since the service replaces one or two dedicated DC VMs while eliminating patching and replication overhead. The appropriate cost comparison is total cost of ownership: managed domain service billing versus the ongoing IT cost of maintaining dedicated domain controller VMs in Azure.

Integration with Entra Connect

For hybrid environments running Entra Connect, user accounts synchronized to Entra ID are automatically synchronized to the Entra Domain Services managed domain. This means users log in with their existing Microsoft 365 credentials and can authenticate to applications joined to the managed domain without any additional account provisioning. Password hash synchronization must be enabled in Entra Connect for this to work — the managed domain requires password hashes to perform Kerberos and NTLM authentication.
