How can we improve Azure Active Directory?

Support Azure AD domain join for Windows Server 2016

Microsoft should strongly consider implementing support for Azure AD join in future builds of Windows Server 2016. I have a couple of customers who have nearly finished the transition to all-cloud and are left with a couple of servers due to legacy software. They are currently left with the option to deploy Azure AD Domain Services to support a couple (2-5) of servers.

https://windowsserver.uservoice.com/forums/295047-general-feedback/suggestions/32995450-support-azure-ad-domain-join-for-windows-server-20

144 votes

Peter Selch Dahl shared this idea

17 comments

  • Christopher Neufeld commented

    In an increasingly cloud-centric environment, this is a must-have. We run a slew of servers across various cloud services and it would be extremely beneficial to be able to centralize and manage logins using Azure AD.

  • Neil G. commented

    In case it's not clear - this is a request for Windows Server to be able to register as a known device to Azure AD -- NOT Hybrid join -- with the short-term goal of being able to log in with our Office 365/AzureAD identities as well as a local "break the glass" login.

    Probably long term goal would be MDM server management through Intune but that is a whole different request.
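The distinction Neil G. draws above (registered directly with Azure AD versus hybrid-joined versus domain-joined only) is visible on a Windows box through `dsregcmd /status`. The following PowerShell is an added example, not code from the thread or from Microsoft: it parses the three flags in dsregcmd's "Device State" block and classifies the machine. The function name `Get-JoinState` and the sample output are assumptions made for this example; the sample text is constructed so the block runs offline.

```powershell
# Added example (not from the original thread): classify a Windows machine's join state
# from the output of `dsregcmd /status`. Field names follow dsregcmd's "Device State"
# section (AzureAdJoined, EnterpriseJoined, DomainJoined); the sample text below is
# constructed for offline use, not captured from a real server.

function Get-JoinState {
    param(
        [Parameter(Mandatory)]
        [string[]] $StatusLines   # lines of `dsregcmd /status` output
    )

    # dsregcmd prints "Name : YES|NO"; pull the three device-state flags into a hashtable.
    $flags = @{}
    foreach ($name in 'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined') {
        $pattern = "^\s*{0}\s*:\s*(YES|NO)" -f $name
        $match = $StatusLines | Select-String -Pattern $pattern | Select-Object -First 1
        $flags[$name] = ($match -and $match.Matches[0].Groups[1].Value -eq 'YES')
    }

    # Both flags set means the device is hybrid-joined (on-prem AD plus Azure AD);
    # AzureAdJoined alone is the pure cloud join this thread asks for on Server 2016.
    if ($flags.AzureAdJoined -and $flags.DomainJoined) { return 'Hybrid Azure AD joined' }
    if ($flags.AzureAdJoined)                          { return 'Azure AD joined' }
    if ($flags.DomainJoined)                           { return 'On-premises AD joined only' }
    return 'Not joined'
}

# Constructed sample (not real output) shaped like dsregcmd's Device State block.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample

# On a live machine where dsregcmd exists (Windows 10 / Windows Server 2016 and later):
# Get-JoinState -StatusLines (dsregcmd /status)
```

The "Not joined" and "On-premises AD joined only" results are the two states a member server in the scenario above can actually reach today; the check is useful mainly for confirming that a hybrid-join attempt did or did not complete, since a server reporting AzureAdJoined without DomainJoined would be the outcome this request is asking for.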

  • HenrikE commented

    This is needed. The comment below shows that Microsoft doesn't even understand the question. We want to be able to join server OS directly to AAD, just as we do clients. While this may mean that the server OS will need to be able to consume an OAuth token, it is most desirable to be able to remove the on-prem AD altogether while keeping the option to deploy the occasional member server.

  • Gerald Talton commented

    Hey Ravi, this "Under Review" comment is almost a year old, can you give us any insight on where this is on the roadmap?

  • Gerald Talton commented

    Without this feature, my attempts to integrate with my employer's current Azure AD. Currently I am being told that installing Azure AD DS is not an acceptable security risk and that this is the only way they would consider supporting AD access.

  • Josh Aitken commented

    We are rapidly migrating traditionally on-prem SMBs into the cloud and one of the primary issues we run into is the inability to shift clients' on-prem LOBs into Azure VMs without also dragging the unwanted, typically poorly maintained on-prem ADs along with them.

    Azure AD Connect / ADFS does not fulfill this request; the benefit of the cloud is that we can reduce cost, complexity and general administrative overhead - the aforementioned technologies do the opposite (at least with respect to SMBs).

  • Tom Hebert commented

    @BenTheBuilder is spot on. For large organizations, maintaining AD is fine. But for many others, it's overkill. Imagine the scenario where you are supporting a small business having two servers. In order to use AD, you need to maintain an AD server, and best practice says two. AD domains are fragile and must be carefully operated or you will find yourself researching and fixing very complex issues.

    This hypothetical business really wants single sign-on, two-factor authorization, and some basic things. Their one and only admin has full control anyway. Pushing complex group policies is just an unnecessary complication. Most other things associated with AD are an unnecessary, costly distraction.

    Finally, a simplified on-premises environment is much easier to move to Azure. When I do this, the first thing I do is provision a replica domain server in Azure, mainly to ensure that authentication can occur should the site-to-site VPN go down.

  • BenTheBuilder commented

    This would be a huge deal. We are a Cloud first shop. We don't want to run AD Controllers - we would rather utilize Azure AD and the Groups/Users in it. We don't care about things like GPO (we have real config mgmt). We just need a single IAM solution for our Cloud Services and IaaS resources.

  • turnin commented

    Does "Windows Server Essentials Experience" fill this gap?
    i.e. local Windows machines joined to a locally running "Essentials Experience" server, which is connected to Azure AD

  • Michiel commented

    This would be a huge added value for multi tenant shared workloads. Would take all the hassle away from forest/trust based user separation

  • Peter commented

    In my case, we would like to use Azure AD combined with O365 but keep the ability for example to roll out a physical server on premise. This 2016 server would then be joined to Azure AD.

  • Dan Bolton commented

    I would like this functionality to support Windows 2016 servers that are also joined to on-prem AD but also AzureAD so users get a more seamless experience with services that use Azure AD (e.g. box, etc.)
