AZ-140 ep09 | Plan AzureAD Identities

  • Published 21 Oct 2024

COMMENTS • 43

  • @Cmart6444 1 year ago +2

    Hey Dean, you know more than Yoda Jedi, amazing!!!!! Also, I loved your change of clothes, hahahahaha. But seriously, great job.....again!!!!!!

  • @deo-max9229 2 years ago +1

    Fantastic explanations! Yes, I'm still with you!

  • @tabaniz 3 years ago +2

    Finally the wait is over
    Thanks for uploading the new video.
    Nicely explained.
    I have been using ADDS for my labs and paying big bucks 🙂

    • @AzureAcademy 3 years ago +3

      Hey Faddy! Yeah it can be compared to the cost of a single VM, but it is a managed service that gives you 2 VMs...so...🤷🏼‍♂️

  • @sidzhang 3 years ago +1

    Hi Dean, inspired by you, I am now starting my UA-cam channel to share Azure knowledge in Mandarin.
    You are a role model for me~ I've learnt a lot from you.

    • @AzureAcademy 3 years ago +1

      AWESOME!!!!! Good luck to you Sid
      If you want to take my videos and provide translations into Mandarin I am happy to add them as subtitles as a way to expand your efforts.
      I have already been doing this for Japanese and Portuguese...would love to add more languages

    • @AzureAcademy 3 years ago +1

      Let me know what your channel is so I can subscribe ☺️

    • @sidzhang 3 years ago +1

      @AzureAcademy Hi Dean, you can click my head portrait to access my channel, it's called "喜得Sid", I am using just iPad + Apple pencil + iPhone to shoot the video.

    • @sidzhang 3 years ago +1

      @AzureAcademy Sorry I am still new to UA-cam, correct me if I am wrong, do you want me to help translate your videos into Chinese subtitles? Can you share a link of the videos you did for Japanese and Portuguese, thanks.

    • @AzureAcademy 3 years ago +1

      ua-cam.com/video/DrkQFSVD9Ik/v-deo.html
      This video has all the languages in it.
      If you wanted to contribute to the translations that would be awesome... then you could link them on your channel and use them to help people learn WVD.

  • @fisontech 3 years ago +1

    Really enjoying this, thanks again!

    • @AzureAcademy 3 years ago +1

      Awesome! Please Share it with everyone!

  • @TenMinuteKQL 1 year ago +1

    Thank you for this video Dean. One question reference AAD DS being managed. How is the security piece worked? If there are AAD DS DCs represented in my tenant, and they get attacked, should these be tied to the tenant security stack, or does the management include all aspects of security?

    • @AzureAcademy 1 year ago +1

      They are NOT represented in your tenant. Within AZURE AD there is no concept of a domain or domain controller. AADDS are just VMs that are part of the managed service offering that run an instance of Active Directory that Azure AD creates user IDs and passwords in. Does that make sense?
      So no one can attack Windows because you have no access or permissions, so you can’t compromise Windows.
      YOUR account in AADDS has delegated permissions in a single OU, so you can’t compromise AD.
      So the only way to protect those VMs is to block all unneeded ports with a firewall or NSG, don’t put anything else in their resource group, lock the resource group, remove all but the required permissions from the resource group.
      Set up all the monitoring of AADDS and Azure, including following the Security Center (Defender for Cloud) recommendations and you should be good.

    • @TenMinuteKQL 1 year ago +1

      @AzureAcademy that helps a lot. Basically I have 5 VMs per tenant associated with AAD DS. This helps to understand their purpose and security.

    • @AzureAcademy 1 year ago +1

      Great! A whole series on zero trust security coming soon…stay tuned!
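
Added example (not part of the original comments or the channel's material): a small Python audit of the hardening steps listed in the reply above, run over constructed data shaped like the JSON that the Azure CLI prints. The required inbound rule and the allowed principal are assumptions for illustration; take the real values from current Microsoft documentation for your deployment.

```python
# Constructed sample data (not from a real tenant), shaped like the JSON that
# `az network nsg rule list`, `az lock list` and `az role assignment list` print.
NSG_RULES = [
    {"name": "AllowPSRemoting", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "AzureActiveDirectoryDomainServices",
     "destinationPortRange": "5986"},
    {"name": "AllowRdpAny", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "DenyAllInbound", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
LOCKS = []  # no management lock on the resource group yet
ROLE_ASSIGNMENTS = [
    {"principalName": "aadds-admins", "roleDefinitionName": "Contributor"},
    {"principalName": "helpdesk", "roleDefinitionName": "Owner"},
]

# Assumptions for this example: the only inbound rule the managed domain needs
# and the only principal that should hold a role on its resource group.
REQUIRED_INBOUND = {("AzureActiveDirectoryDomainServices", "5986")}
ALLOWED_PRINCIPALS = {"aadds-admins"}


def unneeded_inbound(rules, required=REQUIRED_INBOUND):
    """Names of inbound Allow rules that are not on the required list."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and (r["sourceAddressPrefix"], r["destinationPortRange"]) not in required]


def has_lock(locks):
    """True if the resource group carries a CanNotDelete or ReadOnly lock."""
    return any(l.get("level") in ("CanNotDelete", "ReadOnly") for l in locks)


def excess_assignments(assignments, allowed=ALLOWED_PRINCIPALS):
    """Role assignments held by principals outside the allowed set."""
    return [(a["principalName"], a["roleDefinitionName"])
            for a in assignments if a["principalName"] not in allowed]


def audit(rules, locks, assignments):
    """Collect one finding per gap across NSG rules, locks and RBAC."""
    findings = [f"NSG: unneeded inbound allow rule {n}" for n in unneeded_inbound(rules)]
    if not has_lock(locks):
        findings.append("Lock: resource group has no management lock")
    findings += [f"RBAC: {p} holds {r}" for p, r in excess_assignments(assignments)]
    return findings


if __name__ == "__main__":
    print("\n".join(audit(NSG_RULES, LOCKS, ROLE_ASSIGNMENTS)))
```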

  • @sandervanbeek8693 3 years ago +3

    Hi Dean, once again an awesome video! Really appreciate your hard work for our community. I have one question that is slightly related. Hope you don't mind me asking.
    We are building a WVD environment and our goal is to only use managed Azure services. So no AD DS or (file) servers but Azure AD DS, storage accounts, et cetera. We have run into a showstopper with AppAttach. AppAttach requires the session hosts to have a RBAC role on the storage account to read the packages. Azure AD DS does not seem to support hybrid join which means the WVD session hosts cannot be registered in Azure AD. And as a result the session hosts can't connect to file shares on storage accounts.
    Do you happen to know if we can somehow solve or workaround this issue? Thanks in advance and looking forward to the next episode.

    • @AzureAcademy 3 years ago +3

      Thanks Sander! I love the approach, however you are correct, Azure AD DS does not support MSIX AppAttach at this time 😩

    • @andreleblanc5057 2 years ago +1

      Did you fall back to AD or do you "role" your VM in the pool then decommission your VM with drain mode, when you update apps in VM?

    • @AzureAcademy 1 year ago +1

      Watch this video for NEW features that help with this 👉 ua-cam.com/video/QxRb9sV3tHU/v-deo.htmlsi=sNKiLJPj-HxUyeFF

  • @ChingDou 3 years ago +1

    Thank you Dean and it is a great video. I have one question here. If I only want to use native Azure AD user (cloud user) to access AVD, do I have to set up Azure AD DS? Can I just have cloud native user access AVD? Is it possible so that I can save the cost of running Azure AD DS instance? Thank you.

    • @AzureAcademy 3 years ago +1

      Hey John, a cloud user can only be used with Azure AD Join and AVD. If you use AADDS then you are using a synced user.
      So you would create a cloud user then create AADDS and all the users in Azure AD would sync over to AADDS.
      So I would suggest looking at my Azure AD Join videos before trying AADDS -> ua-cam.com/video/n_7nZFxhobc/v-deo.html

  • @wingaard 2 years ago +1

    OK, so a UID from the WinDC AD synchs to Azure AD then synchs to AADS (if enabled). But when it gets to AADS it gets a replacement UID / source anchor ? (5:46) Sorry confused ..

    • @AzureAcademy 2 years ago +2

      Once those objects are successfully synchronized to Azure AD, the automatic background sync then makes those objects and credentials available to applications using the managed domain.
      This might help on source anchors - docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts
      How Azure ADDS Syncing works - docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization

  • @ahmadl-zahrani2993 2 years ago +1

    Hi Dean, love ur fun and solid vids!
    I wanted to know what if I had multi region AVD deployment. How will I achieve this with AADDS?

    • @AzureAcademy 2 years ago +2

      In short…you can’t. AADDS is designed to only have 1 instance per Azure AD Tenant.
      But I think you would be interested in replica sets - docs.microsoft.com/en-us/azure/active-directory-domain-services/concepts-replica-sets

  • @thomasgjrtz3945 3 years ago +1

    Great job on the videos Dean and Team, however, I don't see the use of AADDS if you already have ADDS, especially because new WVD features like MSIX APP attach do not work with AADDS. And paying for an AADDS service on top of S2s/Express route, and DC VMs kinda makes it redundant in my opinion, although I may be wrong (yes it has happened :-D )

    • @AzureAcademy 3 years ago +1

      I very much agree with you...if you already have an AD Domain AADDS is NOT something I would recommend.

  • @arnaudbigot3897 3 years ago +1

    You’re definitely a very good speaker!
    Any chance to see MsixAppattach working with Azure ADDS?

    • @AzureAcademy 3 years ago +1

      Nope! Not supported yet...PG is working on it, stay tuned!

  • @csmith49871 3 years ago +1

    Still struggling to see the use case for Azure ADDS? Am I right in saying it would be for an organisation who is cloud-first and doesn’t have traditional AD?
    Also, the common question I hear is do Microsoft ever plan to remove the need for traditional AD to use WVD? I understand the session hosts have to be joined to a domain right now, is there anything on the road map to change this?

    • @csmith49871 3 years ago +1

      I just watched this ... ua-cam.com/video/OWGVoJMdIRc/v-deo.html which has helped clear this up.

    • @AzureAcademy 3 years ago +3

      I don’t think there is anything on the public roadmap on removing the need for traditional domain controllers, but it is one of the most requested features, and all I can say is that the product team very actively listens to feedback.
      YES I would look at AADDS in born in the cloud companies who don’t already have traditional domain controllers
      Let me know if that clears it up

    • @AzureAcademy 3 years ago +2

      awesome, glad it helped!

  • @dannycora 2 years ago +1

    Can you add subtitles here? Thank you

    • @AzureAcademy 2 years ago +1

      All the videos have subtitles…press C on your keyboard to turn them on

    • @dannycora 2 years ago +1

      @AzureAcademy AZ-140 ep09 | Plan AzureAD Identities
      ua-cam.com/video/9kO68Euy--g/v-deo.html
      I found this video doesn't seem to be

    • @AzureAcademy 2 years ago +2

      Just checked and for some reason they are missing…will see what I can do