Desktop and Application Streaming

Add your WorkSpaces to Azure AD using Azure Active Directory Domain Services

As organizations transition to the cloud, managed directory offerings are becoming more prevalent. Administrators appreciate the robust controls without the management overhead of an on-premises solution. To make these transitions successful, administrators must find ways to join their desktop fleets to cloud-based directories. While AWS Managed Microsoft AD natively supports Amazon WorkSpaces, customers can also use Azure AD with Amazon WorkSpaces.

WorkSpaces integrate with AWS Directory Service to give administrators the flexibility to use the directory that is most appropriate for their needs. For administrators who need desktops only and do not want to manage a domain, there is Simple AD. Administrators who want the benefits of Active Directory and high availability in a fully managed service can use AWS Managed Microsoft AD. Finally, administrators who want to use their existing Active Directory forest for their WorkSpaces can use Active Directory Connector.

In this post, we use an Active Directory Connector and Azure Active Directory Domain Services to join Amazon WorkSpaces to Azure Active Directory.

Prerequisites

The prerequisites for adding your WorkSpaces to Azure AD using Azure Active Directory Domain Services include the following:

  • A virtual private cloud (VPC) in an AWS Region that supports Amazon WorkSpaces.
  • Two private subnets in your VPC.
  • An Azure Active Directory tenant.
  • An Azure resource group.
  • VPN connectivity between your Amazon VPC and your Azure resource group (through native IPsec tunnels or VPN appliances).
    • The tunnels must be configured to allow traffic between your Azure AD DS endpoints and the subnets that house your WorkSpaces.

Step 1: Add Azure Active Directory Domain Services

Azure AD does not support domain-joining instances by default. To perform actions like domain join, and to use tools like Group Policy, administrators must enable Azure Active Directory Domain Services (Azure AD DS).

If you have not already added Azure AD DS, or your existing implementation is not associated with the domain that you want your WorkSpaces to use, you must add a new instance. For information about enabling Azure AD DS, see https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started.

When enabling Azure AD DS, make sure that it is configured for the resource group and the Azure AD domain that you want your WorkSpaces to use.


Step 2: Create a Service Account

Once Azure AD DS has been configured, the next step is to create a service account for your Active Directory Connector to use. This account performs the user lookups when creating WorkSpaces and is used to join WorkSpaces to your Azure domain, so it must be a member of the Azure AD DS administrators group (AAD DC Administrators by default).

We use the Azure portal's integrated PowerShell shell (Cloud Shell) for this step. If you have the AzureAD PowerShell module installed and connected locally, you can use that instead.

In your Azure console:

  1. Launch the interactive shell by choosing the >_ icon to the right of the search bar.
  2. When the shell has launched, run the following:
    # Change these values to match your environment.
    # Use a strong, unique password, and do not leave a real password in a saved script.
    $password = "Password123!"
    $displayName = "Amazon WorkSpaces Service Account 2"
    $upn = "svc_awswks2@test123!.onmicrosoft.com"
    $mailName = "svc_awswks2"

    # Change this if you did not use the default Azure AD DS admin group name.
    $aadAdmins = "AAD DC Administrators"

    # Build the password profile. The service account must not be forced to change
    # its password at next login, or the AD Connector cannot authenticate with it.
    $PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $PasswordProfile.ForceChangePasswordNextLogin = $false
    $PasswordProfile.Password = $password

    # Create the enabled service account in Azure AD.
    $newaaduser = New-AzureADUser -DisplayName $displayName -PasswordProfile $PasswordProfile -UserPrincipalName $upn -AccountEnabled $true -MailNickName $mailName

    # Add it to the Azure AD DS administrators group so it can join WorkSpaces to the managed domain.
    Get-AzureADGroup | Where-Object { $_.DisplayName -eq $aadAdmins } | Add-AzureADGroupMember -RefObjectId $newaaduser.ObjectId
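After the script runs, it is worth confirming that the account actually ended up where the AD Connector expects it, because a typo in the group name or a disabled account only surfaces later as a failed directory creation or a failed WorkSpace join. The following check is an added example, not part of the original post; it assumes the same AzureAD module session and reuses the placeholder UPN and group name from the script above.

```powershell
# Added verification (not from the original post): confirm the AD Connector service
# account exists, is enabled, and is a member of the Azure AD DS administrators group.
# Assumes the AzureAD module is already connected (Cloud Shell signs you in) and uses
# the same placeholder UPN and group name as the creation script.
$upn       = "svc_awswks2@test123!.onmicrosoft.com"   # placeholder from the post
$aadAdmins = "AAD DC Administrators"                  # default Azure AD DS admin group

$user = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
if (-not $user) { throw "Service account $upn was not found." }
if (-not $user.AccountEnabled) { throw "Service account $upn exists but is disabled." }

$group = Get-AzureADGroup -Filter "displayName eq '$aadAdmins'"
if (-not $group) { throw "Group '$aadAdmins' was not found; check the group name." }

# Membership in this group is what allows the account to join WorkSpaces to the
# managed domain, so compare object IDs rather than display names.
$isMember = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectId -eq $user.ObjectId }

if ($isMember) {
    Write-Output "OK: $upn is enabled and a member of '$aadAdmins'."
} else {
    Write-Warning "$upn is not a member of '$aadAdmins'; AD Connector domain joins will fail."
}
```

Azure AD DS synchronizes users and group memberships from Azure AD rather than reading them live, so a passing check here does not mean the managed domain already knows about the account; allow time for synchronization before creating the connector in Step 3.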

Step 3: Create a New Active Directory Connector

Once Azure AD DS is configured and you have created a service account, you can create an Active Directory Connector to deploy WorkSpaces.

In your Azure console, do the following:

  1. In the left-hand menu, choose Resource Groups.
  2. Choose the resource group in which you configured Azure AD Domain Services.
  3. In the resource group, select your Azure AD Domain Services instance.
  4. From the resource group menu, under Manage, select Properties.
  5. Make note of the IPs listed under IP address on virtual network.
  6. Make note of the DNS name under DNS domain name.

In the AWS Management Console:

  1. Open Amazon WorkSpaces at https://console.aws.amazon.com/workspaces/.
  2. From the left menu in the console, choose Directories.
  3. Choose Set up Directory.
  4. Select the AD Connector radio button.
  5. Choose Next.
  6. Based on the number of WorkSpaces you intend to deploy, choose the edition that meets your sizing needs, and add a description.
  7. Choose Next.
  8. Specify the VPC and subnets you want your WorkSpaces located in. Note: WorkSpaces require two private subnets.
  9. Choose Next.
  10. Provide the necessary AD connection details:
    1. Organization name – This is a unique name for the directory.
    2. Directory DNS Name – This is the DNS domain name from Azure.
    3. NetBIOS name – This is optional.
    4. DNS IP addresses – Use the IP addresses noted from IP address on virtual network in the Azure portal.
    5. Service account username – Provide the user name for the account created in Step 2.
    6. Service account password – Provide the password for the account created in Step 2.
  11. Review the settings and choose Create directory.

Note: Your Active Directory Connector provides DNS information to WorkSpaces, allowing them to connect to Azure. If you intend to join EC2 instances in the same VPC as well, you must also modify your VPC's DHCP options so that those instances use the same DNS servers.
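If directory creation fails, or WorkSpaces later fail to join, the cause is usually the VPN path rather than the connector itself. The following check is an added example, not part of the original post: run from a Windows EC2 instance in one of the two private subnets chosen for WorkSpaces, it tests TCP reachability to the Azure AD DS addresses on the ports used for DNS, Kerberos, LDAP and SMB, and resolves the domain's DC locator records directly against each Azure AD DS DNS server. The IP addresses and domain name are placeholders for the values noted from the Azure portal.

```powershell
# Added check (not from the original post): from a Windows EC2 instance in a WorkSpaces
# subnet, verify that the Azure AD DS endpoints are reachable over the VPN. Replace the
# placeholders with the "IP address on virtual network" and "DNS domain name" values.
$aaddsIps = @("10.1.0.4", "10.1.0.5")   # placeholder: Azure AD DS IPs on the virtual network
$domain   = "aaddscontoso.com"          # placeholder: Azure AD DS DNS domain name

# TCP ports used for DNS, Kerberos, LDAP (AD Connector) and SMB (Group Policy/SYSVOL
# during domain join). Test-NetConnection only exercises TCP; the UDP variants of
# 53, 88 and 389 must be permitted through the tunnel and security groups as well.
$tcpPorts = @{ DNS = 53; Kerberos = 88; LDAP = 389; SMB = 445 }

$results = foreach ($ip in $aaddsIps) {
    foreach ($svc in $tcpPorts.Keys) {
        $port = $tcpPorts[$svc]
        $ok = (Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ Endpoint = $ip; Service = $svc; Port = $port; Reachable = $ok }
    }
}
$results | Sort-Object Endpoint, Port | Format-Table -AutoSize

# Ask each Azure AD DS DNS server for the domain's DC locator SRV records. A failure
# here points at DNS or routing over the VPN rather than at the AD Connector.
foreach ($ip in $aaddsIps) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $ip -ErrorAction Stop
        Write-Output "DNS via ${ip}: $(@($srv).Count) record(s) for $domain"
    } catch {
        Write-Warning "DNS via ${ip} failed for ${domain}: $($_.Exception.Message)"
    }
}

$failed = @($results | Where-Object { -not $_.Reachable })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} endpoint/port combination(s) unreachable. Check the VPN tunnel routes, " +
        "the network security group on the Azure AD DS subnet, and the VPC security groups " +
        "and network ACLs for the WorkSpaces subnets.") -f $failed.Count
}
```

Running this before Step 3 (rather than after a failure) is cheaper: the AD Connector only reports a generic failure when it cannot reach the domain, and this check names the exact endpoint and port that is blocked.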

Step 4: Register your Active Directory Connector

After you have created an Active Directory connector, you need to register it with the WorkSpaces service. This allows the Amazon WorkSpaces service to use your new Active Directory connector to join WorkSpaces to Azure AD DS.

  1. Open Amazon WorkSpaces at https://console.aws.amazon.com/workspaces/.
  2. From the left menu in the console, choose Directories.
  3. Select the directory that you created.
  4. Choose Actions.
  5. Choose Register.
  6. Specify the subnets to use for your WorkSpaces.
  7. Choose the Register button.
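Registration is asynchronous, and a WorkSpace launched against a directory that is still registering, or that was handed the wrong DNS servers, will fail to join. The following check is an added example, not part of the original post; it uses the AWS Tools for PowerShell cmdlet Get-WKSWorkspaceDirectory, and the directory ID, Region and expected DNS addresses are placeholders.

```powershell
# Added check (not from the original post): confirm the AD Connector finished
# registering with WorkSpaces and that the DNS IPs it hands to WorkSpaces are the
# Azure AD DS addresses noted in Step 3. Uses AWS Tools for PowerShell; property
# names follow the WorkSpaces DescribeWorkspaceDirectories API.
$directoryId = "d-0123456789"                 # placeholder: your AD Connector directory id
$expectedDns = @("10.1.0.4", "10.1.0.5")      # placeholder: Azure AD DS "IP address on virtual network"
$region      = "us-east-1"                    # placeholder: the Region hosting the VPC

$dir = Get-WKSWorkspaceDirectory -DirectoryId $directoryId -Region $region
if (-not $dir) { throw "Directory $directoryId was not returned by WorkSpaces." }

# Registration moves REGISTERING -> REGISTERED; anything else is not usable yet.
if ($dir.State -ne "REGISTERED") {
    Write-Warning "Directory $directoryId is in state '$($dir.State)', not REGISTERED."
}

# The connector's DNS IPs must be the Azure AD DS endpoints, otherwise WorkSpaces
# resolve the domain against the wrong servers and the join fails.
$actualDns = @($dir.DnsIpAddresses) | Sort-Object
$diff = Compare-Object -ReferenceObject @($expectedDns | Sort-Object) -DifferenceObject $actualDns
if ($diff) {
    Write-Warning "DNS IP mismatch: expected $($expectedDns -join ', '), got $($actualDns -join ', ')."
} else {
    Write-Output "OK: $directoryId ($($dir.DirectoryType)) is $($dir.State) with DNS $($actualDns -join ', ')."
}

# Two private subnets are required for WorkSpaces; show which ones the registration uses.
Write-Output "Registered subnets: $($dir.SubnetIds -join ', ')"
```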

Step 5: Deploy Amazon WorkSpaces

After you register your Active Directory connector with the WorkSpaces service, you can deploy Amazon WorkSpaces. This deployment can include both Windows and Amazon Linux 2-based WorkSpaces, as shown in the following example.

For information about how to create a new WorkSpace, see https://docs.aws.amazon.com/workspaces/latest/adminguide/launch-workspace-ad-connector.html#create-workspace-ad-connector.


Conclusion

This post showed how to use your corporate identity in Azure Active Directory with Amazon WorkSpaces. Once configured, you can deploy Windows and Linux-based WorkSpaces to your Azure users. Those users can be cloud native or synchronized from your on-premises forest.