Desktop and Application Streaming
Add your WorkSpaces to Microsoft Entra ID using Microsoft Entra Domain Services
January 21, 2025: This blog post has been updated by Mayank Jain.
As organizations transition to the cloud, managed directory offerings are becoming more prevalent. Administrators appreciate the robust controls without the management overhead of an on-premises solution. To make these transitions successful, administrators must find ways to join their desktop fleets to cloud-based directories. While AWS Managed Microsoft AD natively supports Amazon WorkSpaces, customers can also use Microsoft Entra ID with Amazon WorkSpaces.
WorkSpaces integrates with AWS Directory Service to give administrators the flexibility to use the directory that is most appropriate for their needs. For administrators who need desktops only and do not want to manage a domain, there is Simple Active Directory. Administrators who want the benefits of Active Directory and high availability in a fully managed service can use AWS Managed Microsoft AD. Finally, for administrators who want to use their existing Active Directory forest for their WorkSpaces, there is AD Connector.
WorkSpaces Personal now supports creating Windows 10 or 11 Bring Your Own License (BYOL) WorkSpaces that are Microsoft Entra ID-joined and enrolled to Intune. For more details, see Create a dedicated Microsoft Entra ID directory with WorkSpaces Personal. In this post, we use an AD Connector and Microsoft Entra Domain Services to join non-BYOL Amazon WorkSpaces to Microsoft Entra ID.
Prerequisites
The prerequisites for adding your WorkSpaces to Entra ID using Domain Services include the following:
- A virtual private cloud (VPC) in an AWS Region that supports WorkSpaces.
- Two private subnets in your VPC.
- A Microsoft Entra ID tenant.
- An Azure resource group, with a virtual network in it for Domain Services.
- VPN connectivity between your Amazon VPC and the Azure virtual network that hosts Domain Services (native IPsec tunnels or VPN appliances). The tunnels, together with the routing and firewall rules on both sides, must allow traffic between the Domain Services IP addresses and the subnets containing your WorkSpaces.
Walkthrough
Step 1: Add Domain Services
Entra ID by itself does not support the classic Active Directory domain join that non-BYOL WorkSpaces require. To perform a domain join, and to use tools such as Group Policy, administrators must enable Domain Services, which provides a managed domain with domain controllers, LDAP, and Kerberos.
If you have not already added Domain Services, or your existing implementation is not associated with the domain that you want your WorkSpaces to use, you must add a new instance. For information about enabling Domain Services, see Create and configure a Microsoft Entra Domain Services managed domain.
When enabling Domain Services, make sure that it is deployed in the resource group, and with the DNS domain name, that you want your WorkSpaces to use.
Step 2: Create a Service Account
Once Domain Services has been configured, the next step is to create a service account for your AD Connector to use. This account performs the user lookups when creating WorkSpaces and is used to join WorkSpaces to your Domain Services managed domain, so it must be a member of the AAD DC Administrators group (or the administrators group you chose when enabling Domain Services). Treat its credentials as privileged: AD Connector stores the password and uses it for every domain join, so set a long, randomly generated password rather than the placeholder in the example below, and keep it out of shell history. Also allow a few minutes for the new user and its group membership to synchronize from Entra ID into Domain Services before you create the AD Connector in Step 3.
We use the integrated Cloud Shell for this step. If you have the Microsoft Graph PowerShell module installed and configured, you can use that.
In your Azure console:
- Launch the interactive shell by choosing the >_ icon to the right of the search bar.
- When the shell has launched, run the following commands. Replace the values of $password, $displayName, $upn, and $mailName.

```powershell
# Sign in with the delegated scopes needed to create a user and add it to a group.
# Cloud Shell may already be signed in; Connect-MgGraph prompts only if needed.
Connect-MgGraph -Scopes "User.ReadWrite.All","GroupMember.ReadWrite.All"

# Replace these values. Use a long, randomly generated password: this account joins
# every WorkSpace to the domain and is a member of the Domain Services administrators group.
$password    = "Password123!"
$displayName = "Amazon WorkSpaces Service Account 6"
$upn         = "svc_awswks6@example.onmicrosoft.com"
$mailName    = "svc_awswks6"
# Change this if you did not use the default Domain Services Administrators group.
$EntraDomainAdmin = "AAD DC Administrators"

$PasswordProfile = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphPasswordProfile
# A service account cannot answer an interactive password-change prompt.
$PasswordProfile.ForceChangePasswordNextSignIn = $false
$PasswordProfile.Password = $password

New-MgUser -DisplayName $displayName -PasswordProfile $PasswordProfile -AccountEnabled -MailNickName $mailName -UserPrincipalName $upn

# Look up the administrators group server-side (a client-side Where-Object only sees the first page of groups).
$GroupId = (Get-MgGroup -Filter "displayName eq '$EntraDomainAdmin'").Id
if (-not $GroupId) { throw "Group '$EntraDomainAdmin' was not found; check the group name." }

# Add the new user to the group by reference.
$odataId = "https://graph.microsoft.com/v1.0/users/$upn"
New-MgGroupMemberByRef -GroupId $GroupId -OdataId $odataId
```
Step 3: Create a New AD Connector
Once Domain Services is configured and you have created a service account, you can create an AD Connector that WorkSpaces will use to reach the managed domain.
In your Azure Portal, do the following:
- In the left-hand menu, choose Resource Groups.
- Choose the resource group that you configured the Domain Services with.
- In the resource group, under Resources select your Domain Services instance.
- In the left-hand menu, choose Settings > Properties.
- Make note of the IPs listed under IP addresses.
- Make note of the DNS name under DNS domain name.
In the AWS Management Console:
- Create an AD Connector.
- Provide the necessary AD connection details:
- Organization name – This is a unique name for the directory.
- Directory DNS Name – This is the DNS domain name from Azure.
- NetBIOS name – This is optional.
- DNS IP addresses – Use the IP addresses you noted from the Domain Services properties page (the addresses on the virtual network).
- Service account username – Provide the user name for the account created in Step 2.
- Service account password – Provide the password for the account created in Step 2.
- Make a note of the Directory ID.
Note: Your AD Connector provides DNS information to WorkSpaces so they can resolve and reach the Domain Services domain. If you intend to join EC2 instances in the VPC as well, modify the VPC's DHCP options set so those instances use the directory's DNS servers (the Domain Services IP addresses).
Step 4: Register your AD Connector
After you have created an AD Connector, you need to register it with the WorkSpaces service. This allows the Amazon WorkSpaces service to use your new AD Connector to join WorkSpaces to Domain Services. Follow the steps in Register an existing AWS Directory Service directory with WorkSpaces Personal to register the AD Connector you created in Step 3.
Step 5: Deploy WorkSpaces
After you register your AD Connector with the WorkSpaces service, you can deploy WorkSpaces. This deployment includes Windows and Amazon Linux 2-based WorkSpaces, as shown in the following example.
For information about how to create a new WorkSpace, see Create a WorkSpace in WorkSpaces Personal.
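The following script is an added example, not code from the original post, that automates the AWS side of Steps 3 through 5 and first checks the prerequisite VPN path. It assumes a Windows machine inside the VPC with PowerShell, the AWS CLI v2, and AWS credentials configured; the domain name, IP addresses, VPC, subnet, and bundle IDs, and the user name are placeholders to replace with your own. The service account password is prompted for and passed to the CLI through a temporary JSON file instead of on the command line, so it does not land in process listings or shell history.

```powershell
# Added example (not from the original post). All identifiers are assumptions; replace them.
$DomainName  = "example.onmicrosoft.com"                                # DNS domain name from the Domain Services properties page
$DnsIps      = @("10.1.0.4", "10.1.0.5")                                # IP addresses from the same page
$VpcId       = "vpc-0123456789abcdef0"
$SubnetIds   = @("subnet-0123456789abcdef0", "subnet-0fedcba9876543210")  # the two private subnets
$ServiceUser = "svc_awswks6"                                            # account created in Step 2
$BundleId    = "wsb-0123456789abcdef0"                                  # a WorkSpaces bundle in your Region
$FirstUser   = "jdoe"                                                   # sAMAccountName of an Entra ID user

# Preflight: confirm the VPN tunnels actually pass the traffic AD Connector needs.
# These ports are a subset of the AD Connector prerequisites; see the AWS documentation for the full list.
function Test-DomainServicesReachability {
    param([string[]]$Servers, [string]$Domain)
    $ports = 53, 88, 389, 445   # DNS, Kerberos, LDAP, SMB
    foreach ($s in $Servers) {
        $dns = Resolve-DnsName -Name $Domain -Server $s -Type A -ErrorAction SilentlyContinue
        if (-not $dns) { throw "$Domain did not resolve via $s; check the VPN route and firewall rules." }
        foreach ($p in $ports) {
            if (-not (Test-NetConnection -ComputerName $s -Port $p -InformationLevel Quiet)) {
                throw "TCP $p to $s is blocked; AD Connector creation would fail."
            }
        }
    }
}
Test-DomainServicesReachability -Servers $DnsIps -Domain $DomainName

# Step 3: create the AD Connector. The request, including the password, goes in a temp file
# passed with --cli-input-json, and the file is deleted as soon as the call returns.
$secure = Read-Host -Prompt "Password for $ServiceUser" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new("", $secure).Password
$request = @{
    Name            = $DomainName
    Password        = $plain
    Size            = "Small"
    ConnectSettings = @{
        VpcId            = $VpcId
        SubnetIds        = $SubnetIds
        CustomerDnsIps   = $DnsIps
        CustomerUserName = $ServiceUser
    }
}
$reqFile = Join-Path $env:TEMP "connect-directory.json"
$request | ConvertTo-Json -Depth 4 | Set-Content -Path $reqFile -Encoding ascii
try {
    $DirectoryId = (aws ds connect-directory --cli-input-json "file://$reqFile" --output json | ConvertFrom-Json).DirectoryId
} finally {
    Remove-Item -Path $reqFile -Force   # never leave the password on disk
    $plain = $null
}
"Created AD Connector $DirectoryId"

# Wait until the connector is Active; creation takes several minutes and fails if the
# service account or the VPN path is wrong.
do {
    Start-Sleep -Seconds 30
    $stage = (aws ds describe-directories --directory-ids $DirectoryId --output json |
              ConvertFrom-Json).DirectoryDescriptions[0].Stage
    "AD Connector stage: $stage"
} while ($stage -in "Requested", "Creating", "Created")
if ($stage -ne "Active") { throw "AD Connector ended in stage $stage; check the service account and the VPN path." }

# Step 4: register the connector with WorkSpaces Personal in the same two subnets.
aws workspaces register-workspace-directory --directory-id $DirectoryId --subnet-ids $SubnetIds --no-enable-work-docs --tenancy SHARED
do {
    Start-Sleep -Seconds 15
    $state = (aws workspaces describe-workspace-directories --directory-ids $DirectoryId --output json |
              ConvertFrom-Json).Directories[0].State
    "Registration state: $state"
} while ($state -eq "REGISTERING")
if ($state -ne "REGISTERED") { throw "Directory registration ended in state $state." }

# Step 5: create one WorkSpace. The call is asynchronous; anything rejected appears under FailedRequests.
aws workspaces create-workspaces --workspaces "DirectoryId=$DirectoryId,UserName=$FirstUser,BundleId=$BundleId" --output json
```

If the preflight throws, fix the VPN, route, or firewall rule before spending time on the AD Connector: the connector itself reports only a generic failure stage, while the port check tells you which hop is broken.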
Conclusion
This post showed how to use your corporate identity in Domain Services with Amazon WorkSpaces. When configured, you can deploy Windows and Linux-based WorkSpaces for your Entra ID users. Those users can be cloud-native or synchronized from your on-premises forest.