1
00:00:01,240 --> 00:00:04,290
Now let's turn our attention to joining Windows Server to

2
00:00:04,290 --> 00:00:08,060
different types of domains, Active Directory Domain Services,

3
00:00:08,060 --> 00:00:11,580
Azure AD Domain Services, and Azure AD itself.

4
00:00:11,580 --> 00:00:14,630
Now we really don't have to do the first bit because I already

5
00:00:14,630 --> 00:00:18,560
showed you how to join an Active Directory Domain Services domain,

6
00:00:18,560 --> 00:00:22,530
as well as promote a domain controller, but we do want to look at

7
00:00:22,530 --> 00:00:24,230
the second and third options here.

8
00:00:24,230 --> 00:00:26,290
I'm actually going to start with the question,

9
00:00:26,290 --> 00:00:29,710
how can we join a Windows Server virtual machine running in

10
00:00:29,710 --> 00:00:33,000
Azure to our Azure Active Directory tenant? Now this is a

11
00:00:33,000 --> 00:00:36,920
special case scenario. Azure AD does have some mobile device

12
00:00:36,920 --> 00:00:39,110
management, or MDM, capabilities,

13
00:00:39,110 --> 00:00:43,220
but it's intended mainly for endpoint management, in other words,

14
00:00:43,220 --> 00:00:44,820
Windows 10 devices.

15
00:00:44,820 --> 00:00:49,200
And even actually, if you're using Microsoft Intune, you can bring in iOS

16
00:00:49,200 --> 00:00:53,650
devices and Android devices. But in terms of your Azure servers,

17
00:00:53,650 --> 00:00:56,280
you probably aren't going to have administrators signing

18
00:00:56,280 --> 00:00:59,170
in interactively to those servers, so mobile device

19
00:00:59,170 --> 00:01:00,850
management is kind of a moot point.

20
00:01:00,850 --> 00:01:06,590
However, you can in Azure perform an Azure AD sign‑in to your Windows Server

21
00:01:06,590 --> 00:01:10,350
Azure VMs. There are a couple of ways you can implement that. One, what you see on

22
00:01:10,350 --> 00:01:13,070
this slide is during virtual machine creation,

23
00:01:13,070 --> 00:01:15,050
you can, in the portal anyway,

24
00:01:15,050 --> 00:01:19,880
click the checkbox Login with Azure AD. Now notice, it says in the yellow

25
00:01:19,880 --> 00:01:23,660
highlight RBAC role assignment is going to be required in order for your

26
00:01:23,660 --> 00:01:28,340
administrators to sign into the VM with Azure AD credentials.

27
00:01:28,340 --> 00:01:31,130
And also another requirement you see up above where it says

28
00:01:31,130 --> 00:01:35,190
Identity, System managed Identity must be on to log on with

29
00:01:35,190 --> 00:01:36,800
Azure AD credentials. Now first,

30
00:01:36,800 --> 00:01:41,290
let me actually take a step back yet again and ask why are you interested in

31
00:01:41,290 --> 00:01:46,940
signing into an Azure VM with an Azure AD credential? This is not a case where

32
00:01:46,940 --> 00:01:51,200
you're mixing and matching local Active Directory with Azure Active Directory.

33
00:01:51,200 --> 00:01:52,870
I want to be really clear about that.

34
00:01:52,870 --> 00:01:57,070
So this particular model would be for cloud‑first Windows

35
00:01:57,070 --> 00:02:00,790
Server Azure VMs, on which you want your people,

36
00:02:00,790 --> 00:02:05,250
whoever those administrators or developers or people are, to be able to sign

37
00:02:05,250 --> 00:02:09,740
into those VMs, either as a standard user or as an administrator using not

38
00:02:09,740 --> 00:02:12,320
local credentials, but Azure AD credentials.

39
00:02:12,320 --> 00:02:16,450
That's the specific use case we're talking about here, okay? Now another

40
00:02:16,450 --> 00:02:20,670
opportunity or another point to consider that's actually a requirement besides

41
00:02:20,670 --> 00:02:26,580
loading the extension that joins the Azure server to Azure AD, as I mentioned in

42
00:02:26,580 --> 00:02:28,900
the previous slide in that little point there,

43
00:02:28,900 --> 00:02:32,470
there are two built‑in RBAC roles that are required.

44
00:02:32,470 --> 00:02:36,430
You have to be actually assigned one or both of these roles.

45
00:02:36,430 --> 00:02:41,090
It's Virtual Machine Administrator Login or Virtual Machine User Login.

46
00:02:41,090 --> 00:02:46,800
So this means that just enabling a Windows Server Azure VM for Azure AD

47
00:02:46,800 --> 00:02:50,250
sign‑in will not get you there. Even if you're a subscription owner, if

48
00:02:50,250 --> 00:02:54,550
you have top‑tier permissions on the VM, in order to sign into that VM

49
00:02:54,550 --> 00:02:55,980
with Azure AD credentials,

50
00:02:55,980 --> 00:03:00,180
you would also need to be assigned the Virtual Machine Administrator Login if

51
00:03:00,180 --> 00:03:04,770
you want to sign in as a local administrator or Virtual Machine User Login if

52
00:03:04,770 --> 00:03:08,350
you want to sign in as a standard user. It's important. Now I also want you to

53
00:03:08,350 --> 00:03:10,360
see here in this portal screenshot,

54
00:03:10,360 --> 00:03:13,950
there's a third built‑in role, and this is an exam alert. You need to be

55
00:03:13,950 --> 00:03:17,170
straight on this before you take your AZ‑800 exam.

56
00:03:17,170 --> 00:03:21,470
There's a built‑in virtual machine contributor role as well, and that has

57
00:03:21,470 --> 00:03:24,730
nothing to do with sign‑in. In fact, it's just the opposite.

58
00:03:24,730 --> 00:03:28,200
You would assign the virtual machine contributor built‑in RBAC

59
00:03:28,200 --> 00:03:32,290
role to administrators that will manage the VM resource in Azure,

60
00:03:32,290 --> 00:03:37,400
who would have permissions to start, stop, and restart the VM, run backup jobs,

61
00:03:37,400 --> 00:03:42,910
resize the VM, but they would not have any privileges to sign into the VM.

62
00:03:42,910 --> 00:03:46,820
So there's a separation of duties there between the control plane

63
00:03:46,820 --> 00:03:51,000
and data plane, and that's as it should be, in my humble opinion.