
What's This For?

If you're running Azure AD Domain Services (Azure AD DS), Warden can connect to it just like an on-premises Active Directory. This gives you the best of both worlds - cloud-managed users with traditional LDAP/RADIUS authentication for your network devices.

Azure AD vs Azure AD DS: They're different! Regular Azure AD is the cloud identity service. Azure AD DS adds traditional AD features like LDAP, Kerberos, and domain join. You need Azure AD DS (the "Domain Services" part) for Warden to connect via LDAP.

Before You Start

You'll need:

  • Azure AD DS deployed and running - This is a separate service from regular Azure AD
  • Secure LDAP (LDAPS) enabled - Azure AD DS supports LDAPS on port 636
  • Network path to Azure AD DS - Either via Azure VPN, ExpressRoute, or public LDAPS access
  • A service account - A user in Azure AD that's synced to Azure AD DS

Heads up: Azure AD DS can take 30+ minutes to provision and another 30+ minutes after enabling Secure LDAP. Plan accordingly!

Setting Things Up

Step 1: Enable Secure LDAP in Azure

If you haven't already, enable Secure LDAP on your Azure AD DS instance:

  1. Go to Azure Portal → Your Azure AD DS instance
  2. Navigate to Secure LDAP in the left menu
  3. Toggle Secure LDAP to Enabled
  4. Upload a certificate as a PFX that includes the private key (its subject and DNS Subject Alternative Name must be the wildcard for your managed domain; see the tip below)
  5. If Warden is outside Azure, enable Allow secure LDAP access over the internet, note the Secure LDAP external IP address the portal then shows, and make a hostname covered by the certificate (e.g., ldaps.yourdomain.onmicrosoft.com) resolve to that IP from wherever Warden runs. With a custom managed domain a public DNS A record works; with a .onmicrosoft.com managed domain you don't control public DNS, so the record goes in your own resolver or a hosts entry on the Warden host.
  6. Wait for the change to take effect (allow 30 minutes or more, as noted above)

Certificate tip: A self-signed certificate is fine for testing; for production, use one from a CA you trust. The subject and, more importantly, the DNS Subject Alternative Name must be the wildcard for your managed domain (e.g., *.yourdomain.onmicrosoft.com). TLS clients validate the SAN, not just the CN, and a wildcard covers ldaps.yourdomain.onmicrosoft.com but not the bare yourdomain.onmicrosoft.com, so Warden must connect to a hostname under the domain, not to the domain itself.

Step 2: Create a Service Account

Warden needs credentials to query the directory:

  1. In Azure Portal, go to Azure Active Directory → Users
  2. Create a new user (e.g., svc-warden) with a strong, unique password; this is a cloud-only account whose only job is LDAP binds
  3. Wait for it to sync to Azure AD DS (up to 30 minutes). Password hashes reach Azure AD DS when the password is set, so a user created after Azure AD DS was deployed syncs automatically; if you reuse an older cloud-only account, reset its password first.
  4. Leave it as a plain user. Any synced user can bind and read the directory in Azure AD DS, which is all Warden needs. Don't add it to AAD DC Administrators: that group administers the managed domain and is local administrator on every domain-joined VM, far more than a read-only lookup account should hold.

Step 3: Configure in Warden

  1. Go to My Providers
  2. Click Add Provider
  3. Select LDAP / Active Directory
  4. Fill in the connection settings:

  • Host - A hostname covered by your Secure LDAP certificate. Inside the VNet it resolves through the DNS servers Azure AD DS provides; over the internet it is the name you pointed at the Secure LDAP external IP. Don't enter the bare managed domain name: a wildcard certificate does not cover it and the TLS handshake fails with a hostname mismatch.
    Example: ldaps.yourdomain.onmicrosoft.com
  • Port - 636 (Secure LDAP). Plain LDAP on 389 is reachable only inside the virtual network and would send the bind password in the clear, so use 636 even from within Azure.
  • Use TLS/SSL - Yes (required)
  • Bind DN - Your service account's UPN; Active Directory accepts a UPN in place of a distinguished name for simple binds
    Example: svc-warden@yourdomain.onmicrosoft.com
  • Bind Password - The service account password
  • User Base DN - The root of your domain tree. Users synced from Azure AD are placed in the AADDC Users OU, so you can narrow the search to OU=AADDC Users,DC=yourdomain,DC=onmicrosoft,DC=com.
    Example: DC=yourdomain,DC=onmicrosoft,DC=com
  • User Filter - (&(objectClass=user)(objectCategory=person))
  • Username Attribute - sAMAccountName (users type a short name such as svc-warden) or userPrincipalName (users type their full UPN). Azure AD DS derives sAMAccountName from the UPN prefix and generates a different value when that prefix is longer than 20 characters or collides with another account, so userPrincipalName is the predictable choice.
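The script below is an added example, not Warden's own code or anything from Microsoft; it runs the Step 3 settings against Azure AD DS before you save them, using the third-party ldap3 library (pip install ldap3). It does a certificate-verified LDAPS bind as the service account, then searches for one test user with Warden's User Filter combined with the Username Attribute. The hostname, DNs, CA bundle path and test username are assumptions to replace. The filter builder escapes the username per RFC 4515, which is what stops a login name like `*)(memberOf=...)` from rewriting the query.

```python
"""Pre-flight check for the Step 3 settings: verified LDAPS bind as the
service account, then a lookup of one test user with Warden's filter.

Added example, not Warden's own code. Hostnames, DNs, the CA bundle path and
the test user are placeholders (assumptions) to replace with your values.
"""
import ssl
import sys

USER_FILTER = "(&(objectClass=user)(objectCategory=person))"  # Warden's User Filter

# RFC 4515 escaping. The username comes from whoever is logging in, so it must
# never be able to change the shape of the filter (e.g. "*)(memberOf=...").
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, username_attr="sAMAccountName"):
    """Combine Warden's User Filter with a lookup on the Username Attribute."""
    if username_attr not in ("sAMAccountName", "userPrincipalName"):
        raise ValueError("username_attr must be sAMAccountName or userPrincipalName")
    # Flatten into a single AND so the filter stays readable in server logs.
    return "(&{}({}={}))".format(USER_FILTER[2:-1], username_attr, escape_filter_value(username))


def ldaps_lookup(host, bind_upn, bind_password, base_dn, username, ca_file,
                 username_attr="sAMAccountName"):
    """Bind over LDAPS with chain and hostname verification and return the DN of
    the matching user, or None. TLS and bind failures raise, so a bad setting
    fails loudly instead of looking like 'user not found'."""
    from ldap3 import ALL, Connection, Server, Tls  # third-party: pip install ldap3

    # CERT_REQUIRED plus a CA bundle is what a trusting client does; this is the
    # step that fails with "Certificate Error / TLS Failed" when the cert is wrong.
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls, get_info=ALL)
    conn = Connection(server, user=bind_upn, password=bind_password,
                      auto_bind=True, raise_exceptions=True)
    try:
        conn.search(base_dn, build_user_filter(username, username_attr),
                    attributes=["userPrincipalName", "sAMAccountName"])
        return conn.entries[0].entry_dn if conn.entries else None
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Placeholders (assumptions). The bind password is read from stdin so it
    # never appears in the process list or shell history.
    dn = ldaps_lookup(
        host="ldaps.yourdomain.onmicrosoft.com",
        bind_upn="svc-warden@yourdomain.onmicrosoft.com",
        bind_password=sys.stdin.readline().rstrip("\n"),
        base_dn="OU=AADDC Users,DC=yourdomain,DC=onmicrosoft,DC=com",
        username="alice",
        ca_file="/etc/ssl/certs/aadds-ldaps-ca.pem",
    )
    print("found:", dn or "no match (check sync time and Username Attribute)")
```

Run it as `echo "$BIND_PASSWORD" | python3 ldaps_check.py`. A raised `LDAPSocketOpenError` points at the network or certificate, a bind error at the service account, and an empty result at sync timing or the wrong Username Attribute.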

Using Azure MFA with RADIUS

Want to add Azure MFA to your network authentication? You have two options:

Option 1: NPS Extension (Most Common)

Install the Azure MFA NPS Extension on a Windows Server, then configure Warden to use that NPS server as a RADIUS identity provider.

Important timeout settings: Azure MFA with push notifications needs time for users to respond. Set your timeouts to at least 60 seconds. See our RADIUS timeout guide for details.

Option 2: Conditional Access (Azure AD Premium)

If you're using SAML for authentication, you can leverage Azure AD Conditional Access policies to require MFA for specific apps or conditions. Conditional Access is evaluated only at Azure AD sign-in: it never sees LDAP binds against Azure AD DS, so it adds nothing to the LDAP/RADIUS path described above.

Troubleshooting

Connection Timeout

What's happening: Warden can't reach Azure AD DS.

Things to check:

  • Is your VPN/ExpressRoute connection active?
  • Check the NSG on the Azure AD DS subnet - TCP 636 must be allowed inbound from Warden's source IP
  • If using internet access, is "Allow secure LDAP access over the internet" enabled, and does the hostname you entered resolve to the Secure LDAP external IP?
  • DNS resolution working? Check with nslookup or dig rather than ping: ICMP is commonly blocked, so a failed ping proves nothing, while a TCP connection to port 636 does.

Certificate Error / TLS Failed

What's happening: Warden doesn't trust the Azure AD DS certificate.

Things to check:

  • Using a self-signed cert? Import that certificate (or, for a CA-issued cert, the issuing CA chain) into Warden's trust store.
  • Certificate expired? Check the expiration date in Azure portal.
  • Hostname mismatch? The hostname you entered in Warden must be covered by the certificate's DNS SAN. A wildcard such as *.yourdomain.onmicrosoft.com covers ldaps.yourdomain.onmicrosoft.com but not the bare managed domain name.
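To separate the two failures above without guessing, here is an added, standard-library-only Python check (not Warden's own diagnostics): it resolves and TCP-connects to port 636 first, so a timeout is attributed to NSG/VPN/internet access rather than to TLS, then completes a fully verified handshake and reports exactly why a certificate was rejected. The host and CA path are assumptions; SAMPLE_CERT is constructed for the offline demo in the shape ssl.getpeercert() returns and is not a real Azure AD DS certificate. The hostname matcher applies the RFC 6125 wildcard rule, which is why the bare managed domain fails against a wildcard cert.

```python
"""Stdlib-only checks for the two failures above: can Warden's host reach
port 636 at all, and does the certificate it gets back verify for the
hostname it will use?

Added example, not Warden's own diagnostics. Host and CA path are placeholders
(assumptions); SAMPLE_CERT is constructed for the offline demo in the dict
shape ssl.getpeercert() returns and is not a real Azure AD DS certificate.
"""
import socket
import ssl
from datetime import datetime, timezone


def tcp_connect(host, port=636, timeout=5.0):
    """DNS + TCP only. A timeout here is an NSG, VPN/ExpressRoute or 'allow over
    the internet' problem, not a certificate problem."""
    addr = socket.gethostbyname(host)  # socket.gaierror means DNS is the issue
    return socket.create_connection((addr, port), timeout=timeout)


def fetch_peer_cert(host, port=636, ca_file=None, timeout=5.0):
    """Do a fully verified TLS handshake and return the peer certificate dict.

    create_default_context verifies the chain and the hostname, so a self-signed
    cert without ca_file, an expired cert or a SAN mismatch raises
    ssl.SSLCertVerificationError here with the exact reason."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with tcp_connect(host, port, timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def _name_matches(pattern, host):
    """RFC 6125 wildcard rule: '*' only as the whole leftmost label, never spanning
    a dot, so *.d.com matches ldaps.d.com but not d.com or a.b.d.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return pattern == host


def cert_covers_hostname(cert, host):
    """True if a DNS SAN matches host. CN is used only when there is no SAN at all,
    a certificate shape modern clients reject outright."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, host) for n in names)


def days_until_expiry(cert, now=None):
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (not_after - now).total_seconds() / 86400


def diagnose(cert, host, now=None):
    """Human-readable list of problems; an empty list means the cert is fine for host."""
    problems = []
    if not cert_covers_hostname(cert, host):
        problems.append("hostname mismatch: {} is not covered by the certificate".format(host))
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append("certificate expired")
    elif days < 30:
        problems.append("certificate expires in {:.0f} days, renew it".format(days))
    return problems


# Constructed sample: a correctly issued wildcard cert as ssl.getpeercert() presents it.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.yourdomain.onmicrosoft.com"),),),
    "subjectAltName": (("DNS", "*.yourdomain.onmicrosoft.com"),),
    "notAfter": "Jan  5 09:30:00 2027 GMT",
}


if __name__ == "__main__":
    host = "ldaps.yourdomain.onmicrosoft.com"  # placeholder
    try:
        cert = fetch_peer_cert(host, ca_file="/etc/ssl/certs/aadds-ldaps-ca.pem")
    except (socket.gaierror, socket.timeout, ConnectionRefusedError) as exc:
        print("network/DNS problem (see Connection Timeout):", exc)
    except ssl.SSLCertVerificationError as exc:
        print("certificate rejected (see Certificate Error):", exc.verify_message)
    else:
        print(diagnose(cert, host) or ["OK"])
```

Point it at a self-signed test certificate without ca_file and you get the same "self-signed certificate" verify message Warden is hiding behind "TLS Failed"; point it at the bare managed domain name and the hostname-mismatch branch fires even though the certificate is otherwise valid.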

User Not Found / Bind Failed

What's happening: The service account isn't working or users aren't syncing.

Things to check:

  • Has the user synced to Azure AD DS? This can take up to 30 minutes.
  • Is the service account a regular synced user whose password was set after Azure AD DS was deployed? It needs no group membership to bind and read; if it never received a password hash, reset the password and wait for the sync.
  • Try using the UPN format for the bind DN (user@domain.onmicrosoft.com)
  • Check Azure AD DS health in the Azure portal

Azure MFA Push Not Arriving

What's happening: Authentication times out waiting for MFA.

Things to check:

  • Is your RADIUS timeout set to 60+ seconds?
  • Is the user registered for Azure MFA?
  • Check the Azure AD sign-in logs for errors
  • Verify the NPS extension is configured correctly

Security Best Practices

  • Use a dedicated service account - Don't use admin or personal accounts
  • Limit network access - Use NSG rules to restrict LDAPS access to Warden's IP
  • Monitor sign-ins - LDAP binds against Azure AD DS do not appear in Azure AD sign-in logs. Enable security audits for the managed domain (Diagnostic settings on the Azure AD DS resource) and stream them to Log Analytics or an Event Hub; Azure AD sign-in logs cover only Azure AD itself, such as SAML logins and NPS-extension MFA prompts.
  • Keep certificates current - Set a reminder to renew before expiration
  • Consider Conditional Access - Add extra security layers with Azure AD Premium

What's Next?