Forum Discussion
experi18
Oct 05, 2023Brass Contributor
Azure CLI to join a domain
Hi, which parameters should I add into my script to create Azure VM (via CLI) in order to automatically join my domain?
KennethML
Apr 15, 2024Iron Contributor
Obviously, you cannot do it before it is created 🙂
If you deploy the VM using a template (e.g. ARM) you can add a JsonADDomainExtension resource to the template and the VM will be joined to AD Domain when it is created. You can also use Powershell or CLI to add the extension to the VM after creation.
You cannot do it using the Run Command feature in Azure portal as the script will run in Local System context and will (hopefully) not have permissions to join the domain.
experi18
Apr 17, 2024Brass Contributor
KennethML oh yeah, sure, it is not possible before it is created hehehe
But I mean, in the process of the creation of the machine, is it possible that after the creation, the machine is already in the domain?
KennethML
Apr 23, 2024Iron Contributor
Hi again.
If you deploy using template (ARM/Bicep/Terraform) the VM will be domain joined when the deployment is done.
If you add the extension to the VM using PowerShell or CLI, you will need to run the command after VM is created.
Hope it makes sense.
experi18
Apr 24, 2024Brass Contributor
KennethML
Thanks for the response my friend.
I still have some questions:
1 - Do you have an example of code or something using (ARM/Bicep/Terraform) that joins the VM automatically to a domain?
2 - Is it possible for me to do it, but just using PowerShell Scripts in order to create VMs? That's the way I'm doing it right now.
3 - When I'm creating a VM on the advanced tab, extensions. Is it possible for me to add a machine into the domain over there?
KennethML
Apr 24, 2024Iron Contributor
Hi experi18
2: If you use a Powershell script to create the VM, like New-AzVm, you can add the Set-AzVMADDomainExtension cmdlet to the script (https://learn.microsoft.com/en-us/powershell/module/az.compute/set-azvmaddomainextension?view=azps-11.5.0). You need to add a credential object that has the ability to join a computer to the domain. I often use a service account with a secret in a Key Vault, which I can use from the deployment API; you can also get the secret from a Key Vault with Powershell and use that.
1: ARM template for domain joining a VM named "vm-name" is this:
{ "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2022-08-01", "name": "[concat('vm-name', '/joindomain')]", "location": "[resourceGroup().location]", "dependsOn": [ "[resourceId('Microsoft.Compute/virtualMachines', 'vm-name')]" ], "properties": { "publisher": "Microsoft.Compute", "type": "JsonADDomainExtension", "typeHandlerVersion": "1.3", "autoUpgradeMinorVersion": true, "settings": { "Name": "[parameters('domainToJoin')]", // contoso.com "OUPath": "[parameters('ouPath')]", // OU=servers,DC=contoso,DC=com "User": "[concat(parameters('domainToJoin'),'\\',parameters('adminUsername'))]", // contoso.com\\svc-vm-ad-join-account "Restart": "true", "Options": "3" }, "protectedSettings": { "Password": "[parameters('adminPassword')]" } } }
3: It doesn't seem to be possible to add the AdDomainJoin extension from the portal.
Hope it makes sense.
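Putting answers 1 and 2 together as a PowerShell script (an added example, not code from the thread or from Microsoft): it creates the VM with New-AzVM, pulls the join account's password from Key Vault as a SecureString, adds the same JsonADDomainExtension via Set-AzVMADDomainExtension, and then checks the extension's provisioning state. The resource group, Key Vault, secret, image and account names are assumptions.

```powershell
# Added example (not from the thread). All names below are placeholders.
$rg         = 'rg-example'                  # assumed resource group
$location   = 'westeurope'
$vmName     = 'vm-name'
$domain     = 'contoso.com'
$ouPath     = 'OU=servers,DC=contoso,DC=com'
$joinUser   = 'svc-vm-ad-join-account'      # account delegated only "join computer to domain"
$vaultName  = 'kv-example'                  # Key Vault holding that account's password
$secretName = 'svc-vm-ad-join-password'     # assumed secret name

# Local administrator credential for the VM itself (prompted, never hard-coded).
$localAdmin = Get-Credential -Message 'Local administrator for the new VM'

# 1. Create the VM (simplified New-AzVM form; network resources are created for you).
New-AzVM -ResourceGroupName $rg -Name $vmName -Location $location `
         -Image 'Win2019Datacenter' -Size 'Standard_B2s' -Credential $localAdmin | Out-Null

# 2. Fetch the join account's password from Key Vault. SecretValue is already a
#    SecureString, so no plaintext copy lands in the session or a transcript.
$secret   = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
$joinCred = [pscredential]::new("$domain\$joinUser", $secret.SecretValue)

# 3. Add the extension after creation. -JoinOption 3 = join the domain and create
#    the computer account, matching "Options": "3" in the ARM template above; the
#    cmdlet places the password in protectedSettings for you.
Set-AzVMADDomainExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name 'joindomain' -DomainName $domain -OUPath $ouPath `
    -Credential $joinCred -JoinOption 3 -Restart

# 4. Verify the join actually succeeded before handing the VM over.
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'joindomain'
if ($ext.ProvisioningState -ne 'Succeeded') {
    throw "Domain join extension ended in state '$($ext.ProvisioningState)'"
}
```

The identity running the script needs the "get" secret permission (or Key Vault Secrets User role) on the vault; the join account itself only needs the delegated right to create computer objects in the target OU.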