How to deploy Microsoft Entra Domain Services within Landing Zone Architecture

[rheight-sav]

There is good documentation around the Identity and Access Management landing zone, but there aren't any examples I can find of how you would actually implement a deployment like that (in Terraform or otherwise).

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#identity-and-access-management-in-azure-landing-zones

Does anyone have any working examples how how they have done Microsoft Entra Domain Service integration within the Landing Zone Architecture?

[chrismacias06]

I have the same thoughts. I would like to deploy Microsoft Entra Domain Services in a dedicated Identity Subscription via terraform. I also want to have a connectivity (transit vnet) using virtual wan in a seperate management group and subscription. I want to make sure traffic can traverse from Identity --> Connectivity --> Corp or Online application in a global manner with low latency.

[a-ariff]

Microsoft’s Cloud Adoption Framework (CAF) recommends placing identity services such as Microsoft Entra Domain Services in a dedicated “identity” subscription and virtual network, then integrating that network with your hub and workload VNets. There isn’t a ready‑made Terraform module in the enterprise‑scale repo, but the deployment pattern is straightforward:

• Create a separate identity subscription and a virtual network with at least one subnet for Entra Domain Services.
• Deploy Microsoft Entra Domain Services into that subnet using the Azure portal or the Terraform azurerm_active_directory_domain_service resource. Specify your tenant and domain name.
• Enable synchronization so that user accounts from your Microsoft Entra ID tenant populate the managed domain.
• Peer the identity VNet with your hub/landing‑zone VNet or use a virtual hub so traffic can traverse from workloads to the managed domain. Update DNS settings on workload VNets to point to the Entra Domain Services IP addresses.
• Optionally link a private DNS zone to the relevant VNets so domain‑joined VMs can resolve domain controller names.

This aligns with the CAF identity and access management design area【170421221927050†L25-L27】. You can adapt the identity subscription module from the enterprise‑scale Terraform samples and then add resources like azurerm_active_directory_domain_service, plus the necessary network peering and DNS configuration, to deploy a complete solution.