Azure Active Directory Domain Services is now generally available, and general availability pricing began on December 1, 2016. The original pricing model, proposed during public preview, included three prices based on the number of directory objects: 0–5,000, 5,000–25,000, and 25,000–100,000.
Now Microsoft is combining the first two tiers into a single price point for all directories with under 25,000 objects and lowering the price by 25 percent. If your directory size is under 25,000 objects, you will continue to see usage listed against “S2 Domain Services Hours” on your invoice until December 1, 2016. After that, it will be renamed “S1 Domain Services Hours.” If your directory size is between 25,000 and 100,000 objects, you will see usage listed against “S3 Domain Services Hours” on your invoice until December 1, 2016, after which it will be renamed “S2 Domain Services Hours.”
Password synchronization is mandatory for hybrid organizations to use Azure AD Domain Services. It is required because users’ credentials must be present in the managed domain provided by Azure AD Domain Services in order to authenticate these users via NTLM or Kerberos.
This feature enables users to sign in to the domain using their corporate credentials – for example, when connecting remotely to machines joined to the domain via Remote Desktop. Administrators can provision access to resources in the domain using existing group memberships. Applications deployed in virtual machines on the virtual network can use features like domain join, LDAP read, LDAP bind, NTLM and Kerberos authentication, and Group Policy.
A few salient aspects of the managed domain that is provisioned by Azure AD Domain Services are as follows:
- The managed domain is a stand-alone domain. It is not an extension of the customer’s on-premises domain.
- The customer’s IT administrator does not need to manage, patch, or monitor domain controllers for this managed domain.
- There is no need to manage AD replication to this domain. User accounts, group memberships, and credentials from the customer’s on-premises directory are synchronized to Azure AD via Azure AD Connect. These user accounts, group memberships, and credentials are automatically available within the managed domain.
- Since the domain is managed by Azure AD Domain Services, the customer’s IT administrator does not have Domain Administrator or Enterprise Administrator privileges on this domain.