
Entra Domain Services is not replicated across multiple regions

Reliability · Entra Domain Services · Rule · 2025_06 · Important

Applications or infrastructure relying on a managed domain may fail if the domain is not available.

Description

By default, Microsoft Entra Domain Services (previously Azure AD DS) deploys a single replica set in one region, which lets applications use the managed domain for authentication and authorization from that region only.

To improve the resiliency and reduce the latency of an application that uses a managed domain, you can deploy a replica set in each region where the application is deployed, provided that region also supports Domain Services.

Deploying replica sets in different regions gives this identity service resiliency against a regional outage: if the primary region is unavailable, domain controllers in the other replica set regions continue to serve the domain. Even when an application does not itself run across multiple regions, a second replica set region is often a disaster recovery requirement.

To configure cross-region replication, Domain Services requires the Enterprise or Premium SKU; the Standard SKU only supports a single replica set. There are also virtual network requirements for cross-region replication: each replica set needs its own subnet, and the virtual networks that host the replica sets must be peered with each other so the domain controllers can replicate. See the linked documentation for more details.

Recommendation

Consider deploying a replica set in two or more regions where applications relying on the managed domain are deployed.

Examples

Configure with Bicep

To deploy domains that pass this rule:

  • Update the properties.replicaSets property to include a replica set in each region where the application is deployed. Each replica set's subnetId must refer to a subnet in the region named by its location.
  • Set the properties.sku property to Enterprise or Premium.

For example:

Azure Bicep snippet
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    sku: 'Enterprise'
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled'
    }
    replicaSets: [
      {
        subnetId: primarySubnetId
        location: location
      }
      {
        subnetId: secondarySubnetId
        location: secondaryLocation
      }
    ]
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/aad/domain-service:<version>

To use the latest version:

br/public:avm/res/aad/domain-service:0.3.2

Configure with Azure template

To deploy domains that pass this rule:

  • Update the properties.replicaSets property to include a replica set in each region where the application is deployed. Each replica set's subnetId must refer to a subnet in the region named by its location.
  • Set the properties.sku property to Enterprise or Premium.

For example:

Azure Template snippet
{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": "Enterprise",
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    },
    "replicaSets": [
      {
        "subnetId": "[parameters('primarySubnetId')]",
        "location": "[parameters('location')]"
      },
      {
        "subnetId": "[parameters('secondarySubnetId')]",
        "location": "[parameters('secondaryLocation')]"
      }
    ]
  }
}
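As an added check (this is example code written for this page, not PSRule's own rule implementation), the following Python evaluates domain resources in the JSON shape shown above, as they appear in an exported template or in the output of az resource show, and reports any that would fail this rule. It also handles two cases the snippets above do not make obvious: a resource with no replicaSets entry (treated here, as an assumption, as the default single replica set in the resource's own location), and two replica sets that name the same region in different spellings ("eastus" versus "East US"), which still counts as one region. The sample resources, names and subnet IDs are constructed placeholders.

```python
import json

# SKUs that allow replica sets outside the primary region.
CROSS_REGION_SKUS = {"Enterprise", "Premium"}


def normalize_location(location):
    """ARM accepts both 'East US' and 'eastus'; compare on the canonical short form."""
    return location.replace(" ", "").lower()


def regions_of(resource):
    """Distinct regions that host a replica set for this managed domain.

    Assumption: a resource with no replicaSets entry is treated as a single
    replica set in the resource's own location, which is the default deployment.
    """
    props = resource.get("properties", {})
    replica_sets = props.get("replicaSets") or []
    if not replica_sets:
        return {normalize_location(resource["location"])}
    return {normalize_location(rs["location"]) for rs in replica_sets}


def check_replica_regions(resource):
    """Return a list of findings for one Microsoft.AAD/domainServices resource.

    An empty list means the resource passes: two or more distinct regions and a
    SKU that supports cross-region replica sets.
    """
    findings = []
    props = resource.get("properties", {})
    regions = regions_of(resource)
    sku = props.get("sku", "Standard")

    if len(regions) < 2:
        findings.append(
            f"replica sets span only {len(regions)} region(s) "
            f"({', '.join(sorted(regions))}); deploy a replica set in at least one more region"
        )
    if sku not in CROSS_REGION_SKUS:
        findings.append(
            f"sku '{sku}' does not support cross-region replica sets; use Enterprise or Premium"
        )
    return findings


def non_compliant(resources):
    """Map of resource name -> findings for every managed domain that fails the rule."""
    results = {}
    for res in resources:
        if res.get("type", "").lower() != "microsoft.aad/domainservices":
            continue  # ignore anything that is not a managed domain
        findings = check_replica_regions(res)
        if findings:
            results[res["name"]] = findings
    return results


# Constructed sample input: three domains in the ARM JSON shape used on this page.
_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-identity"
           "/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/snet-aadds")
SAMPLE_RESOURCES = [
    {   # default deployment: one replica set, Standard SKU -> fails on both counts
        "type": "Microsoft.AAD/domainServices", "name": "contoso-single", "location": "eastus",
        "properties": {"sku": "Standard", "replicaSets": [
            {"subnetId": _SUBNET.format(vnet="vnet-eastus"), "location": "eastus"}]},
    },
    {   # replica sets in two regions, Enterprise SKU -> passes
        "type": "Microsoft.AAD/domainServices", "name": "contoso-multi", "location": "eastus",
        "properties": {"sku": "Enterprise", "replicaSets": [
            {"subnetId": _SUBNET.format(vnet="vnet-eastus"), "location": "eastus"},
            {"subnetId": _SUBNET.format(vnet="vnet-westus2"), "location": "West US 2"}]},
    },
    {   # two replica sets, but both in the same region spelled differently -> fails
        "type": "Microsoft.AAD/domainServices", "name": "contoso-same-region", "location": "eastus",
        "properties": {"sku": "Enterprise", "replicaSets": [
            {"subnetId": _SUBNET.format(vnet="vnet-eastus-a"), "location": "eastus"},
            {"subnetId": _SUBNET.format(vnet="vnet-eastus-b"), "location": "East US"}]},
    },
]

if __name__ == "__main__":
    print(json.dumps(non_compliant(SAMPLE_RESOURCES), indent=2))
```

Running the script prints findings for contoso-single and contoso-same-region only. To run it against a real subscription, feed it the array returned by az resource list --resource-type Microsoft.AAD/domainServices with properties expanded; the check itself does not depend on how the JSON was obtained.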
