Entra Domain Services replica location is not allowed#
Security · Entra Domain Services · Rule · 2025_06 · Important
The location of a replica set determines the country or region where the data is stored and processed.
Description#
Azure supports deployment to many locations around the world called regions. Many organizations have requirements or legal obligations that limit where data can be stored or processed. This is commonly known as data residency.
Entra Domain Services managed domains are deployed into a primary region and can optionally be replicated to additional regions. Each deployment in a region is called a replica set. A replica set holds a copy of the directory data, which is stored and processed in that region and is subject to that region's legal requirements.
To align with your organizational requirements, you may choose to limit the regions that replica sets can be deployed to. This allows you to ensure that resources are deployed to regions that meet your data residency requirements.
Some resources, particularly those related to preview services or features, may not be available in all regions.
Recommendation#
Consider deploying Entra Domain Services replica sets only to allowed regions to align with your organizational requirements. Also consider using Azure Policy to enforce allowed regions at deployment time, so that a replica set in a disallowed region is rejected rather than only reported.
Examples#
Configure with Bicep#
To deploy domains that pass this rule:
- Set the `location` property of each replica set specified in `properties.replicaSets` to an allowed region.
For example:
```bicep
resource ds 'Microsoft.AAD/domainServices@2022-12-01' = {
  name: name
  location: location
  properties: {
    sku: 'Enterprise'
    ldapsSettings: {
      ldaps: 'Enabled'
    }
    domainSecuritySettings: {
      ntlmV1: 'Disabled'
      tlsV1: 'Disabled'
      kerberosRc4Encryption: 'Disabled'
    }
    replicaSets: [
      {
        subnetId: primarySubnetId
        location: location
      }
      {
        subnetId: secondarySubnetId
        location: secondaryLocation
      }
    ]
  }
}
```
Configure with Azure Verified Modules
A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:
To use the latest version:
Configure with Azure template#
To deploy domains that pass this rule:
- Set the `location` property of each replica set specified in `properties.replicaSets` to an allowed region.
For example:
```json
{
  "type": "Microsoft.AAD/domainServices",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": "Enterprise",
    "ldapsSettings": {
      "ldaps": "Enabled"
    },
    "domainSecuritySettings": {
      "ntlmV1": "Disabled",
      "tlsV1": "Disabled",
      "kerberosRc4Encryption": "Disabled"
    },
    "replicaSets": [
      {
        "subnetId": "[parameters('primarySubnetId')]",
        "location": "[parameters('location')]"
      },
      {
        "subnetId": "[parameters('secondarySubnetId')]",
        "location": "[parameters('secondaryLocation')]"
      }
    ]
  }
}
```
Notes#
This rule requires one or more allowed regions to be configured. By default, all regions are allowed.
Rule configuration#
AZURE_RESOURCE_ALLOWED_LOCATIONS
To configure this rule, set the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value to a set of allowed regions.
For example:
If you configure the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration value, also consider setting the AZURE_RESOURCE_GROUP configuration value. It supplies the resource group location that is used when a resource takes its location from the resource group (for example, by referencing resourceGroup().location), so that such replica sets can be evaluated against the allowed list instead of being left unresolved.
For example:
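The following script is an added example and is not PSRule's own implementation of this rule. It shows what the rule configuration above amounts to in practice: it walks the Microsoft.AAD/domainServices resources of an ARM template, resolves each replica set's location expression (a literal, a parameter, or resourceGroup().location, which is where the AZURE_RESOURCE_GROUP value comes in) and reports any replica set outside the allowed list. The template, parameter values, resource-group location and allowed-region list are all constructed inline; the template is the page's own example extended with a third replica set that inherits the resource group location. An empty allowed list is treated as "all regions allowed", matching the rule's default when no allowed regions are configured.

```python
"""Evaluate Microsoft.AAD/domainServices replica-set locations in an ARM
template against an allowed-region list.

Added example, not PSRule's rule implementation. Every input below is
constructed inline so the script runs offline.
"""
import re

# Stand-in for the AZURE_RESOURCE_ALLOWED_LOCATIONS configuration (constructed).
ALLOWED_LOCATIONS = ["australiaeast", "australiasoutheast"]

# Stand-in for the AZURE_RESOURCE_GROUP configuration: the location a template
# resolves when it references resourceGroup().location (constructed).
RESOURCE_GROUP = {"location": "australiaeast"}

# Constructed subnet resource IDs (zero GUID, hypothetical names).
SUBNET_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                 "rg-ds/providers/Microsoft.Network/virtualNetworks/vnet-ds/subnets/")

# Constructed parameter values as they would be passed at deployment time.
# "West US 2" is deliberately a display name to exercise region normalization.
PARAMETERS = {
    "name": "contoso.com",
    "location": "australiaeast",
    "secondaryLocation": "West US 2",
    "primarySubnetId": SUBNET_PREFIX + "primary",
    "secondarySubnetId": SUBNET_PREFIX + "secondary",
    "tertiarySubnetId": SUBNET_PREFIX + "tertiary",
}

# Constructed template: the page's example plus a third replica set whose
# location is inherited from the resource group.
TEMPLATE = {
    "resources": [
        {
            "type": "Microsoft.AAD/domainServices",
            "apiVersion": "2022-12-01",
            "name": "[parameters('name')]",
            "location": "[parameters('location')]",
            "properties": {
                "sku": "Enterprise",
                "replicaSets": [
                    {"subnetId": "[parameters('primarySubnetId')]",
                     "location": "[parameters('location')]"},
                    {"subnetId": "[parameters('secondarySubnetId')]",
                     "location": "[parameters('secondaryLocation')]"},
                    {"subnetId": "[parameters('tertiarySubnetId')]",
                     "location": "[resourceGroup().location]"},
                ],
            },
        }
    ]
}


def normalize(location):
    """Azure accepts display names ("West US 2") and short names ("westus2")
    for the same region; compare on the short, lower-case form."""
    return re.sub(r"\s+", "", location).lower()


def resolve(expr, parameters, resource_group):
    """Resolve the subset of ARM expressions that commonly carry a location:
    a literal, parameters('x'), or resourceGroup().location."""
    if not (expr.startswith("[") and expr.endswith("]")):
        return expr
    inner = expr[1:-1].strip()
    match = re.fullmatch(r"parameters\('([^']+)'\)", inner)
    if match:
        return parameters[match.group(1)]
    if inner == "resourceGroup().location":
        return resource_group["location"]
    raise ValueError(f"unsupported location expression: {expr}")


def check_domain_service(resource, parameters, resource_group, allowed):
    """Return (index, resolved location) for each replica set outside the
    allowed list. An empty list means every region is allowed, which is the
    rule's default when AZURE_RESOURCE_ALLOWED_LOCATIONS is not configured."""
    if not allowed:
        return []
    allowed_set = {normalize(a) for a in allowed}
    findings = []
    replica_sets = resource.get("properties", {}).get("replicaSets", [])
    for index, replica_set in enumerate(replica_sets):
        location = resolve(replica_set["location"], parameters, resource_group)
        if normalize(location) not in allowed_set:
            findings.append((index, location))
    return findings


def check_template(template, parameters, resource_group, allowed):
    """Map each managed domain name in the template to its findings."""
    results = {}
    for resource in template.get("resources", []):
        if resource.get("type", "").lower() != "microsoft.aad/domainservices":
            continue
        name = resolve(resource["name"], parameters, resource_group)
        results[name] = check_domain_service(resource, parameters, resource_group, allowed)
    return results


if __name__ == "__main__":
    report = check_template(TEMPLATE, PARAMETERS, RESOURCE_GROUP, ALLOWED_LOCATIONS)
    for name, findings in report.items():
        for index, location in findings:
            print(f"FAIL {name}: replicaSets[{index}] is in {location!r}")
        if not findings:
            print(f"PASS {name}")
```

With the constructed inputs the primary and resource-group-derived replica sets pass and the secondary set in West US 2 is reported; changing the stand-in resource group location to a disallowed region makes the third replica set fail as well, which is the case the AZURE_RESOURCE_GROUP setting exists to catch.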
Links#
- SE:01 Security baseline
- Tutorial: Create and use replica sets for resiliency or geolocation in Microsoft Entra Domain Services
- Replica sets concepts and features for Microsoft Entra Domain Services
- Data residency in Azure
- Azure geographies
- Azure deployment reference