
Table of Contents
- Introduction
- Prerequisites and Planning
- Step 1: Preparing Azure Local and Azure Local SDN
- Step 2: Initial Entra ID Setup
- Step 3: Network Requirements and Best Practices
- Step 4: Integrating Entra ID with Azure Local
- Step 5: Hands-On Configuration with Portal, PowerShell, and Bicep
- Step 6: Validating and Testing the Integration
- Troubleshooting and Common Pitfalls
- Conclusion
Introduction
Hybrid identity is foundational to modern cloud and edge deployments. Microsoft Entra ID (formerly Azure AD) provides secure identity services for both cloud and hybrid environments. Integrating Entra ID with Azure Local (formerly Azure Stack HCI) and Azure Local SDN enables seamless authentication, conditional access, and centralized policy enforcement for on-premises and hybrid workloads.
This guide will walk you through a practical, step-by-step process to connect Entra ID with Azure Local and configure networking with Azure Local SDN, supporting scenarios from lab environments to enterprise-grade deployments.
Prerequisites and Planning
Before beginning, confirm the following:
- Azure Local / Azure Stack HCI cluster deployed and operational.
- Azure Local SDN (Software Defined Networking) enabled.
- Access to an Azure subscription with Entra ID tenant admin rights.
- Sufficient network connectivity between your on-premises cluster and Azure public cloud.
- PowerShell 7+ and Azure CLI installed on your admin workstation.
- Windows Admin Center access for GUI-driven tasks.
Optional: Familiarity with Bicep, ARM templates, and Azure Portal.
Step 1: Preparing Azure Local and Azure Local SDN
1.1. Update and Validate Environment
- Update Azure Local (HCI) to the latest cumulative update.
- Validate SDN stack is running with all required components: Network Controller, SLB, Gateways, and MUX VMs.
```powershell
# Example: Validate SDN Services
Get-NetworkController | Select Name, State
Get-SdnService
```
1.2. Network Segmentation and Naming
- Plan separate SDN logical networks for management, compute, and identity services.
- Document all VLANs, subnets, and gateways to avoid overlapping IP spaces.
Step 2: Initial Entra ID Setup
2.1. Review Tenant and Directory Structure
- Confirm you have an Entra ID tenant ready for integration.
- Create or select an Organizational Unit (OU) for Azure Local servers if using Entra ID Domain Services (Entra ID DS).
2.2. Enable Entra Hybrid Join
- In Entra ID Portal, go to Devices > Device Settings.
- Set “Users may join devices to Azure AD” to “All.”
- Enable Hybrid Azure AD Join via Azure AD Connect if needed for Windows Server nodes.
2.3. Register Azure Local HCI with Entra
```powershell
# Register Azure Stack HCI with Azure (if not already registered)
Register-AzStackHCI -SubscriptionId "<your-subscription-id>" -Region "<region>"
```
Or use Windows Admin Center to connect and register.
Step 3: Network Requirements and Best Practices
3.1. Required Ports and Protocols
Ensure the following ports are open from Azure Local to Entra ID and Azure endpoints:
| Protocol | Port(s) | Direction | Purpose |
|---|---|---|---|
| HTTPS | 443 | Outbound | Entra, Azure Resource Manager |
| LDAP/S | 636 | Outbound | Entra Domain Services (optional) |
| Kerberos | 88 | Bidirect. | Authentication (hybrid) |
| DNS | 53 | Bidirect. | Name resolution |
- Ensure no SDN security policy (NSG, firewall) blocks these ports.
- If using Private Link or custom DNS, validate name resolution for *.entra.microsoft.com and the Azure endpoints.
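A connectivity check for the table above, added here as an example (it is not part of the original guide and also covers the network verification in Step 6): it resolves each endpoint and then tests the TCP port from the node. The login.microsoftonline.com and management.azure.com host names are assumptions about which Entra and Resource Manager endpoints you depend on; the Entra DS entries are placeholders to fill in with your own domain.

```powershell
# Added example (not from the original article). Requires the DnsClient and NetTCPIP modules
# that ship with Windows Server / Windows PowerShell 5.1 and PowerShell 7 on Windows.
$checks = @(
    @{ Name = 'Entra sign-in (HTTPS)';          Target = 'login.microsoftonline.com'; Port = 443 }  # assumed endpoint
    @{ Name = 'Azure Resource Manager (HTTPS)'; Target = 'management.azure.com';      Port = 443 }  # assumed endpoint
    @{ Name = 'Entra admin center (HTTPS)';     Target = 'entra.microsoft.com';       Port = 443 }
    # Optional rows from the table: replace the placeholder with your Entra DS / AD DS domain name
    @{ Name = 'Entra DS LDAPS';                 Target = '<your-entra-ds-domain>';    Port = 636 }
    @{ Name = 'Entra DS Kerberos';              Target = '<your-entra-ds-domain>';    Port = 88  }
)

function Test-EntraEndpoint {
    param([hashtable]$Check)
    # Placeholders that were not filled in are reported, not tested
    if ($Check.Target -like '<*>') {
        return [pscustomobject]@{ Name = $Check.Name; Target = $Check.Target; Port = $Check.Port; Dns = 'SKIPPED'; Tcp = 'SKIPPED' }
    }
    # Name resolution first: the DNS row of the table and the Private Link caveat both hinge on it
    $dns = try {
        (Resolve-DnsName -Name $Check.Target -Type A -ErrorAction Stop | Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
    } catch { 'FAIL' }
    # TCP reachability on the specific port; -InformationLevel Quiet returns a plain boolean
    $tcp = if ($dns -eq 'FAIL') { 'SKIPPED' }
           elseif (Test-NetConnection -ComputerName $Check.Target -Port $Check.Port -InformationLevel Quiet -WarningAction SilentlyContinue) { 'OK' }
           else { 'FAIL' }
    [pscustomobject]@{ Name = $Check.Name; Target = $Check.Target; Port = $Check.Port; Dns = $dns; Tcp = $tcp }
}

$results = $checks | ForEach-Object { Test-EntraEndpoint -Check $_ }
$results | Format-Table -AutoSize
# Non-zero exit code when anything failed, so the script can act as a post-deployment gate
if ($results.Dns -contains 'FAIL' -or $results.Tcp -contains 'FAIL') { exit 1 }
```

A DNS failure on a row usually points at the custom DNS / Private Link configuration; a TCP failure with working DNS points at an NSG, SLB or firewall rule.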
3.2. SDN Best Practices
- Use SDN Express for baseline automation.
- Segment identity workloads in their own SDN subnet.
- Apply NSG rules to restrict admin access.
- Use Software Load Balancer (SLB) for domain join and management endpoints.
Step 4: Integrating Entra ID with Azure Local
4.1. Identity Integration Methods
Choose your scenario:
- Cloud-Only: Azure Local HCI nodes join directly to Entra ID.
- Hybrid: Nodes join on-premises AD synced to Entra ID via Azure AD Connect or Entra Connect.
4.1.1. Cloud-Only Join
- Use Entra ID Join wizard in Windows Admin Center.
- Or via Settings on each node: Accounts > Access work or school > Connect.
4.1.2. Hybrid Join
- Install and configure Azure AD Connect or Entra Connect.
- Select OU containing Azure Local HCI nodes.
- Sync device objects to Entra ID.
Step 5: Hands-On Configuration with Portal, PowerShell, and Bicep
5.1. Portal Steps
- Register HCI Cluster in Azure Portal:
  - Go to Azure Portal > Azure Stack HCI.
  - Click “Register” and follow prompts.
- Verify Device Registration:
  - Azure Portal > Entra ID > Devices.
  - Confirm Azure Local nodes are listed.
- Enable Conditional Access (Optional):
  - Entra ID > Security > Conditional Access.
  - Create policy for Azure Local device group.
5.2. PowerShell Automation
```powershell
# Hybrid Join using PowerShell
# Note: the AzureAD module is deprecated in favour of the Microsoft Graph PowerShell SDK,
# but it still works for this step.
Install-Module -Name AzureAD
Connect-AzureAD
# Add device to Entra ID (if not using portal). The cmdlet is New-AzureADDevice; it also requires
# -AccountEnabled, -DeviceId, -DeviceOSType, -DeviceOSVersion and -AlternativeSecurityIds
# (see Get-Help New-AzureADDevice -Full). A hybrid-joined node normally creates this object
# itself, so manual creation is only needed when registration has not happened automatically.
New-AzureADDevice -DisplayName "AzureLocalHCI-Node1"
# Validate domain join status
dsregcmd /status
```
5.3. Bicep Example: SDN VNet/NSG for Entra
```bicep
// Entra is an outbound dependency (see the Step 3.1 table), so the rule allows traffic
// from the subnet to the AzureActiveDirectory service tag on 443 rather than inbound
// from any source, and the NSG is associated with the subnet so the rule actually applies.
resource nsg 'Microsoft.Network/networkSecurityGroups@2021-05-01' = {
  name: 'EntraSubnet-NSG'
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        name: 'AllowEntra'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '443'
          sourceAddressPrefix: '10.1.1.0/24'
          destinationAddressPrefix: 'AzureActiveDirectory'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' = {
  name: 'AzureLocal-Entra-vnet'
  location: resourceGroup().location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      {
        name: 'EntraSubnet'
        properties: {
          addressPrefix: '10.1.1.0/24'
          networkSecurityGroup: { id: nsg.id }
        }
      }
    ]
  }
}
```
Step 6: Validating and Testing the Integration
- Check Device Status in Entra Portal:
  - Devices appear as “Hybrid Azure AD joined” or “Azure AD joined.”
- Login Test:
  - Log in to an Azure Local node using Entra credentials.
  - Validate single sign-on (SSO) to Azure resources.
- Network Verification:
  - Use PowerShell to confirm network connectivity to Entra ID and Azure endpoints:
    ```powershell
    Test-NetConnection entra.microsoft.com -Port 443
    ```
- Policy Validation:
  - Apply a Conditional Access policy.
  - Attempt login from an untrusted IP to verify enforcement.
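To turn the device-status check above into something scriptable on the node itself, here is an added example (not from the original guide) that classifies the join state from the AzureAdJoined and DomainJoined fields of `dsregcmd /status`. The sample output embedded in the block is constructed so the function can be tried offline; the field names are the ones dsregcmd prints.

```powershell
# Added example (not from the original article): parse "dsregcmd /status" and report the join state.
function Get-EntraJoinState {
    param([string[]]$StatusLines)
    $fields = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "   Key : Value" rows; the boxed section headers do not match this pattern
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }
    $aad = $fields['AzureAdJoined'] -eq 'YES'
    $dom = $fields['DomainJoined']  -eq 'YES'
    # Both YES is the "Hybrid Azure AD joined" state Step 6 expects; AzureAdJoined alone is the cloud-only join
    $state = if ($aad -and $dom) { 'Hybrid Azure AD joined' }
             elseif ($aad)       { 'Azure AD joined' }
             elseif ($dom)       { 'Domain joined only (hybrid join not completed)' }
             else                { 'Not joined' }
    [pscustomobject]@{
        JoinState  = $state
        DomainName = $fields['DomainName']
        TenantName = $fields['TenantName']
        DeviceId   = $fields['DeviceId']
    }
}

# Constructed sample output for offline use; on a node run:  Get-EntraJoinState -StatusLines (dsregcmd /status)
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
'@ -split "`r?`n"

Get-EntraJoinState -StatusLines $sample
```

A node that reports "Domain joined only" is the case behind the "Hybrid join fails" row in the troubleshooting table: the on-premises join worked but the device object never reached Entra ID.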
Troubleshooting and Common Pitfalls
| Symptom | Root Cause | Fix |
|---|---|---|
| Devices not appearing in Entra | Sync or registration issue | Re-run Azure AD Connect sync, check device OUs |
| SSO failures | DNS, time sync, or port block | Validate network config and clock synchronization |
| Hybrid join fails | Incorrect OU or permissions | Confirm AD permissions and OU selection |
| Network timeouts | SDN/NSG rule misconfiguration | Check all NSG/SLB/firewall rules |
Conclusion
Integrating Microsoft Entra ID with Azure Local and Azure Local SDN unlocks powerful hybrid identity capabilities, enabling secure authentication and granular network control for edge and datacenter workloads. With proper planning and best-practice configuration, organizations can deliver seamless user experiences while maintaining centralized policy and security. Use automation wherever possible to streamline future deployments and ensure compliance.
Disclaimer: The views expressed in this article are those of the author and do not represent the opinions of Microsoft, my employer or any affiliated organization. Always refer to the official Microsoft documentation before production deployment.