Microsoft Entra Domain Services (formerly Azure Active Directory Domain Services) solves a persistent problem in cloud migration: legacy applications that require Kerberos authentication, LDAP queries, NTLM, or Group Policy cannot be moved to Azure IaaS without domain controller infrastructure. Entra Domain Services eliminates the need to manage domain controllers in Azure while providing full AD-compatible services. At $82–$328/month for a managed domain (depending on object count), it is significantly cheaper than running two Windows Server VMs as domain controllers — and entirely eliminates the patching and availability management burden. Understanding the pricing model is essential before committing to an Azure IaaS migration strategy.
Entra Domain Services SKU Pricing
Entra Domain Services is billed as an Azure resource at an hourly rate per managed domain. Unlike user-based licensing, cost is determined by the number of objects (users, groups, computers) synchronised into the managed domain:
| SKU | Object Limit | Hourly Rate | Monthly Cost (730 hrs) | Use Case |
|---|---|---|---|---|
| Standard | Up to 25,000 | $0.1123/hour | ~$82 | Small Azure footprint, single forest |
| Enterprise | Up to 100,000 | $0.2246/hour | ~$164 | Mid-size enterprise, multiple workload types |
| Premium | Up to 500,000 | $0.4492/hour | ~$328 | Large enterprise, complex AD structure |
These rates are per managed domain per region. A high-availability deployment with a replica set in a second Azure region doubles the cost (one replica set carries the same per-hour cost as the primary managed domain). For most mid-size enterprises, a Standard or Enterprise SKU with one replica set costs $164–$328/month — still far below the cost of two Azure VMs running Windows Server with AD DS roles.
Entra Domain Services vs Self-Managed Domain Controllers: TCO Comparison
| Cost Component | Entra Domain Services (Enterprise SKU) | Self-Managed DCs (2 × D4s v3 VMs) |
|---|---|---|
| Compute cost | Included in hourly rate | 2 × ~$140/month = $280/month (1-yr reserved) |
| Windows Server licences | Included | 2 × Windows Server (BYOL via SA or pay-as-you-go ~$100/month) |
| Storage (OS disks) | Included | 2 × P10 disks $19.71/month = ~$40 |
| Patching and maintenance | $0 (Microsoft-managed) | ~$50/month (0.5 hours/month admin time) |
| Availability management | Microsoft SLA 99.9% | Manual HA configuration; availability depends on VM SLA |
| Backup | Included | Azure Backup ~$20/month |
| Total monthly | ~$164 | ~$490 |
Annual saving with Entra Domain Services: approximately $3,900 versus two self-managed Azure DCs. At the Premium SKU with HA replica set, Entra Domain Services ($656/month) still saves approximately $4,000/year versus 4 self-managed DCs required for equivalent coverage in two regions.
Important constraint: Entra Domain Services is a managed service — you cannot modify the schema, create custom attributes, install AD-integrated applications on the domain controllers, or run custom scripts on the DCs. If your workloads require schema extensions (common with Exchange, Skype for Business, or Configuration Manager), Entra Domain Services is not a viable replacement. Evaluate your domain extension requirements before committing to migration.
What Entra Domain Services Provides (and What It Doesn't)
| Capability | Entra Domain Services | Self-Managed AD DS |
|---|---|---|
| Kerberos authentication | ✓ | ✓ |
| NTLM authentication | ✓ | ✓ |
| LDAP queries (read) | ✓ | ✓ |
| LDAP writes (non-schema) | ✓ (limited) | ✓ |
| Group Policy | ✓ (limited GPO editing) | ✓ (full) |
| Domain join for VMs | ✓ | ✓ |
| Schema extensions | ✗ | ✓ |
| Custom AD attributes | ✗ | ✓ |
| Trusts to on-premises domains | One-way only (resource forest) | ✓ (full trust types) |
| RODC (Read-Only DC) | N/A | ✓ |
| AD Certificate Services | ✗ | ✓ |
| Microsoft Azure Hybrid Join | ✓ | ✓ |
Integration with Entra ID: Password Hash Synchronisation
Entra Domain Services synchronises users from Entra ID (and, for hybrid environments, from on-premises AD via Entra Connect). For NTLM and Kerberos to work, password hash synchronisation must be enabled in Entra ID — specifically, the legacy password hash (NTLM hash) synchronisation flag. This has security implications: organisations with strict password hygiene policies should review whether enabling legacy password hash sync is consistent with their security posture.
For cloud-only users (users created directly in Entra ID, never synchronised from on-premises AD), password hashes are generated on first password change after Entra Domain Services is enabled. Users must change their password at least once before they can authenticate via NTLM/Kerberos to domain-joined resources.
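The cloud-only caveat above can be turned into a pre-migration readiness check. The following is an added example, not code from the original article or from Microsoft. It assumes user records exported from Microsoft Graph with the `userPrincipalName`, `accountEnabled`, `onPremisesSyncEnabled` and `lastPasswordChangeDateTime` properties; the sample records, the enablement timestamp and the function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample records in the shape of Microsoft Graph user objects.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "onPremisesSyncEnabled": None, "lastPasswordChangeDateTime": "2024-04-10T09:15:00Z"},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "onPremisesSyncEnabled": None, "lastPasswordChangeDateTime": "2023-11-02T14:00:00Z"},
    {"userPrincipalName": "carol@contoso.example", "accountEnabled": True,
     "onPremisesSyncEnabled": True, "lastPasswordChangeDateTime": "2022-06-20T08:30:00Z"},
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": True,
     "onPremisesSyncEnabled": None, "lastPasswordChangeDateTime": None},
    {"userPrincipalName": "erin@contoso.example", "accountEnabled": False,
     "onPremisesSyncEnabled": None, "lastPasswordChangeDateTime": "2023-01-05T10:00:00Z"},
]

# Assumption: when the managed domain was enabled (placeholder value).
DOMAIN_ENABLED_AT = "2024-03-01T00:00:00Z"


def parse_ts(value):
    """Parse a Graph-style UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def users_without_legacy_hashes(users, enabled_at):
    """Return UPNs of enabled cloud-only users who have not changed their
    password since the managed domain was enabled, and so cannot yet
    authenticate via NTLM/Kerberos to domain-joined resources."""
    cutoff = parse_ts(enabled_at)
    pending = []
    for user in users:
        if not user.get("accountEnabled", True):
            continue  # disabled accounts cannot sign in anyway
        if user.get("onPremisesSyncEnabled"):
            continue  # synced from on-premises AD; not a cloud-only user
        changed = user.get("lastPasswordChangeDateTime")
        if changed is None or parse_ts(changed) < cutoff:
            pending.append(user["userPrincipalName"])
    return sorted(pending)


if __name__ == "__main__":
    for upn in users_without_legacy_hashes(SAMPLE_USERS, DOMAIN_ENABLED_AT):
        print(f"password change required before NTLM/Kerberos sign-in: {upn}")
```
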
EA and MACC Optimisation for Entra Domain Services
Entra Domain Services is an Azure-billed workload. For organisations with MACC commitments, the spend applies against the MACC balance, effectively earning the MACC discount rate on every hour of Entra Domain Services consumption. At a 15% MACC discount, the Standard SKU cost drops from $82/month to ~$70/month — modest savings but meaningful when aggregated across a multi-domain, multi-region deployment.
For organisations renewing or expanding their Azure EA, include Entra Domain Services as an explicit line item in the MACC commitment forecast. Microsoft's commercial team will credit the projected spend toward MACC qualification thresholds, which can help reach the next MACC discount tier.
One often-overlooked negotiation lever: if you are decommissioning on-premises Windows Server licences as part of an AD DS cloud migration, the Windows Server EA subscription cost reduction creates a negotiating argument for compensating Microsoft on the Azure consumption increase. Present the on-premises cost reduction alongside the Azure consumption increase — this framing often generates flexibility in Azure Reserved Instance pricing adjacent to the Entra Domain Services deployment.