Remove AADDS but allow Azure AD joined end user devices to remain connected

Thomas Reminga 20 Reputation points
2025-01-10T23:17:35.7433333+00:00

We had an AVD (Azure Virtual Desktop) environment set up that end users were connecting to and using in a shared remote setup. As part of that setup we deployed AADDS (now Microsoft Entra Domain Services). We did not need or want to have traditional Active Directory servers set up for patching, etc. We had no on-premise Active Directory or server infrastructure either. The AVD images and hosts were joined to the AADDS since Azure allows servers housed in Azure to be joined to the Azure AD through AADDS, as I understood it.

All end user devices (Windows 11 Pro) were joined to the Azure AD/Entra ID so devices would be managed through Azure AD/Microsoft 365 accounts, etc. All users are running Microsoft 365 Business Premium or Microsoft 365 Enterprise Plan 3.

We have since decommissioned the entire AVD environment for a few reasons. So all resources have been deleted pertaining to the AVD hosts, pool, images, storage accounts, etc. What remains are as follows:

AADDS & Network VPN Gateway

We would like to delete these last two items, but specifically the AADDS/Entra Domain Services gives us pause because all of the AVD hosts have been unjoined, decommissioned and deleted, but we don't want to cause issues with the end user devices that were joined directly to Azure AD through the normal Windows 11 Azure AD joining process. What would happen if we delete the multiple AADDS resources from the Resource Group related to AADDS for the end users and their joined devices to Azure AD? Or is that not an issue and the AADDS was only used as a conduit to allow systems in the Azure tenant (read AVD servers) to be joined to the Azure AD?

Of course my greatest fear is to delete the AADDS resources and all end user laptops then lose their trust/joined status to the Azure AD.

Any help would be greatly appreciated!

Thanks

Tom


Accepted answer
  1. Raja Pothuraju 11,515 Reputation points Microsoft Vendor
    2025-01-13T03:08:31.4533333+00:00

    Hello @Thomas Reminga,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you want to know whether deleting Microsoft Entra Domain Services will have any impact on physical Windows 11 devices which are enrolled as Microsoft Entra joined devices in Entra ID. Deleting AADDS (Azure Active Directory Domain Services) should not affect your end-user devices that are directly joined to Azure AD/Microsoft Entra ID.

    Microsoft Entra Domain Services provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication.

    In your setup, it sounds like AADDS was primarily used to allow your AVD hosts to join the Azure AD environment, which is common for scenarios involving Azure resources that need domain-like functionality. Since you’ve already decommissioned the AVD environment, AADDS is no longer serving that purpose.

    End-user devices joined to Azure AD (via the standard Windows 11 process) have no dependency on AADDS. Their trust relationship is directly with Azure AD, not AADDS. So, deleting AADDS won’t break their connection or impact their functionality.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

    1 person found this answer helpful.
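
A check that can be run on each laptop before the managed domain is deleted, as an added example that is not part of the original question or answer: it parses the output of `dsregcmd /status` and reports whether the device is Microsoft Entra joined only or is also joined to an AD domain. The function name `Get-DeviceJoinState` and the sample output are constructed for illustration.

```powershell
# Added example: classify a Windows device's join state from `dsregcmd /status`.
# Get-DeviceJoinState is a hypothetical helper name, not a built-in cmdlet.
function Get-DeviceJoinState {
    param([string[]]$StatusLines)

    $fields = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "   Name : Value" pairs; keep the first occurrence of each name.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$' -and -not $fields.ContainsKey($Matches[1])) {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # A missing field compares as $false, so an unparsable report is never treated as joined.
    $entraJoined  = $fields['AzureAdJoined'] -eq 'YES'
    $domainJoined = $fields['DomainJoined'] -eq 'YES'

    if ($entraJoined -and $domainJoined) { $type = 'HybridJoined' }
    elseif ($entraJoined)                { $type = 'EntraJoined' }
    elseif ($domainJoined)               { $type = 'DomainJoined' }
    else                                 { $type = 'NotJoined' }

    [pscustomobject]@{
        JoinType        = $type
        TenantName      = $fields['TenantName']
        DomainName      = $fields['DomainName']   # empty when DomainJoined is NO
        # True means the machine has a trust with an AD domain; confirm it is
        # not the managed domain before that domain is deleted.
        DependsOnDomain = $domainJoined
    }
}

# Constructed sample of `dsregcmd /status` output for an Entra joined laptop.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

                TenantName : Example Tenant
'@ -split '\r?\n'

Get-DeviceJoinState -StatusLines $sample

# On a real device:
# Get-DeviceJoinState -StatusLines (dsregcmd /status)
```

A device that reports `JoinType` as `EntraJoined` with `DependsOnDomain` false has its trust with Entra ID only, which is the case the accepted answer describes.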
