Step-By-Step: Enabling the Lightweight Directory Access Protocol on an Azure AD Managed Domain

In Active Directory environment, the Lightweight Directory Access Protocol (LDAP) is responsible for reading and writing data from AD. By default, the LDAP traffic is transmitted in and unsecure format. You can secured this by transmitting based on SSL. When you have a hybrid or cloud only setup this is important. The idea behind this post is to demonstrate how to enable a secure LDAP on Azure AD managed domain.

There is few prerequisite required to perform this task.

1)    Azure AD Domain Service – Azure AD domain service must be enabled and configured with all prerequisite. If you need any help over please refer to my last few posts which explain how to configure.
2)    SSL Certificate – It is need to have valid SSL certificate and it need to be from valid certificate authority such as public certificate authority, enterprise certificate authority. Also you can still use self-sign SSL certificate.

In my demo,
1)    I have already configured a Azure AD managed domain and running with active subscription


2)    I got an Azure VM connected to Azure managed domain and I will be using it to demonstrate to enable Secure LDAP.
3)    I am going to use self-signed certificate to create the secure LDAP

Create self-signed certificate

1)    Log in to domain joined server, or PC and open windows power-shell session as administrator.
2)    Execute following

New-SelfSignedCertificate -Subject * -NotAfter $validtill.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *

In here you can replace with your managed domain name.

This will generate the self-sign certificate.


Export the SSL Certificate

Now we have the certificate, but we need to export it to use to enable secure LDAP.
1)    Log in to the PC or Server which generated certificate as administrator
2)    Go to run > mmc


3)    File > Add/remove Snap-in


4)    Select Certificates and click on button Add


5)    Then select the Computer Account and click next


6)    Select local computer and click on finish


7)    Click on OK to open the certificate mmc


8)    Then in console go to Personal > Certificates and you can see the new self-signed certificate we just created in previous step


9)    Right click on the certificate and click on All tasks > export


10)    Then its start the certificate export wizard, click on next to start


11)    In this window select option “Yes, export the private key” and click on next
12)    Leave the .pfx option selected and click next


13)    In next window define a password and click on next


14)    Then define the location to save the file and click on next


15)    Click on finish to complete the export process


Enable Secure LDAP

Now we got the SSL exported and ready. Now it’s time to enable the secure LDAP.
1)    Log in to the azure portal and load the Azure Domain Services configuration page for your relevant directory


2)    Then to the domain service section and click on “configure certificate” button


3)    Then brows for the .pfx file we just exported and provide the password, then click ok to proceed


4)    After few minutes we can see the secure LDAP is enabled


5)    The next step is to enable the secure LDAP connection over the internet for your managed domain. For that click on the “Yes” for the option “Enable secure LDAP access over the internet” and the click save



6)    After few minute we can see the feature is enabled and also displaying the public ip address which can use on this.


7)    If you wish to use secure ldap over the internet you need to create DNS entry in your dns provider and create A record to point domain to the public ip address its given.

Comments (4)
  1. tony says:

    Preface to the question we are an 0365/azure entity with a custom domain with ad sync.

    Quick question if you don’t mind since in your case you have a onmicrosoft domain your dns A record points to in this case the ip is and is your authenticating domain but in our case we have a custom domain lets say its called but in our case that has a an A record pointing to something else. Hopefully we can as an example use with the A record pointing to the appropriate IP. My gut feeling is that is not allowed and that it must be with no subdomain since that’s our authenticating domain name.

    Please tell me I’m completely wrong about this!!

    1. Ivan says:

      You can add DNS record for and it will work as long as your certificate was generated for *

  2. Leif Lagebrand says:

    It I want to restrict my LDAP over the Internet to just a few IP addresses, what the best way to do it? Some sort of whitelist.

    1. Ivan says:

      I was wondering over the same question, but so far no answer I have found.

Comments are closed.

Skip to main content