Citrix provisioning on Azure leverages MCS (Machine Creation Services). XenApp and XenDesktop workers and other components must be joined to an Active Directory domain using Kerberos authentication. This is because they require:

  • Computer accounts
  • Machine provisioning (New machines) 
  • User associated permissions
  • Pass-through authentication using Kerberos to resources (MCS requires Kerberos)

Therefore, Azure AD cannot be used for MCS provisioning of Citrix machines within Azure. Instead, configure Azure AD Domain Services or a full AD in Azure if you wish to leverage MCS provisioning within Workspace Cloud.

Azure AD is primarily used to authenticate against cloud SaaS services, such as Office 365. You can synchronise your AD with Azure AD (using AD Connect) so that users have one set of credentials. However, Azure AD is not the same as Azure AD Domain Services. Azure AD has the following restrictions:

  • You can’t domain join a server (you can Azure AD join it)
  • You can’t domain join a computer, although you can Azure AD join computers and control them with the likes of MS Intune. Devices running iOS, Android and macOS can be Azure AD registered.
  • No Group Policy
  • No LDAP, NTLM or Kerberos
  • Offers only a flat directory structure with no OUs or forests

MCS-provisioned machines must be domain joined and leverage Kerberos authentication; therefore, at present, you will need Azure AD Domain Services.
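
A pre-flight check for the distinction drawn above, as an added example that is not part of the original article: it parses `dsregcmd /status` output and reports whether a machine is domain joined or only Azure AD joined. The function name `Get-JoinState`, the domain name and both sample outputs are constructed for illustration.

```powershell
# Added example: classify a machine's join state from `dsregcmd /status` text.
function Get-JoinState {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    # Collect the "Key : Value" pairs we care about from the Device State section.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $domainJoined = $state['DomainJoined'] -eq 'YES'
    $aadJoined    = $state['AzureAdJoined'] -eq 'YES'

    if ($domainJoined -and $aadJoined) { $joinType = 'Hybrid (domain + Azure AD)' }
    elseif ($domainJoined)             { $joinType = 'Domain joined' }
    elseif ($aadJoined)                { $joinType = 'Azure AD joined only' }
    else                               { $joinType = 'Not joined' }

    [pscustomobject]@{
        JoinType             = $joinType
        DomainName           = $state['DomainName']
        # Per the article: MCS needs a Kerberos-capable domain join,
        # so an Azure AD join on its own does not qualify.
        MeetsMcsPrerequisite = $domainJoined
    }
}

# Constructed sample: a device that is Azure AD joined only.
$aadOnly = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
'@ -split "`r?`n"

# Constructed sample: a worker joined to a managed domain (name is a placeholder).
$domainWorker = @'
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@ -split "`r?`n"

Get-JoinState -StatusLines $aadOnly      | Format-List
Get-JoinState -StatusLines $domainWorker | Format-List

# On a real machine, feed the live output instead of a sample:
# Get-JoinState -StatusLines (dsregcmd /status)
```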