Submit a request

Nerdio Help Center

Nerdio NFA QuickStart Guide

Applies to : Nerdio for Azure (NFA) Managed Service Partners (MSPs)

This quick start helps you understand basic terminologies used in setting up and using Nerdio for Azure (NFA) accounts: 


Azure subscriptions have a core quota limit imposed by Microsoft ( All Azure subscriptions have quotas by VM series. Ensure that your subscription has sufficient core quota to provision a new NFA account.  If it doesn’t, please request an increase from Microsoft or your CSP provider (  You can find more information about core quotas while provisioning an NFA account:




Global admins

Both Azure and Office 365 subscriptions require a user account with global admin privileges to integrate with Nerdio.  Additionally, for Azure, the account being used with Nerdio needs to be an owner in the subscription.  It is best, but not required, to use a user account that has as its domain.  If such a user account doesn’t exist you can create one in the Azure portal, make it a global admin and assign it the Owner role on the Azure subscription ( 

During the provisioning process Nerdio will create two new system admin accounts:


These accounts must not have MFA enabled or you must add the NAP IP range as a trusted location.  See for more information.


bulletpoint Both Azure and Office 365 Subscriptions require an account with global admin privileges to integrate with Nerdio

A change or removal of global admin users that were part of Nerdio provisioning will impact the operation of the Nerdio Admin Portal (NAP).


Production vs non-production

We highly recommend being a signed partner before moving a prospect or client into production environment with Nerdio.  This rule also applies to Trial accounts. We strongly recommend not using a trial subscription as a production environment with a client

Resource Group (RG)

A resource group is a container that holds related resources for an Azure solution. In Azure, you logically group related resources such as storage accounts, virtual networks, and virtual machines (VMs) to deploy and manage them.  The default resource group name for NFA is “NerdioRG”, although you can change this default name during provisioning on the Add NFA Account screen.

bulletpoint Anything in the resource group that was created by Nerdio should not be removed. Everything that is in there is needed.


A new Nerdio for Azure deployment always starts out as Greenfield, meaning that it is completely independent of anything that existed previously both in Azure or on-prem and cannot interfere with any production environment.  Once the new NFA environment is provisioned and tested, it can be “plugged” into an existing production environment by using the Hybrid AD feature (see below) or users can be imported into the Greenfield AD from an existing AD or Office 365 Azure AD.  Every common directory migration path can be accommodated with NFA.

Importing users from Office 365 -

Hybrid AD

Hybrid AD is an advanced Nerdio feature that allows an existing Active Directory (AD) to be connected to and managed by the Nerdio Admin Portal (NAP). Hybrid AD is typically used when an organization wants to retain its existing Active Directory deployment and has no plans to create a fresh AD instance in the cloud. Hybrid AD allows the existing AD to be extended into the Nerdio deployment to leverage Nerdio capabilities within the existing AD.


Hybrid AD:


  • Logo
    • The height of the logo image will be constrained to a maximum of 65 px.
      Also, it is recommended to use an image with a 120 px width and transparent background (png is the preferred format).
  • Site icon (favicon)
    • The height of the favicon image will be constrained to a maximum of 16 px.
      Also, it is recommended to use an image with a 16 px width and transparent background.
  • App name
    • Nerdio Admin Portal will be accessible at and RDP files will be pointing at (where XXXX is a unique Nerdio account ID that gets assigned during provisioning of a new account)

Once the whitelable setup is complete, remember to toggle the ON button.whitelabelenable.JPG

More info -

Domains and AD

  • By default, the Active Directory (AD) domain in a new Nerdio deployment is called  This can be changed during the provisioning process on the Add NFA Account screen.  Once set, this AD forest name cannot be changed.
  • An existing Active Directory (e.g. on-prem) is referred to as "external AD" as it is outside of Nerdio. And is also referred to as “on-prem AD”, “existing AD” or “EAD”.
  • Before you integrate an existing AD with Nerdio ensure that the Office 365 environment is configured to synchronize with the existing AD using the ADConnect tool from Microsoft (  

Best practices

Some of best practices for testing NFA accounts are:

  • Always test with a single user
  • Verify with a single user
  • Only then implement a bulk import


Note: The components mentioned below should not be changed to ensure functionality within the NFA environment:


Administrator on DC01

Do not change the password or disable the domain administrator DC01 in the Nerdio environment.  This particular account is used to manage communication between the environment and the Nerdio Admin Portal.  Please contact support if you have a security or process concerns as a change to this account will affect the operation of the Nerdio environment.

AD Organizational Units (OUs) in Nerdio AD
  • Nerdio is always provisioned with a brand-new Active Directory (AD) forest, fully configured and optimized for a cloud IT deployment. The name of the Nerdio AD is, but it can be changed during the provisioning process.
  • Nerdio stores all user and group objects in an OU called “Users and Groups”.  The Nerdio Admin Portal (NAP) will have visibility of items inside of this OU or any of its sub-OUs.
  • You can create your own OUs within Active Directory to assign group policies & manage resources like users, computers or groups, etc.  However, be sure that all sub-OUs are created under “Users and Groups” OU.

System Objects OUs


Do NOT make any changes to objects within the “System Objects” OU in AD.  Doing so can cause the Nerdio Admin Portal to lose connectivity with the environment.

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.  Azure recommends route-based VPN connections (IKEv2) but support for policy based connections is available (
Was this article helpful?
0 out of 0 found this helpful


Please sign in to leave a comment.