Azure AD Domain Services is not yet very well documented, but from the existing documentation and the Swagger API specification we can work out how to create an Azure AD Domain Services instance with LDAPS enabled.
Azure AD Domain Services (Azure AD DS, AAD DS) Swagger REST API specification: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/domainservices/resource-manager/Microsoft.AAD/stable/2017-06-01/domainservices.json

    az resource create --subscription [subscription-id] \
      --resource-group [resource-group-name] \
      --name [managed-domain-name] \
      --resource-type 'Microsoft.AAD/DomainServices' \
      --properties '{
        "DomainName": "[managed-domain-name]",
        "SubnetId": "[subnet-id]",
        "domainSecuritySettings": {
          "ntlmV1": "Enabled",
          "tlsV1": "Disabled",
          "syncNtlmPasswords": "Enabled"
        },
        "ldapsSettings": {
          "ldaps": "Enabled",
          "pfxCertificate": "[pfx-content-inbase64]",
          "pfxCertificatePassword": "[pfx-password]",
          "externalAccess": "Disabled"
        }
      }'

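The `pfxCertificate` value in the command above must be the PFX file base64-encoded on a single line, and a password typed inside `--properties` ends up in shell history and the process list. The following added example (not from the original post; the function names and the `PFX_PASSWORD` and `NTLM_V1` variables are this example's own assumptions) builds the same payload into an owner-only file for `--properties @file`, defaulting `ntlmV1` to `Disabled` rather than the `Enabled` used above.

```shell
#!/usr/bin/env bash
# Added example: build the --properties JSON for Microsoft.AAD/DomainServices
# from a PFX file. Function and variable names are this example's own.

# json_escape: escape backslashes and double quotes for a JSON string value.
# Assumes the input contains no control characters or newlines.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_aadds_properties DOMAIN SUBNET_ID PFX_FILE
# Reads the PFX password from $PFX_PASSWORD so it never appears in argv.
# NTLM_V1 defaults to Disabled; set NTLM_V1=Enabled to match the post.
build_aadds_properties() {
  local domain="$1" subnet="$2" pfx="$3" pfx_b64
  [ -r "$pfx" ] || { echo "cannot read PFX: $pfx" >&2; return 1; }
  [ -n "${PFX_PASSWORD:-}" ] || { echo "PFX_PASSWORD is not set" >&2; return 1; }
  # GNU base64 wraps at 76 columns; strip newlines to get one JSON-safe line.
  pfx_b64=$(base64 < "$pfx" | tr -d '\r\n')
  cat <<EOF
{
  "DomainName": "$(json_escape "$domain")",
  "SubnetId": "$(json_escape "$subnet")",
  "domainSecuritySettings": {
    "ntlmV1": "${NTLM_V1:-Disabled}",
    "tlsV1": "Disabled",
    "syncNtlmPasswords": "Enabled"
  },
  "ldapsSettings": {
    "ldaps": "Enabled",
    "pfxCertificate": "$pfx_b64",
    "pfxCertificatePassword": "$(json_escape "$PFX_PASSWORD")",
    "externalAccess": "Disabled"
  }
}
EOF
}

# write_aadds_properties OUT_FILE DOMAIN SUBNET_ID PFX_FILE
# Writes the payload to a file only the current user can read, for use as:
#   az resource create ... --properties @OUT_FILE
write_aadds_properties() {
  local out="$1"; shift
  ( umask 077; build_aadds_properties "$@" > "$out" )
}
```

Delete the generated file once the deployment request has been accepted, since it contains both the private key material and its password.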
My issue on GitHub for the documentation update: https://github.com/MicrosoftDocs/azure-docs/issues/40480#issuecomment-540573164