Can I replace my domain controller with Azure Active Directory? [duplicate]

active-directory azure

I currently have a small network with a few servers and about 25 client PCs. We are using Office365 and have AD synchronisation setup from our on-premise server. We also have single-sign-on setup using ADFS.

We have recently replaced all but 2 of our servers with Azure virtual machines.

The only thing we now use our internal servers for is the Active Directory and ADFS.

So - my question is this... Can I setup an Azure Active Directory, sync my on-premise directory to it, get Office365 to talk to the Azure Active Directory and then decommission my on-premise servers?

Will my local client PCs authenticate against the Azure Active Directory?

If the answer is, "Yes" - any suggestions for how to achieve this would be great. If the answer is, "No" - some information on why not would be great!

Thanks!


Short Answer: No

Longer Answer: Local clients cannot communicate with an Azure AD instance directly. Your client PCs will not be able to use it for logon authentication. Azure Active Directory is not meant to be a replacement for on-prem Active Directory, it's simply a way to provide directory services to other services in your Azure tenant, such as O365 or Intune.

Edit: This answer is no longer 100% accurate. With Azure AD Join for Windows 10, you can use Azure AD for logon authentication and conditional access as well as automatic enrollment into Intune for policy management. So while Azure AD Join isn't appropriate for most organizations, it's great for highly-mobile companies or companies that may want some enhanced management for BYOD devices.


Even Longer Answer: Like MDMArra says in his answer, local clients can't currently authenticate with Azure Active Directory (e.g. they can't domain-join). Based on your questions/comments, I believe you might be interested in a couple possibilities:

Run Directory Sync with Password Sync (you might already be doing this). This way, Office 365 (and other online services) will authenticate against AAD, while your on-premises apps and clients can continue to authenticate against the on-premises AD.

If you really trust your network connection, you can also set up a site-to-site Azure Virtual Network from your premises to Azure, and move AD and ADFS to virtual machines in Azure. If you choose to go down this path, I strongly recommend you read up on Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines. (Note: in this case you can continue to use Directory Sync with AD on an Azure VM just like you do now.)

Related

How do I update a system from CentOS 7 to CentOS 8?
Putting a process in the background without stopping it - (ctrl+z)? [closed]
Test if nginx variable is set
Is it possible to force Re-creation of EC2::Instance or RDS::DBInstance in amazon cloudformation?
VMware Snapshot Longer than 3 days
How do I set up an sftp user to login with a password to an EC2 ubuntu server?
What does the ".NET Framework Version" setting in IIS actually do?
How to set up port forwarding on Amazon EC2
How many sub-domains can there be at most?
Looking for a unique GUID to identify a Windows installation
chsh: PAM authentication failed
Redirect a subpath to a external host with Nginx