Many organizations are transitioning from traditional on-premise Active Directory setups to cloud-based solutions. In this scenario, we have:
- 25 client PCs
- Most servers already migrated to Azure VMs
- Office365 with existing AD sync
- Single Sign-On via ADFS
- Only remaining on-premise components: 2 servers handling AD and ADFS
Azure Active Directory (Azure AD) can serve as a cloud directory service, but with some important considerations:
# PowerShell check for Azure AD Connect readiness Get-Module -Name AzureAD -ListAvailable | Select Version Get-Module -Name MSOnline -ListAvailable | Select Version
The key technical challenge lies in local machine authentication. Traditional domain-joined computers rely on:
- Kerberos/NTLM protocols
- Local DC availability
- Group Policy processing
Azure AD supports web-based authentication flows (OAuth, SAML) but has limitations for traditional domain join.
For complete on-premise DC replacement, consider these approaches:
Option 1: Azure AD Hybrid Join
# Register device with Azure AD dsregcmd /status dsregcmd /join /debug
Option 2: Azure AD Domain Services
This provides managed domain controllers in Azure:
# ARM template snippet for AADDS
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"aaddsName": {
"type": "string"
}
},
"resources": [
{
"apiVersion": "2017-06-01",
"type": "Microsoft.AAD/DomainServices",
"name": "[parameters('aaddsName')]",
"location": "[resourceGroup().location]"
}
]
}
A recommended migration path:
- Prepare Azure AD Connect with writeback enabled
- Implement Azure AD Device Registration
- Configure Conditional Access policies
- Test authentication flows
- Gradually decommission on-premise DCs
Before final migration, verify:
| Feature | On-Prem AD | Azure AD |
|---|---|---|
| LDAP | Full support | Limited |
| Group Policy | Full support | MDM only |
| NTLM | Supported | Not supported |
When migrating infrastructure to Azure, many organizations hit a critical architectural decision point: can Azure Active Directory (Azure AD) fully replace traditional on-premise Active Directory Domain Services (AD DS)? Based on multiple production deployments, here's what you need to know.
Azure AD isn't just "Active Directory in the cloud" - it's a fundamentally different service:
- Authentication Protocols: Azure AD uses modern protocols (OAuth 2.0, SAML) vs AD DS's Kerberos/NTLM
- Device Management: Traditional Group Policy Objects (GPOs) aren't natively supported
- Network Services: DNS, DHCP, and other network services typically handled by DCs aren't included
For most enterprises, we recommend a phased approach using Azure AD Connect sync:
# Sample Azure AD Connect configuration for staged migration
Set-ADSyncAADCompanyFeature -Force
-EnablePasswordHashSync $true
-EnableDeviceWriteback $true
-EnableGroupWriteback $true
Modern Windows devices can authenticate directly to Azure AD using Workplace Join:
- Device registers with Azure AD during OOBE or via Settings
- Authentication tokens are cached for offline access
- Conditional Access policies enforce security requirements
For apps requiring traditional AD authentication, consider these options:
// C# example for handling both Azure AD and AD FS tokens
var authContext = new AuthenticationContext(authority);
var result = await authContext.AcquireTokenAsync(resource, credential);
if (result.AccessTokenType == "urn:ietf:params:oauth:token-type:jwt") {
// Azure AD token
} else {
// Fallback to AD FS handling
}
- Audit all domain-joined devices and applications
- Implement Azure AD Premium P1/P2 for advanced features
- Configure Azure AD Connect with password writeback
- Test conditional access policies before cutover