We have a scenario where there's a computer that has been joined to our on-premises domain, but has then been placed in a location where it lacks direct connectivity to our internal network. Normally, we use a VPN to connect this machine to our network and perform tasks, but we're encountering an issue because we've enabled Azure MFA for the VPN connections. Because we're using Cisco AnyConnect, a user is unable to connect to the VPN prior to logging into Windows (Cisco's client will not authenticate with Azure MFA from its pre-login client, for security reasons).
As a result, new users on this computer are unable to log in on this machine, as it lacks connectivity to our domain controllers to create their local profile during their first logon.
Is it possible to build a DC in Azure, link it to our internal AD, and allow these users to authenticate to that DC directly over the Internet, so they don't need to use a VPN for their first logon?
I don't see anything that indicates whether this is possible or not in the documentation from MS about integrating on-premises AD with Azure AD.
An important note: because of our internal AD structure, it's not feasible for us to move entirely to Azure AD DS. We are using a hybrid join setup, and while I'd love to move away from that, it would take us years of work to migrate the needed items into the cloud to just do Azure join only on our workstations.