Simple AD architecture with Azure AD DS, without on-premises AD?

Shuji Kinoshita 26 Reputation points
2020-03-09T05:41:54.233+00:00

Our organization is planning to establish a new AD server in the cloud to manage our local machines' sign-in/out and policy settings. We do not have any existing on-premises AD server. As far as I understand, we have 2 plans.

  1. create a new Azure AD DS server only.
  2. create a new Azure AD DS server and an on-premises AD server, and set up syncing between the 2 servers.

I think (1) is suitable to mitigate our maintenance cost, but if there is any problem with (1),
we will think about plan (2).
This example shows 2 design patterns, but neither of them is suitable for our company since we currently do not have any virtual machines on Azure. We would just like to establish an Active Directory server in the cloud to manage our local machines.
Are there any best practices?


Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-03-09T08:41:40.02+00:00

    @Shuji Kinoshita, unfortunately it is not recommended to use the Azure AD DS service for any on-prem Windows machine. We always recommend deploying Azure VMs and then managing them using Azure AD Domain Services. Even in the case of Azure AD Domain Services, you would have to deploy an Azure VM and connect it to the same vnet as the Azure AD Domain Service. Since the domain controllers running behind the scenes of the Azure AD DS service are not accessible, this Azure VM deployed in the same vnet can be used to access services like managing users and computers, creating group policies, etc. using the RSAT tools on that VM.

    The only option available to manage a Windows machine (on-prem machine) using AAD is Azure AD Join or Hybrid Azure AD Join, but again, using this feature you won't be able to control the login/logout. So the best option in hand is to deploy a domain controller on-prem and then manage your local policies for the local machines.

    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped answer your query.
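The management-VM setup the accepted answer describes, as an added PowerShell example that is not part of the original answer: run on a Windows Server VM in the same vnet as the managed domain, it checks that the managed domain's domain controller addresses are reachable, installs the RSAT AD and Group Policy tools, and joins the VM to the managed domain. The domain name `aaddscontoso.com` is a placeholder. The joining account must be a member of the managed domain's `AAD DC Administrators` group, since Azure AD DS gives you no Domain Admins account.

```powershell
# Added example, not code from the original answer. Run on a Windows Server VM that
# sits in the same VNet (or a peered VNet) as the Azure AD DS managed domain, with the
# VNet's DNS servers set to the managed domain's DC addresses.
$ManagedDomain = 'aaddscontoso.com'   # placeholder: replace with your managed domain name

function Test-ManagedDomainReachability {
    param([Parameter(Mandatory)][string]$Domain)
    # Azure AD DS registers its DC addresses as A records for the domain name. If nothing
    # resolves here, the VNet DNS settings are wrong and the domain join below will fail.
    $dcs = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' }
    foreach ($dc in $dcs) {
        # Kerberos (88), LDAP (389) and SMB (445, needed for SYSVOL / Group Policy)
        foreach ($port in 88, 389, 445) {
            $r = Test-NetConnection -ComputerName $dc.IPAddress -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc.IPAddress; Port = $port; Reachable = $r.TcpTestSucceeded }
        }
    }
}

# 1. Connectivity check: every row should show Reachable = True before continuing.
Test-ManagedDomainReachability -Domain $ManagedDomain | Format-Table -AutoSize

# 2. RSAT AD DS tools (ADUC, ADAC, the ActiveDirectory module) and the Group Policy
#    Management Console. These are Windows Server feature names; on Windows 10/11
#    clients the equivalent is Add-WindowsCapability -Online.
Install-WindowsFeature -Name RSAT-AD-Tools, GPMC -IncludeAllSubFeature

# 3. Join the managed domain. There is no Domain Admins account in Azure AD DS; the
#    account prompted for here must belong to the 'AAD DC Administrators' group.
$cred = Get-Credential -Message "Member of AAD DC Administrators in $ManagedDomain"
Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart
```

After the reboot, `Get-ADDomain -Server $ManagedDomain` from the same VM confirms the join, and the Group Policy Management Console edits the managed domain's GPOs. Note that the DC addresses the first step checks are only reachable inside the VNet; an on-premises machine would need a VPN or ExpressRoute link to the VNet just to find the domain, which is the practical reason behind the answer's recommendation.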


5 additional answers

  1. JimmySalian-2011 41,921 Reputation points
    2020-03-09T19:25:01.95+00:00

    Hi,

    Basically you are looking for a Full Azure based solution or a mix of hybrid solution for your requirements.

    Without complete information on the solution it will be difficult to suggest via this forum; however, I would suggest combining the above reply and my recommendation to start with.

    Start with reading this article and solution provided for this type of scenario:

    https://learn.microsoft.com/en-us/azure/active-directory/devices/overview

    If you are looking to use personal devices, you can look at the Azure AD registered device option (1).
    If you are looking to use company-branded devices, you are looking at option (2).
    The third option is complex and requires on-prem devices such as AAD Connect or ADFS for SSO capability.

    Hope this helps and if you have any queries or questions, please ask.

    If this answer is helpful, please mark your response. Thanks.
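A way to check which of the three device states described above a given Windows machine is actually in, as an added PowerShell example that is not part of the original answer. It parses the output of `dsregcmd /status`, the built-in tool that reports the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` flags, and maps those flags to Azure AD registered, Azure AD joined or Hybrid Azure AD joined. The sample output embedded in the block is constructed for illustration (an abridged status dump of a hybrid joined machine), not captured from a real device.

```powershell
# Added example, not code from the original answer.
function Get-DeviceJoinState {
    param([Parameter(Mandatory)][string[]]$StatusLines)
    # dsregcmd prints 'Key : Value' lines grouped under +---- section headers.
    # Collect the single-word keys into a hashtable; headers and multi-word keys are skipped.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    $aadJoined    = $state['AzureAdJoined']   -eq 'YES'
    $domainJoined = $state['DomainJoined']    -eq 'YES'
    $registered   = $state['WorkplaceJoined'] -eq 'YES'

    # Flag-to-state mapping:
    #   Azure AD registered (option 1): WorkplaceJoined=YES, a work account added to a personal device
    #   Azure AD joined     (option 2): AzureAdJoined=YES and DomainJoined=NO
    #   Hybrid Azure AD joined (option 3): AzureAdJoined=YES and DomainJoined=YES (needs on-prem AD + AAD Connect)
    if ($aadJoined -and $domainJoined) { return 'Hybrid Azure AD joined' }
    if ($aadJoined)                    { return 'Azure AD joined' }
    if ($registered)                   { return 'Azure AD registered' }
    if ($domainJoined)                 { return 'On-premises AD joined only' }
    return 'Not joined'
}

# Constructed sample (abridged dsregcmd /status output for a hybrid joined machine).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusLines $sample

# On a real machine, feed it the live output:
Get-DeviceJoinState -StatusLines (dsregcmd /status)
```

`WorkplaceJoined` lives in the user-state section of the dump, so the registered state is reported for the logged-on user rather than the device; run the check in that user's session, not from an elevated admin-only session, if you care about option (1).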


  2. Kev100 1 Reputation point
    2020-06-24T16:11:52.61+00:00

    I have almost the identical situation as GregDowney above.

    We have a main office (with a few users) but many small remote locations as well as several staff who work from home.

    We do not have very sophisticated needs, even at what is considered the "main office". We have no legacy programs and no proprietary locally installed programs of any kind. All daily use involves simply web-based services.

    Our local network at this main office is used for internet access, printing, and we have 1 NAS for simple file sharing.

    We do not use local AD at any of our locations. I'm 100% with Greg, to the point that I can simply re-post his summary:

    "am I forced to install a local DC running Azure AD Connect? My thinking is (I am old school here... LOL), if that is the case, what is the benefit of using Azure AD DS?"

    In other words, Azure AD DS would be ideal for this organization. It would allow a no-muss system to have a degree of control of the Windows desktops and laptops spread over a few hundred square miles. Since even our main-office computer use is relatively simple, wouldn't the users here appear to Azure AD DS exactly like those at the remote locations?

    I hope this has been clear. Am I missing something obvious in thinking that our main office users are really no different (technically) from anyone else in the organization, as far as Azure AD DS would be concerned?

    I


  3. Marco 1 Reputation point
    2021-09-19T11:12:16.613+00:00

    It sounds like Google Workspace with Chromebooks is more cloud-ready and future-proof than Azure+Win10.
    I cannot believe there's no way to make a new infrastructure fully cloud. People have been working remotely for almost 2 years and I need a VPN to enable them to change their laptop password or to apply a new policy?


  4. Tim Anderson 0 Reputation points
    2023-02-27T18:10:45.9166667+00:00

    In the three years since this question was posted, is there any better answer than "Run an on-prem AD server"?

    I'm in exactly this situation. "The powers that be" will not put another server on our network, yet want to use AD on-prem and remote. Most of our office is purely remote. Is there seriously no solution to this problem other than "Run an on-prem AD server"?
