The first thing you need to do is understand what capabilities of AD you actually need. If you just need domain join, then you can use AAD Domain Join for Win 10 machines. If you need device management, like GPO, then you can look at adding Intune to that, and so on. It may be that you don't need full AD at all.
If you decide you do need full AD, then think carefully about AAD DS. Whilst this can provide domain controllers as a PaaS service, it wasn't designed to replace your on-prem domain controllers. It has a number of limitations, some of which I talk about here, so you need to make sure you are OK with those. You will also need a persistent VPN or ExpressRoute connection to the Azure vNet that hosts AAD DS to be able to service your machines.
To answer your specific questions: yes, you can authenticate your machines against AAD DS and use group policy.
You could also consider running IaaS VMs as domain controllers.