To eliminate network failures between sites and increase logon performance, every site should have a DC.
This is especially true if you intend to keep your on-premises domain controllers.
Since you said that your "objective is to shift our production workload to Azure," you can proceed with joining/registering the machines to the Azure domain and managing your machines using Azure Active Directory services.
Once enabled, you can plan a site-by-site project and decommission domain controllers as needed to cover a site; users will no longer require the local DC for logons from any app or machine to the locally hosted DC.
Note: Make sure you apply all security settings using Azure AD or have a hub-based domain controller to apply GPOs. This way the systems will be compliant once they have an updated set of policies.
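As an added illustration of the site-by-site planning described in this answer (example script, not code from the answer's author), the following PowerShell inventories one AD site before its domain controller is decommissioned: which DCs serve the site, whether any of them hold FSMO roles that must be moved first, which DC the locator currently hands to clients in that site, and whether a workstation in the site is already Azure AD joined or hybrid joined so that logon and policy delivery no longer depend on the local DC. It assumes the ActiveDirectory RSAT module is installed, that it runs from a domain-joined admin host, and that the domain name and site name are placeholders you replace with your own.

```powershell
# Added example, not part of the original answer. Assumes the ActiveDirectory
# RSAT module is available and the script runs on a domain-joined admin host.
# The domain name and site name below are placeholders (assumptions).
param(
    [string]$Domain = 'corp.example.com',   # assumed domain name
    [string]$Site   = 'Branch-01'           # assumed AD site slated for DC decommission
)

Import-Module ActiveDirectory

# --- 1. Inventory the site: which DCs serve it, and which of them hold FSMO
#        roles that must be transferred before the DC is demoted.
$dom    = Get-ADDomain -Identity $Domain
$forest = Get-ADForest
$fsmoHolders = @($dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster)

$siteDCs = Get-ADDomainController -Filter { Site -eq $Site } -Server $Domain
$siteDCs | ForEach-Object {
    [pscustomobject]@{
        DC            = $_.HostName
        Site          = $_.Site
        GlobalCatalog = $_.IsGlobalCatalog
        HoldsFsmoRole = $fsmoHolders -contains $_.HostName
    }
} | Format-Table -AutoSize

# --- 2. Check which DC the DC locator hands to clients in this site today.
#        After the local DC is removed, this should resolve to the hub DC.
nltest /dsgetdc:$Domain /site:$Site

# --- 3. Run on a workstation in the site: confirm it is Azure AD joined (or
#        hybrid joined) before its local DC goes away, so cloud logon and
#        policy delivery do not depend on that DC.
$dsreg     = dsregcmd /status
$aadJoined = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$domJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')
[pscustomobject]@{
    AzureAdJoined = $aadJoined
    DomainJoined  = $domJoined
    Mode          = if ($aadJoined -and $domJoined) { 'Hybrid Azure AD joined' }
                    elseif ($aadJoined) { 'Azure AD joined' }
                    elseif ($domJoined) { 'On-premises AD only (not ready)' }
                    else { 'Not joined' }
}

# --- 4. Record which DC and which GPOs this machine last applied, so policy
#        compliance can be rechecked after the site's DC is decommissioned.
gpresult /r /scope:computer
```

Steps 1 and 2 are run once per site from the admin host; steps 3 and 4 are run on a representative workstation in that site, and repeated after the DC is demoted to confirm the machine still receives its policies from the hub DC or from Azure AD.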