Azure AD or Azure ADDS to replace on premise DC

Ours 1 Reputation point

In order to remove the domain controllers on the different sites (authentication on computers, GPO, sharing on file servers), I need answers to my different questions, but also "testimonials" from people who have implemented these technologies in their company.

If I understood correctly, Azure AD is only ported to Microsoft accounts. So what about computers? They are visible in Azure AD, but can we apply GPOs to them?

Other questions: How will a user log in on his computer? With a local session?
Using an all-Azure AD setup, you need to:

  • replace the file server with SharePoint?
  • use Outlook?
  • in fact it's using a full cloud environment?
  • no need for VPN

But using Azure ADDS:
You can keep your on-premises environment (file server, TSE, LDAP authentication...) while removing the on-premises domain controller. Nevertheless, do you need a constant VPN between the local network and Azure?

The goal here is that you correct me if I made mistakes, and also complete my words.

Thanks in advance



2 answers

  1. Sam Cogan 10,332 Reputation points MVP

    Azure AD is not a like-for-like replacement for on-premises AD. Azure AD is a modern authentication provider that is focused on user and application authentication using modern protocols such as OAuth, OIDC and SAML rather than LDAP. It does not have a concept of a computer object, group policies or similar. The naming of Azure AD is unfortunate as it can be confusing. You can read more about this here.

    So, in terms of replacing your on-premises AD you really have three options.

    1. Use a combination of Azure AD and other services to replicate what you can currently do. AAD can do user authentication and machine logon. You can look at using Intune for GPO-like policies, Azure DNS for DNS, Azure Files for file shares, Exchange Online for email and so on.
    2. Look at using Azure AD Domain Services to create domain controllers as a service, which do support legacy AD functionality, but be aware that this has quite a few limitations. You will also need constant private connectivity to Azure for this, such as VPN or ExpressRoute.
    3. Deploy domain controllers in Azure using virtual machines. You then need to manage these VMs.
    2 people found this answer helpful.

  2. Ours 1 Reputation point

    I have already read this article, but I must admit that it confuses me. I would have liked more "personal" answers because I've been reading articles for a while.
    And as we can't try the technology to see it in practice, it's even more complicated.
