I tried this - set up an S2S VPN from Azure to our data center and joined a workstation at one of our branches to the Azure AD DS domain.
There were a few issues:
- Only GPO computer policy was applied - both on the workstation and the management VM for AAD DS set up in Azure. I couldn't get user GPO policy applied by default - I had to set up loopback for that to work.
- I found no option to hybrid join to Azure AD - from what I understand, this only works with AAD Connect, which you can't use within the AAD DS domain. So no way I can see to get Intune working with this setup. This is what Microsoft says:
Important
Azure AD Connect should only be installed and configured for synchronization with on-premises AD DS environments. It's not supported to install Azure AD Connect in a managed domain to synchronize objects back to Azure AD.
So it seems that this is not as great a solution as I thought it could be. Best to set up a VM as a regular DC with AAD Connect installed and have users join there through the VPN if you don't want an on-premises AD.