Dear all
We took on a new client and they are using federated authentication for Azure for some of their domains. I know that this means authentication is done on-premises, and that this is the key factor for companies choosing this option compared to the likes of pass-through (which I guess is also on-prem using agents, right?) and password hash sync. They have a hybrid environment, so they have a few domain controllers on-prem, of course, with the usual two in Azure, and might even have some additional ones in Azure.
Our client is asking us to move all FSMO roles from on-prem to the domain controllers in Azure, and thinking about this I cannot really find a good reason they would want to do this. Correct me if I am missing something, but would there be any reason why anyone would want to move FSMO roles from on-prem to the cloud? Moreover, if the PDC role remains on-prem, and authentication needs to be on-prem because it is federated, would it not make more sense to leave the FSMO roles where they are as well, to also factor in things like password changes, where every DC needs to talk to the PDC?
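Before deciding either way, it helps to see exactly which DC holds each of the five roles and which AD site (on-prem or Azure) that DC sits in. The following is an added example, not code from the original post or the poster's environment; it assumes the ActiveDirectory RSAT module is installed, and the target DC name `AZ-DC01` is a hypothetical placeholder for one of the Azure domain controllers.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT). The target DC name below is hypothetical.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The two forest-wide roles come from Get-ADForest, the three domain-wide
# roles from Get-ADDomain; each is returned as the holder's FQDN.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Resolve each holder to its DC object so the AD site (on-prem vs. Azure)
# and global catalog status are visible next to the role.
$report = foreach ($r in $roles.GetEnumerator()) {
    $dc = Get-ADDomainController -Identity $r.Value
    [pscustomobject]@{
        Role   = $r.Key
        Holder = $dc.HostName
        Site   = $dc.Site
        IsGC   = $dc.IsGlobalCatalog
    }
}
$report | Format-Table -AutoSize

# Dry-run a graceful transfer of all five roles to an Azure DC. Remove -WhatIf
# to perform it. Do NOT add -Force unless you are deliberately seizing roles
# from a holder that is permanently offline; a seizure while the old holder
# is still reachable leaves two DCs believing they own the role.
$target = 'AZ-DC01'   # hypothetical Azure DC
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster `
    -WhatIf
```

Run the report first and keep it; if the move goes ahead, run it again afterwards and compare, since a role that silently stayed on-prem (for example because the target DC was not a global catalog when Infrastructure Master placement rules applied) is the kind of thing that only shows up later as replication or password-change oddities.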