AD only in cloud

Rosa Rodríguez 21 Reputation points
2022-06-27T08:18:57.07+00:00

Good morning,
As I am looking for more information, I have more doubts. I hope you can help me.
My question is very basic. Can you have the same functionalities of a physical AD in the cloud and have nothing on-premise?
I will tell you what we want to do in our company.
Currently, we work with windows 2012 servers on-premise and our users have to log in locally in our domain (we have several domains as we have offices in different countries, but we are going to unify them).
We want to do the same in the cloud, meaning that the users connect to the domain without needing physical servers, but everything in the cloud. Maintain our AD, with policies and so on, but without the need for physical servers. Connect users and computers with the Active Directory credentials, not with the O365 credentials.

I hope you can clarify. I think it is simple, just to know if you can or not, but I cannot find a clear answer.
Thank you very much
Regards

Microsoft Entra

Accepted answer
  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2022-07-02T10:38:50.707+00:00

    @Rosa Rodríguez,

    As far as I understand your query, I think your company wants to decommission the physical servers and domain controllers on-premises and completely move to the cloud. In this process you would like to understand the functionalities and feature parity between on-premises Active Directory and Azure Active Directory, with emphasis on what's possible and what's not.

    To answer your query "Can you have the same functionalities of a physical AD in the cloud and have nothing on-premise?": No, we cannot have the same functionalities, as they are not designed with the same goals. Even though they both provide inbuilt functionalities of a basic object store (devices & users) and authentication services, they differ in many ways and are not similar. If the goal is just to migrate on-premise domain controllers to the Azure cloud and run the domain controllers in Azure virtual machines, then yes, it's doable. I will explain more as I go forward.

    In your case I understand that the primary goal is to get rid of the physical servers and move the whole Active Directory environment to the cloud. Since you have mentioned O365, I am assuming you already have an Office 365 tenant and have Azure AD Connect set up, by which you are syncing the users to the Office 365 / Azure AD tenant. The Office 365 tenant and the Azure AD tenant refer to the same Azure AD instance accessed through their respective portals (admin.microsoft.com / portal.azure.com). So "Office 365 tenant" and "Azure AD tenant" mean the same thing.

    Talking about functionalities, Azure AD and on-premise AD are not the same. You would not get group policy and many other capabilities of on-premise AD in Azure AD. Azure AD was designed with modern authentication in mind, which is mostly authentication of applications and users over the web. Generally in an on-premise environment you can see that we have Kerberos, NTLM, etc., protocols which are also referred to as legacy auth protocols. Modern authentication means a service which supports web-based federated authentication protocols like OAuth, OpenID, SAML, etc.

    In order to create a consolidated environment, unifying the domains is a great step which would simplify the management of the domain for you. The first thing during this migration of domain controllers to Azure, I would recommend you create a connected network with Azure. Please check the article https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain for more detailed options. You can achieve this with a site-to-site VPN from any of your central sites, such as the HQ site or wherever you have the highest number of domain controllers, to the Azure virtual networks where you will create domain controller virtual machines. Or you can create an ExpressRoute link from your on-premise office to Azure. Your network architecture should look as follows.

    (Image: adds-extend-domain.png)

    Since you have multiple domains and a large network as per your details, I would recommend going for ExpressRoute connectivity. It will add some more cost as compared to a site-to-site VPN solution, however it will provide higher reliability for your users with a failover VPN setup. Please go through the article https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/ for more information around hybrid networking. To configure an ExpressRoute connection to connect the virtual network to your on-premises network, you can refer to the article: https://learn.microsoft.com/en-us/azure/expressroute/expressroute-workflows

    Once you have the hybrid networking architecture figured out, you can create new Azure virtual machines and promote them as domain controllers, pointing the servers to your on-prem domain controllers for DNS. Once this is achieved, you can keep adding virtual machines and promote them to domain controllers in the Azure virtual network. Thus you can maintain the whole on-premise domain structure in Azure and remove the on-premise physical servers one by one. You mentioned you have Windows 2012 servers on-premise and you would like to do away with physical servers but keep the possibility of group policy etc. I would suggest you use Windows Server 2019 virtual machines when you create VMs in Azure for additional domain controllers.

    I believe that you have multiple sites, all connected through some MPLS link or similar network connectivity. Mostly in these cases the users could be in a physical office or working from their own home. For anyone who is coming to a physical office, you can set up site-to-site VPN connectivity to Azure, where you will create the domain controllers for your Active Directory. For anyone who is working from home, we can use a point-to-site VPN connection to your Azure network, because the user's machine will need a line-of-sight domain controller for refreshing changes in group policy.

    Generally every company has some line-of-business applications their users use daily which depend upon Active Directory for authentication. This would be Kerberos/NTLM-based authentication, or you may be running an on-premise federation service using web-based protocols like SAML / OAuth / WS-Fed in conjunction with Active Directory. When you move all the Active Directory servers to the cloud, then the application servers you have would also need to be moved to the cloud if they use older auth protocols (Kerb/NTLM) and depend upon Active Directory domain controllers. If the application relies on modern authentication protocols like OAuth, then you can register the application in Azure AD and federate it with Azure AD directly. If it is using legacy auth protocols, then you can use Azure AD Application Proxy to make it available over the web; you may have to make some changes in your environment for the same. Please check the linked article. As you are using Office 365 as well, you may create a new sync server and perform a swing migration of the Azure AD Connect server for syncing identities to Office 365. Once this is done, you can do away with the on-premise AD Connect server as well and run the new AD Connect server in the cloud.

    The one thing you would need to make sure of is that after you do away with physical servers, the site-to-site VPN or ExpressRoute connection must remain available, as new authentication requests to your domain controllers will rely on the network connection between your on-prem office and the Azure cloud.

    I hope the information provided is helpful. I have linked many articles and I would suggest you go through them to understand the possibilities of how this could be done. In case you believe that I have misunderstood any of your queries, please do let me know and we will continue the conversation. If the information provided in this post is helpful, please do accept the post as the answer, which will help other community members searching for similar queries.

    Thank you .

    2 people found this answer helpful.
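The promotion steps the accepted answer describes (point the new Azure VM at the existing on-prem DCs for DNS, install AD DS, promote it as an additional domain controller in the Azure site, then verify replication before retiring any physical DC) written out in PowerShell, as an added example that is not part of the original answer. The domain name, on-prem DC addresses, AD site name and the F: data disk are placeholders and assumptions, not values from the thread.

```powershell
# Added example, not from the original answer: promote a new Windows Server 2019 Azure VM
# to an additional domain controller of the existing on-premises forest, following the
# answer's steps (DNS pointed at on-prem DCs first, then promotion, then replication check).
# Domain name, on-prem DC addresses, site name and the F: data disk are placeholders.
$OnPremDcIps = @('10.0.0.4', '10.0.0.5')   # placeholder: on-prem DCs reachable over the S2S VPN / ExpressRoute
$DomainName  = 'corp.example.com'          # placeholder: existing AD DNS domain
$SiteName    = 'Azure-VNet'                # placeholder: AD site whose subnet is the Azure VNet

# 1. Point the VM's DNS client at existing DCs so it can locate the domain.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $OnPremDcIps

# Sanity check: the VM must be able to find a DC over the hybrid link before promotion.
if (-not (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue)) {
    throw "Cannot locate domain controllers for $DomainName over DNS; check the VPN/ExpressRoute path and DNS settings."
}

# 2. Install the AD DS role with its management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. Promote the VM as an additional DC (DNS server and global catalog are the defaults)
#    in the Azure site. NTDS and SYSVOL go on a data disk (F:) with host caching disabled,
#    per Azure guidance for domain controllers.
$cred = Get-Credential -Message "Domain Admin account for $DomainName"
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSDomainController `
    -DomainName $DomainName `
    -Credential $cred `
    -SiteName $SiteName `
    -InstallDns `
    -DatabasePath 'F:\NTDS' `
    -LogPath 'F:\NTDS' `
    -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# 4. After the reboot, verify the new DC replicates with its on-prem partners before any
#    physical DC is retired; failures here usually point at the network path the answer
#    warns must stay available.
#    Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
#    repadmin /replsummary
#    repadmin /showrepl
```

Repeat the same steps for each additional Azure DC; only once replication to the Azure site is healthy should on-prem DCs be demoted one by one, as the answer suggests.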

2 additional answers

Sort by: Most helpful
  1. Rosa Rodríguez 21 Reputation points
    2022-07-05T06:44:57.507+00:00

    Shashishailaj, thank you very much for your explanation. I will read carefully the links you sent me; your answer has clarified a lot for me.
    Thank you again
    Best regards
    Rosa


  2. Roy Watkis 0 Reputation points
    2023-01-31T03:53:01.8466667+00:00

    I have an even simpler environment and am just looking to retire our on-prem DC. I am not running group policies, just running AD connector to sync with Office 365. I would only need the DC for user authentication. What would be the simplest direction to go? It is a small environment with only 20 users.
