We want to abandon on-prem AD services.
The critical question is:
Can I switch from on-prem AD to Azure ADDS for the Azure File Services while retaining permissions?
Scenario:
On-prem Domain Name: company.com
Azure AD Tenant Name: company.onmicrosoft.com
VPN Connection from on-prem to Azure File
Azure Files are currently in the AD hybrid join mode.
(Azure Blob Storage wasn't a choice, including Azure Data Lake Storage Gen2)
All client devices are Azure AD joined using Intune.
No servers/services On-prem that are AD-dependent, with the exception of Azure Files Services.
Plan:
The next step is to get rid of the on-prem AD.
The plan is to remove the last Exchange Management Server and terminate the AD-Connect service to get cloud-only users and groups.
To continue granting access to Azure File Services, the idea is to build an Azure ADDS in parallel and turn on full replication of NTLM and Kerberos tickets on the Azure Connect side.
After migrating the files from on-prem, the authentication is to be switched from Active Directory to Azure Active Directory Domain Services. The hope is that the permissions do not need to be changed since the SID history is in Azure AD.
Has anyone already done this?
It is clear that users of Azure AD devices will still need a password to access Azure File Share, as no Kerberos protocol is available and they will need a network connection to the Azure ADDS environment, too.
We think that, to avoid any DNS confusion, the Azure ADDS should be given a subdomain name.
Azure ADDS Managed Domain: cloud.company.com
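Whether the existing ACLs survive the cut-over comes down to one question: does every SID referenced on the share still resolve to an account once the resolver is the new managed domain instead of the on-prem forest? The script below is an added example (not part of the original post, and not Microsoft's tooling) that inventories the SIDs on a share before the switch and reports the ones that do not resolve. It assumes the share is reachable over SMB at the UNC path you pass in, that the host running it is joined to the domain you want to test against (the new cloud.company.com managed domain, not the old one, otherwise every SID will resolve trivially), and that the `$SharePath` / `$ReportPath` parameter names are this example's own.

```powershell
# Added example, not from the original post.
# Walks the share, normalises every ACE identity to its SID, and tries to
# resolve each distinct SID through the domain this host is joined to.
# Run it from a host joined to the *target* domain (the Azure AD DS managed
# domain) so unresolved SIDs reflect what users will see after the switch.
param(
    [Parameter(Mandatory = $true)]
    [string]$SharePath,                       # e.g. \\storageacct.file.core.windows.net\share (placeholder)
    [string]$ReportPath = ".\acl-sid-audit.csv"
)

$results = @{}

# Scanning files as well as folders; on a large share restrict with -Directory first.
Get-ChildItem -Path $SharePath -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            # Normalise to a SID so renamed accounts and already-orphaned ACEs
            # (which show up as raw S-1-5-... strings) are compared the same way.
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value
            }

            if (-not $results.ContainsKey($sid)) {
                # Ask the current domain to map the SID back to an account name.
                # Translate() throws when nothing in the resolver's view owns the SID.
                try {
                    $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                        Translate([System.Security.Principal.NTAccount]).Value
                    $resolves = $true
                } catch {
                    $name = $null
                    $resolves = $false
                }
                $results[$sid] = [pscustomobject]@{
                    Sid       = $sid
                    Account   = $name
                    Resolves  = $resolves
                    FirstSeen = $_.FullName
                    Count     = 0
                }
            }
            $results[$sid].Count++
        }
    }

$results.Values |
    Sort-Object Resolves, Count -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation

$unresolved = @($results.Values | Where-Object { -not $_.Resolves })
Write-Host ("{0} distinct SIDs referenced, {1} unresolved. Report written to {2}" -f
    $results.Count, $unresolved.Count, $ReportPath)
$unresolved | Format-Table Sid, Count, FirstSeen -AutoSize
```

Run it once against the old domain to get a baseline (everything should resolve), then again from a host joined to the managed domain after synchronisation. Any SID that resolves in the first run but not the second is an ACE that will silently stop granting or denying access after the cut-over and needs to be re-ACLed; well-known SIDs (BUILTIN\Administrators, Authenticated Users) resolve locally in both runs and can be ignored.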