
I currently have a small network with a few servers and about 25 client PCs. We are using Office365 and have AD synchronisation set up from our on-premise server. We also have single sign-on set up using ADFS.

We have recently replaced all but 2 of our servers with Azure virtual machines.

The only thing we now use our internal servers for is the Active Directory and ADFS.

So - my question is this... Can I set up an Azure Active Directory, sync my on-premise directory to it, get Office365 to talk to the Azure Active Directory and then decommission my on-premise servers?

Will my local client PCs authenticate against the Azure Active Directory?

If the answer is, "Yes" - any suggestions for how to achieve this would be great. If the answer is, "No" - some information on why not would be great!

Thanks!

Chris Roberts
  • Can't Azure AD connect do this? I thought it was supposed to be able to sync your on-prem AD to the Azure AD? – user228546 Dec 15 '17 at 20:08

2 Answers


Short Answer: No

Longer Answer: Local clients cannot communicate with an Azure AD instance directly. Your client PCs will not be able to use it for logon authentication. Azure Active Directory is not meant to be a replacement for on-prem Active Directory, it's simply a way to provide directory services to other services in your Azure tenant, such as O365 or Intune.

Edit: This answer is no longer 100% accurate. With Azure AD Join for Windows 10, you can use Azure AD for logon authentication and conditional access as well as automatic enrollment into Intune for policy management. So while Azure AD Join isn't appropriate for most organizations, it's great for highly-mobile companies or companies that may want some enhanced management for BYOD devices.

MDMarra
  • Ahh. I see. Thanks! Could I at least sync my on-premise AD to Azure and configure Office365 to authenticate with Azure? That way I could do away with my on-premise ADFS? Thanks again! – Chris Roberts Jan 27 '14 at 22:21
  • You can do away with on-premise AD if you want to use Azure ADFS instead of on-premise, but I don't think such solutions were meant to sync with an on-prem AD as well. See here: http://www.microsoft.com/en-us/download/details.aspx?id=38845 and here: http://blogs.technet.com/b/kevinremde/archive/2013/05/16/put-your-adfs-in-the-cloud-20-key-scenarios-with-windows-azure-infrastructure-services.aspx and here: http://technet.microsoft.com/en-US/library/dn509538.aspx – TheCleaner Jan 27 '14 at 22:28
  • @ChrisRoberts AD FS is not a requirement for O365 - it's only a requirement for single sign-on. You can do **same**-sign-on with just dirsync. If you do away with AD FS, your users will be prompted to log in, but it will be with the same credentials that they use on-prem. ADFS simply facilitates the transparent sign-on between the two environments. – MDMarra Jan 27 '14 at 22:41
  • @MDMarra does that mean if I were to use AD/DC on Azure, users will not be able to log on to Windows as well? – Jeremy Oct 17 '14 at 05:19
  • @username55 there is a difference between Azure Active Directory and installing AD on an Azure VM. This question is about the former. – MDMarra Oct 17 '14 at 10:31
  • Is this different with the newly-released Azure Active Directory Domain Services? – Rory Oct 16 '15 at 13:41
  • @rory maybe. It's unclear if this new service (which is still just released as a preview) will support on-prem devices to the cloud AD. The two scenarios outlined in the announcement are a pure cloud company with no on-prem infra with Azure AD DS supporting only Azure IaaS servers and a hybrid company still maintaining on-prem DCs. It's definitely an exciting time for Azure AD but it's way too new to see exactly what is and is not recommended. Certainly has the potential to enable new solutions though! – MDMarra Oct 16 '15 at 13:55
  • Is this still the case with the release of Windows 10? As Windows 10 can communicate / authenticate directly with an Azure AD, can you now have no need of an on-premises AD controller? – RemarkLima Nov 14 '15 at 14:00
  • @RemarkLima This is true for authentication, but you don't get Kerberos, GPO, etc. It may be good for a SOHO or branch office setup, but it's still not going to replace AD a for commercial or enterprise customers. At least not yet :) – MDMarra Nov 14 '15 at 19:56
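The comments above turn on one question: is a given workstation Azure AD joined, domain joined, or both (hybrid)? On Windows 10 and later the authoritative answer comes from `dsregcmd /status`. The script below is an added example, not code from the thread or from Microsoft; it parses that output into a join-state classification so you can check a fleet before deciding whether on-prem DCs can go. The sample text is a constructed, trimmed excerpt of real `dsregcmd` output (the key names `AzureAdJoined`, `EnterpriseJoined`, `DomainJoined`, `DeviceId` and `TenantName` are the ones the tool prints; the device ID and tenant name are placeholders).

```powershell
# Added example (not from the original post): classify a Windows 10+ device's
# identity join state from `dsregcmd /status` output.
function Get-DeviceJoinState {
    param(
        # Lines of `dsregcmd /status` output. The default runs the real tool;
        # pass captured text (as below) to test offline.
        [string[]]$StatusOutput = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "Key : Value" lines; pull them into a hashtable and ignore
    # the box-drawing headers.
    $fields = @{}
    foreach ($line in $StatusOutput) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $azure  = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'

    # Both YES = hybrid Azure AD join (on-prem AD still the logon authority, and
    # the device is registered in Azure AD); AzureAdJoined only = the pure
    # cloud scenario MDMarra's edit describes (no Kerberos/GPO from a DC).
    $state = if ($azure -and $domain) { 'HybridAzureAdJoined' }
             elseif ($azure)          { 'AzureAdJoined' }
             elseif ($domain)         { 'DomainJoinedOnly' }
             else                     { 'Workgroup' }

    [pscustomobject]@{
        State         = $state
        AzureAdJoined = $azure
        DomainJoined  = $domain
        TenantName    = $fields['TenantName']
        DeviceId      = $fields['DeviceId']
    }
}

# Constructed sample output: an Azure AD joined, non-domain-joined device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso
'@ -split "`r?`n"

# Expected: State = AzureAdJoined, AzureAdJoined = True, DomainJoined = False
Get-DeviceJoinState -StatusOutput $sample

# On a real machine just call it with no arguments:
# Get-DeviceJoinState
```

Run it with no arguments on each client (or push it through your RMM) and tally the `State` values: any `DomainJoinedOnly` machine is still depending on the on-prem DC for Kerberos logon and Group Policy, which is exactly the dependency the answer says Azure AD alone does not remove.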

Even Longer Answer: Like MDMarra says in his answer, local clients can't currently authenticate with Azure Active Directory (e.g. they can't domain-join). Based on your questions/comments, I believe you might be interested in a couple of possibilities:

Run Directory Sync with Password Sync (you might already be doing this). This way, Office 365 (and other online services) will authenticate against AAD, while your on-premises apps and clients can continue to authenticate against the on-premises AD.

If you really trust your network connection, you can also set up a site-to-site Azure Virtual Network from your premises to Azure, and move AD and ADFS to virtual machines in Azure. If you choose to go down this path, I strongly recommend you read up on Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines. (Note: in this case you can continue to use Directory Sync with AD on an Azure VM just like you do now.)

  • So, if I want to log on, say, to my workstation using a VMed AD I'll need a site-to-site connection? What if I had an on-premise AD which is a replica of the VM and they are connected through point-to-site? – Igor Gatis Jun 16 '15 at 00:22
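The first option in this answer (Directory Sync with Password Sync) only delivers "same sign-on" if both directory sync and password sync are actually enabled and running. The check below is an added example, not part of the answer; it reads the tenant's sync state with `Get-MsolCompanyInformation` from the MSOnline PowerShell module (assumed installed and connected with `Connect-MsolService`; this module is the admin tooling of the era of this thread and has since been superseded by Microsoft Graph PowerShell) and flags the failure modes that silently break the scenario. The sample object is constructed to show a tenant where directory sync works but password sync is off.

```powershell
# Added example (not from the original answer): verify the prerequisites for
# "same sign-on" without AD FS, i.e. directory sync and password sync are on
# and the last sync is recent. Assumes MSOnline (Connect-MsolService) when run
# against a live tenant.
function Get-SyncAgeMinutes {
    param($Timestamp, [datetime]$Now)
    # A null timestamp means that kind of sync has never completed.
    if (-not $Timestamp) { return $null }
    [math]::Round(($Now - [datetime]$Timestamp).TotalMinutes)
}

function Test-DirSyncHealth {
    param(
        # DirSync/AAD Connect runs a delta sync every 30 minutes (3 hours for
        # the original DirSync tool), so 3 hours is a conservative staleness bound.
        [int]$MaxSyncAgeMinutes = 180,
        # Injectable for offline testing; defaults to the live tenant record.
        $CompanyInfo = (Get-MsolCompanyInformation)
    )
    $now    = (Get-Date).ToUniversalTime()
    $dirAge = Get-SyncAgeMinutes $CompanyInfo.LastDirSyncTime      $now
    $pwdAge = Get-SyncAgeMinutes $CompanyInfo.LastPasswordSyncTime $now

    $problems = @()
    if (-not $CompanyInfo.DirectorySynchronizationEnabled) {
        $problems += 'Directory sync is disabled: cloud accounts are not sourced from on-prem AD.'
    }
    if (-not $CompanyInfo.PasswordSynchronizationEnabled) {
        $problems += 'Password sync is off: without AD FS users will have a separate cloud password (no same sign-on).'
    }
    if ($null -eq $dirAge -or $dirAge -gt $MaxSyncAgeMinutes) {
        $problems += "Directory sync is stale or has never run (age: $dirAge min)."
    }
    if ($CompanyInfo.PasswordSynchronizationEnabled -and
        ($null -eq $pwdAge -or $pwdAge -gt $MaxSyncAgeMinutes)) {
        $problems += "Password sync is enabled but stale (age: $pwdAge min); on-prem password changes are not reaching the cloud."
    }

    [pscustomobject]@{
        Healthy                = ($problems.Count -eq 0)
        DirSyncEnabled         = [bool]$CompanyInfo.DirectorySynchronizationEnabled
        PasswordSyncEnabled    = [bool]$CompanyInfo.PasswordSynchronizationEnabled
        DirSyncAgeMinutes      = $dirAge
        PasswordSyncAgeMinutes = $pwdAge
        Problems               = $problems
    }
}

# Constructed sample: directory sync healthy, password sync never enabled.
$sample = [pscustomobject]@{
    DirectorySynchronizationEnabled = $true
    PasswordSynchronizationEnabled  = $false
    LastDirSyncTime                 = (Get-Date).ToUniversalTime().AddMinutes(-45)
    LastPasswordSyncTime            = $null
}

# Expected: Healthy = False, one problem about password sync being off.
Test-DirSyncHealth -CompanyInfo $sample | Format-List

# Against a live tenant, after Connect-MsolService:
# Test-DirSyncHealth | Format-List
```

The password-sync check is the one that matters for this thread: if you decommission AD FS expecting users to keep their on-prem password in Office 365 but `PasswordSynchronizationEnabled` is false, every user ends up with a second, cloud-only credential, which is both a helpdesk problem and a phishing surface. For the second option (moving the DCs into Azure over a site-to-site VPN) the same script still applies unchanged, since directory sync then simply runs against the Azure-hosted DC.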