I work with Azure Active Directory (AAD) and enabled the Domain Services (AAD DS) feature to manage all my virtual machines and user accounts. Domain Services is basically a Windows Domain Controller (in fact there are two of them) that provides Domain Join, LDAP and authentication for your cloud-hosted network and machines.
As a result, all users in the AAD can log in to the Windows machines using their AAD account.
From the documentation (https://azure.microsoft.com/en-us/services/active-directory-ds/):
Your domain controller as a service
- “Lift-and-shift” apps to Azure more easily than ever
- Use LDAP, Active Directory domain join, NTLM, and Kerberos authentication
- Rely on a managed, highly-available service
- Get started in minutes, pay as you go
- Develop and test with no identity worries
- Manage Azure virtual machines effectively using Group Policy
I use the following setup, often referred to as a "cloud-only organization".
While the service is still in the preview phase, I would like to point out some specific issues that you should know about before using Azure Active Directory Domain Services. Some of them are by design, others are hopefully subject to change.
Mixed Up Accounts
Missing Mapping Information
Deleted Accounts Issue
As long as there is an account with the same UserPrincipalName in the tenant, the newer account doesn't get synced correctly. The deleted accounts need to be removed completely from the AAD (i.e. purged from the recycle bin), not just soft-deleted. --> WIKI LINK
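A check for exactly this situation, as an added example that is not part of the original post: it lists soft-deleted users whose UserPrincipalName collides with an active user and, only when asked, purges the stale copy from the recycle bin. It assumes the MSOnline module is installed, that `Connect-MsolService` has already been run with an account allowed to manage users, and that a soft-deleted user still carries its original UPN (the function name `Find-DeletedUpnConflict` is my own).

```powershell
# Added example, not code from the original post. Assumes the MSOnline module is
# installed and the caller has already run Connect-MsolService with an account
# allowed to manage users. Report-only unless -Purge is given.
function Find-DeletedUpnConflict {
    [CmdletBinding()]
    param([switch]$Purge)

    $active  = Get-MsolUser -All
    $deleted = Get-MsolUser -All -ReturnDeletedUsers

    # Index active users by UPN (case-insensitive) for a quick lookup.
    $activeByUpn = @{}
    foreach ($u in $active) { $activeByUpn[$u.UserPrincipalName.ToLowerInvariant()] = $u }

    # Assumption: a soft-deleted user still carries its original UPN, so a match
    # against an active user is the "same UPN in the tenant" case described above.
    $conflicts = foreach ($d in $deleted) {
        $key = $d.UserPrincipalName.ToLowerInvariant()
        if ($activeByUpn.ContainsKey($key)) {
            [pscustomobject]@{
                UserPrincipalName = $d.UserPrincipalName
                DeletedObjectId   = $d.ObjectId
                ActiveObjectId    = $activeByUpn[$key].ObjectId
                SoftDeletedAt     = $d.SoftDeletionTimestamp
            }
        }
    }

    if (-not $conflicts) {
        Write-Verbose 'No soft-deleted user shares a UserPrincipalName with an active user.'
        return
    }

    if ($Purge) {
        # Permanent removal cannot be undone: only the recycle-bin copy is touched,
        # and every purge is logged together with the active object that is kept.
        foreach ($c in $conflicts) {
            Remove-MsolUser -ObjectId $c.DeletedObjectId -RemoveFromRecycleBin -Force
            Write-Verbose ('Purged {0} ({1}); active copy {2} kept.' -f $c.UserPrincipalName, $c.DeletedObjectId, $c.ActiveObjectId)
        }
    }
    return $conflicts
}

# Review the list first, then purge once it looks right:
# Find-DeletedUpnConflict -Verbose | Format-Table -AutoSize
# Find-DeletedUpnConflict -Purge -Verbose
```

Run it once without `-Purge` and compare the two object ids per row before purging, since the function only tells apart the copies by their recycle-bin status.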
User Name Length