Azure Active Directory Domain Services Limitations

I work with Azure Active Directory (AAD) and enabled the Domain Services (AAD DS) feature to manage all my virtual machines and user accounts. Domain Services is basically a Windows Domain Controller (in fact there are two of them), which provides Domain Join, LDAP and Authentication for your cloud-hosted network and machines.

As a result, all users in the AAD can log in to the Windows machines by using their AAD account.

From the documentation (https://azure.microsoft.com/en-us/services/active-directory-ds/):

Your domain controller as a service

  • “Lift-and-shift” apps to Azure more easily than ever
  • Use LDAP, Active Directory domain join, NTLM, and Kerberos authentication
  • Rely on a managed, highly-available service
  • Get started in minutes, pay as you go
  • Develop and test with no identity worries
  • Manage Azure virtual machines effectively using Group Policy

I use the following setup, often referred to as a "cloud-only organization":

[Figure: Cloud Only Setup]

Known Limitations

While still in the preview phase, I would like to point out some specific issues that I think should be known before using Azure Active Directory Domain Services. Some of them are by design, others are hopefully subject to change.

Mixed Up Accounts

https://social.msdn.microsoft.com/Forums/azure/en-US/fc2ef4b7-3c7a-4b18-ad6d-109567a00e02/selfsourced-and-microsoftsourced-accounts-are-mixed-up-domain-services?forum=WindowsAzureAD#fc2ef4b7-3c7a-4b18-ad6d-109567a00e02

Missing Mapping Information

https://social.msdn.microsoft.com/Forums/azure/en-US/c5f1d5ab-7b8a-478c-8524-6504c058edb1/azure-active-directory-domain-services-portal-created-accounts-sync-different-than-graphapi-created?forum=WindowsAzureAD#3f819ea0-5425-47f1-ab54-1518b58076f5

Deleted Accounts Issue

As long as there is an account with the same UserPrincipalName in the tenant, the newer account doesn't get synced correctly. The deleted accounts need to be deleted completely from the AAD (hard-deleted, not just left in the recycle bin). --> WIKI LINK
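To find such conflicts before they break synchronization, the following script (an added example, not part of the original post or of Microsoft's documentation) lists soft-deleted Azure AD users whose original UserPrincipalName still matches an active user, and optionally hard-deletes them. It uses the Microsoft Graph PowerShell SDK cmdlets `Get-MgUser`, `Get-MgDirectoryDeletedItemAsUser` and `Remove-MgDirectoryDeletedItem`; the `-Purge` switch and the `Get-OriginalUpn` helper are my own, and the helper assumes that Graph prefixes a soft-deleted user's UPN with the object id (hyphens removed), which is stripped before comparing.

```powershell
# Added example (not from the original post): report soft-deleted users whose
# UserPrincipalName collides with an active user, so the stale copies can be
# purged from the recycle bin before AAD DS tries to sync the newer account.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in
# admin holds User.Read.All and Directory.ReadWrite.All (needed for a hard delete).

param(
    [switch]$Purge   # hypothetical switch: only hard-delete collisions when explicitly asked
)

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.ReadWrite.All' | Out-Null

# Active users, keyed by lower-cased UPN for a case-insensitive comparison.
$active = @{}
Get-MgUser -All -Property Id, UserPrincipalName | ForEach-Object {
    $active[$_.UserPrincipalName.ToLowerInvariant()] = $_.Id
}

function Get-OriginalUpn {
    param([string]$Upn, [string]$ObjectId)
    # Assumption: a soft-deleted user's UPN carries its object id (without hyphens)
    # as a prefix; strip it to recover the UPN the account had while it was active.
    $prefix = $ObjectId -replace '-', ''
    if ($Upn.StartsWith($prefix, 'OrdinalIgnoreCase')) {
        return $Upn.Substring($prefix.Length)
    }
    return $Upn
}

# Walk the recycle bin and keep only deleted users that still shadow an active UPN.
$deleted = Get-MgDirectoryDeletedItemAsUser -All -Property Id, UserPrincipalName, DeletedDateTime
$collisions = foreach ($d in $deleted) {
    $upn = (Get-OriginalUpn -Upn $d.UserPrincipalName -ObjectId $d.Id).ToLowerInvariant()
    if ($active.ContainsKey($upn)) {
        [pscustomobject]@{
            UserPrincipalName = $upn
            DeletedObjectId   = $d.Id
            ActiveObjectId    = $active[$upn]
            DeletedDateTime   = $d.DeletedDateTime
        }
    }
}

if (-not $collisions) {
    Write-Host 'No soft-deleted users collide with an active UserPrincipalName.'
    return
}

$collisions | Format-Table -AutoSize

if ($Purge) {
    foreach ($c in $collisions) {
        # Hard delete: removes the object from the recycle bin permanently, which is
        # what AAD DS needs before it will sync the newer account with this UPN.
        Remove-MgDirectoryDeletedItem -DirectoryObjectId $c.DeletedObjectId
        Write-Host "Purged soft-deleted user $($c.UserPrincipalName) ($($c.DeletedObjectId))"
    }
}
```

Run it once without `-Purge` to review the list; the hard delete is irreversible, and the 30-day recycle-bin window is the only way to recover a user removed by mistake.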

User Name Length

https://social.msdn.microsoft.com/Forums/azure/en-US/f69e8452-d635-4f29-a62a-4b8184c35256/azure-active-directory-domain-services-username-limitations?forum=WindowsAzureAD#f69e8452-d635-4f29-a62a-4b8184c35256

Account Expiration

https://social.msdn.microsoft.com/Forums/azure/en-US/d4a0bc7d-f450-4a0c-8c62-c3ec9715733d/accounts-are-expired-in-azure-active-directory-domain-services-aad-ds-even-if-the?forum=WindowsAzureAD