The following forum(s) are migrating to a new home on Microsoft Q&A (Preview): Azure Active Directory!

Ask new questions on Microsoft Q&A (Preview).
Interact with existing posts until December 13, 2019, after which content will be closed to all new and existing posts.

Learn More

Azure Setup and user Login RRS feed

  • Question

  • Hi Everyone,

    I'm new in setting up AD in cloud environment.

    So I'm thinking to setup AD in azure, for user authentication along with Group policy and Fileservers.

    My question is, is it do able?

    What I'm thinking is, since our AD will be located in the cloud it means as long as user connected to the internet, they can always sign in. how a bout the security for it? 

    Since my concern is, if I create on prem AD and i want user to be able to login to the AD it means I have to add VPN connection on my site.

    Please advise. I'm totally blank in this water.

    Wednesday, October 16, 2019 3:13 PM

All replies

  • Eka P. Widjaya, Thank you for sharing the query. To start with I am assuming you do not have any On-Prem AD environment available or any Azure AD tenant available at this time. Now, to start from scratch, lets assume the following terms and cases:


    On-Prem AD: This is an implementation of Active Directory installed on a VM/Physical server and sitting in a datacenter. All users will be authenticating to the On-Prem AD Domain Controllers using the auth methods like Kerberos or NTLM

    Azure AD: This is a directory that gets created on Cloud, as soon as you buy a subscription for Azure. Having said that, this directory is not as same as the On-Prem AD Directory. For users to get authenticated to this directory, they have to go through web-auth protocols like OAuth 2.0 or Open ID Connect etc.

    Now lets discuss the cases.

    Case 1: You have an On-Prem AD already setup in your datacenter and its working fine and now you want to utilize the power and benefits of Azure. In this case the users are already present in the On-Prem AD. To get the user to Azure AD, you would need to set up a Sync Server called AD Connect  and that would help you to Sync users to the Azure. SO that the same users are present both in cloud as well as On-Prem. This type of setup is called Hybrid-Setup. So the user can continue to access the applications that are hosted on the On-Prem AD environment as well as the new Applications that would be hosted on Azure. 

    Case 2: You create a tenant on Azure AD and then start creating users directly on the cloud. So the users' identity only rests in the Cloud and the users need to reach out to the cloud directly for authentication.

    So these should provide a very basic understanding about how the cloud and the on-prem world can co-exists.

    Coming to the next part of the query for the need of a VPN setup. So take the scenario, that you have two domain controllers running in your On-Prem Environment Datacenter, and you would like to increase the count of the Domain Controllers (VMs) and you plan to deploy them on Azure as Azure VMs. In this case you setup the VMs on Azure and configure them as Domain Controllers. Now to the DCs on cloud to replicated with DCs sitting on Prem, you need to create a VPN connection between the on-prem Datacenter and Azure. Here you can setup an Express Route to create that dedicated connection between your on-prem datacenter and Azure. 

    Note: This setup is similar to the on-prem setup and has got no connection with AAD.

    You can read more on this here:

    Hope this would help answer your queries. Also, I am sharing the following URL, which you can refer to for getting an in-depth understanding about Azure Active Directory and its various setup types:

    Do let me know if there are any more queries around this so that we can help you with those too.



    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Thursday, October 17, 2019 5:18 AM
  • Hi Sourav

    Thank you for your reply.

    So what I'm thinking is. 

    Create my AD on Azure VM and connected it to the AzureAD. 

    Since there will be several people who works not in-house, we want them to always authenticate. While dealing with VPN will be next plan, but will not immediately enforce.

    We're also thinking to save all profiles on the cloud, so what ever company owned device they use to connect with to the AD, they will always have the user expedience from their last used account along with their Documents .

    Can you pin point me to the right direction.

    Monday, October 21, 2019 3:04 PM
  • Hi Eka P. Widjaya,

    This plan sounds good. Just that a client machine in this case has to be in a Hybrid AAD joined state (meaning joined to both your own AD and to then to AAD again). With this the benefit that you get is all your Group policies of the AD domain will also be available to the client machine as well as the benefits of cloud i.e AAD will also be available like one of them being SSO experience.

    You can also check Enterprise State Roaming feature as this feature allows the user to sync the user-settings and app-settings data to the cloud.

    Enterprise State Roaming :

    What all does get synced:

    How to check that setting:

    How to enable Enterprise State Roaming:

    Hope this helps.


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Sunday, October 27, 2019 6:33 AM