Why Azure AD isn’t a cloud domain controller

There is some confusion as to what Azure AD can and cannot do and whether it could function as a cloud based domain controller.

At present the answer is no. While you can join computers running Windows 10 to Azure AD, that doesn’t make it a complete domain controller replacement. The most obvious difference is that Azure AD doesn’t support GPOs. An additional difference is that Azure AD only stores a subset of the attributes that are stored within an on-premises AD environment. When you connect on-premises AD with Azure AD, only a subset of attributes are replicated to the cloud. While it is fairly reasonable to assume that the number of attributes available with Azure AD will increase, it’s probably also reasonable to say that it unlikely that there will ever be parity between the attributes available in Azure AD and those available with on-premises AD.

Most organizations don’t spin up a separate instance of Azure AD for itself. While it is possible to do this, you’re more likely to use Azure AD as a back-end for an Office 365 and a Microsoft Intune deployment. It makes sense for organizations that have adopted Office 365 to join computers to Azure AD to simplify the integration between Windows 10, Office 365 and possibly Microsoft Intune.

At this stage it seems unlikely that Azure AD will get GPO like functionality and that the sort of configuration management settings that can be deployed through on-premises group policy are likely instead to be replicated through services such as Intune.