Windows 10 – Azure AD Domain Joined & SMB Share

Tags: azure-active-directory, mapped-drive, network-share, server-message-block, windows-10

I have a number of Windows 10 clients domain joined to Azure AD, I still have a local Windows 2012 R2 server onsite with a number of shares I wish to map to from the Windows 10 clients. But if I try accessing the UNC path from a client I get "you do not have permissions to access the server", if I add the credentials into Credential Manager.
If I try to use the drive map wizard it shows the "Network folder is mapped using a different user" even though there are no other connections to the server.

Best Answer

I have encountered this question before. Essentially you are expecting to be able to get rid of your on-premise domain controller (DC) because you can join your laptops and workstations to Azure.

That is an incorrect understanding of Azure.

You still need a DC (a virtual machine (VM) in the cloud or a physical server).

That DC has Azure Active Directory (AAD) Connect installed and configured on it. That creates an account in AD that synchronizes accounts and passwords with AAD.

When a computer joined to AAD logs in it sends the login request to AAD. AAD then validates that authentication request against the information synchronized from AD.

So if you have workstations and laptops joined to AAD and they try to access a share on a server that is in a different domain than what AAD synchronizes with you are going to need to provide credentials that exist in the server which hosts the resources you are trying to access.

There are a few right ways to do this and I will give you two.

  1. If the clients are in a single location and will always be in the same location as the DC then join them to the domain regularly. For clients that will be used in other locations join those computers to AAD and install AAD Connect on the DC.
  2. If you want to move all of the servers out of your office spin up a VM for your DC in Azure and deploy a cloud firewall in front of your VM. Create a Site-to-Site Virtual Private Network (VPN) between the cloud firewall and your office firewall. Now join computers that will always be in the office to the domain like normal, join computers that are going to be used remotely to AAD, and install AAD Connect on the DC.
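The credential handling the answer describes, as an added example that is not part of the original question or answer: an AAD-joined client first clears any existing connection to the file server (Windows allows only one set of credentials per server per logon session, which is what produces the "mapped using a different user" message, system error 1219), then stores an account from the server's own domain in Credential Manager and maps the share with it. The server name FS01, domain CORP, share Projects, drive letter Z: and account CORP\fileuser are placeholders.

```powershell
# Added example (not from the original post). Assumes a file server FS01 in the
# on-premises domain CORP, a share \\FS01\Projects, and a CORP account that already
# holds share and NTFS permissions. All names below are placeholders.
$Server    = 'FS01'
$SharePath = "\\$Server\Projects"
$Drive     = 'Z:'
$User      = 'CORP\fileuser'   # account from the server's domain, not the AAD identity

# 1. Show which identity (if any) the client is already using against this server.
#    An implicit connection made with the AAD identity is usually what blocks a
#    second mapping with different credentials.
Get-SmbConnection -ServerName $Server -ErrorAction SilentlyContinue |
    Format-Table ServerName, ShareName, UserName, Credential -AutoSize

# 2. Remove any existing mappings to that server so a single credential set is used.
Get-SmbMapping -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePath -like "\\$Server\*" } |
    Remove-SmbMapping -Force -UpdateProfile

# 3. Store the server-domain credential in the user's Windows vault so it is
#    presented for every path on FS01 (prompted at runtime; never hard-code it).
$Secure = Read-Host -Prompt "Password for $User" -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password
cmdkey /add:$Server /user:$User /pass:$Plain | Out-Null
Remove-Variable Plain   # do not leave the clear-text password in the session

# 4. Map the drive; -Persistent $true makes it survive a reboot.
New-SmbMapping -LocalPath $Drive -RemotePath $SharePath -Persistent $true

# 5. Confirm the server accepted the CORP identity rather than the AAD one.
Get-SmbConnection -ServerName $Server |
    Select-Object ShareName, UserName, Credential
```

If step 5 still shows the AAD identity, another process (such as Explorer) holds an open connection to the server; closing those handles or signing out and back in releases it.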