I would recommend against deploying an on-premises Active Directory Domain Services (AD DS) domain controller in the cloud. Of course, there are cases where an organization must support legacy applications that depend on legacy authentication (Kerberos, NTLM, LDAP) and cannot use modern authentication.
If you are in that situation and deploying a domain controller in the cloud is a must, then do it securely. Administer it only from a hardened device such as a Privileged Access Workstation (PAW). The PAW configuration includes security controls and policies that restrict local administrative access and productivity tools, reducing the attack surface to only what is absolutely required for performing sensitive tasks.
Use the PAW to access the Azure Portal, or to run Infrastructure as Code (IaC), to deploy the Windows Server virtual machine that you will configure as the domain controller. This assumes you have a VPN, ExpressRoute or another connection to your on-premises network, so that the new VM can resolve and reach your existing domain controllers.
It also assumes you have deployed PAW-CSM and Azure Bastion, and configured the VNets and NSGs so that management access to the VM is allowed only from the Azure Bastion subnet.
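The procedure above, written out as an added PowerShell example (this is not code from the original post): part 1 runs from the PAW with the Az module and creates the NSG, VNet, Bastion host and VM; part 2 runs inside the VM over a Bastion RDP session and promotes it to a domain controller; part 3 runs back on the PAW once the new DC is replicating. The resource group, VNet and subnet names, address ranges, IP addresses, VM size, domain name and site name are assumed placeholders.

```powershell
# Added example (not from the original post). All names, address ranges, IPs,
# the domain name and the site name are assumed placeholders.

# ---------- Part 1: run from the PAW (Az PowerShell module) ----------
$rg          = 'rg-identity-prod'
$location    = 'westeurope'
$vnetCidr    = '10.10.0.0/16'
$bastionCidr = '10.10.0.0/26'     # AzureBastionSubnet must be at least a /26
$dcCidr      = '10.10.1.0/24'
$dcIp        = '10.10.1.4'        # static private IP: a DC must never change address
$onPremDns   = '192.168.1.10'     # existing on-prem DC reachable over VPN/ExpressRoute

Connect-AzAccount
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# NSG for the DC subnet: RDP is allowed only from the Bastion subnet and denied
# from everywhere else. The default AllowVnetInBound rule is deliberately left in
# place so that AD traffic (DNS, Kerberos, LDAP, SMB, RPC) from on-prem and domain
# members still reaches the DC; a DC with all inbound blocked cannot replicate.
$allowRdpFromBastion = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Bastion' `
    -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionCidr -SourcePortRange '*' `
    -DestinationAddressPrefix $dcCidr -DestinationPortRange 3389
$denyRdpOther = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Other' `
    -Priority 110 -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix $dcCidr -DestinationPortRange 3389
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-dc' -SecurityRules $allowRdpFromBastion, $denyRdpOther

# VNet with the Bastion subnet (the name AzureBastionSubnet is mandatory) and the
# DC subnet. VNet DNS points at the on-prem DC so the VM can resolve the domain
# during promotion.
$bastionSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix $bastionCidr
$dcSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-dc' -AddressPrefix $dcCidr -NetworkSecurityGroup $nsg
$vnet = New-AzVirtualNetwork -Name 'vnet-identity' -ResourceGroupName $rg -Location $location `
    -AddressPrefix $vnetCidr -Subnet $bastionSubnet, $dcSubnet -DnsServer $onPremDns

$bastionPip = New-AzPublicIpAddress -Name 'pip-bastion' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
New-AzBastion -ResourceGroupName $rg -Name 'bas-identity' `
    -PublicIpAddressRgName $rg -PublicIpAddressName $bastionPip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnet.Name | Out-Null

# NIC with a static private IP and no public IP: the DC is reachable only via
# Bastion (management) and the private network (AD traffic).
$dcSubnetId = ($vnet.Subnets | Where-Object { $_.Name -eq 'snet-dc' }).Id
$nic = New-AzNetworkInterface -Name 'nic-dc01' -ResourceGroupName $rg -Location $location `
    -SubnetId $dcSubnetId -PrivateIpAddress $dcIp

# Separate data disk with host caching None: NTDS and SYSVOL go there, never on the OS disk.
$localAdmin = Get-Credential -Message 'Local administrator for the VM'
$vm = New-AzVMConfig -VMName 'dc01' -VMSize 'Standard_D2s_v5' |
    Set-AzVMOperatingSystem -Windows -ComputerName 'dc01' -Credential $localAdmin |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2022-datacenter' -Version 'latest' |
    Add-AzVMNetworkInterface -Id $nic.Id |
    Add-AzVMDataDisk -Name 'dc01-data' -Lun 0 -CreateOption Empty -DiskSizeInGB 64 -Caching None
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm | Out-Null

# ---------- Part 2: run inside dc01 over an Azure Bastion RDP session ----------
# Bring the data disk online as F: for the AD database, logs and SYSVOL.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'NTDS' -Confirm:$false

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$domainAdmin = Get-Credential -Message 'Account allowed to add a DC to the domain'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
# The site (and a subnet object for $dcCidr) should already exist in AD Sites and Services.
Install-ADDSDomainController -DomainName 'corp.example.com' -Credential $domainAdmin `
    -SafeModeAdministratorPassword $dsrm -InstallDns -SiteName 'Azure-WestEurope' `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' -Force

# ---------- Part 3: back on the PAW, once the new DC is replicating ----------
# Point the VNet's DNS at the Azure DC first, keeping the on-prem DC as secondary.
$vnet = Get-AzVirtualNetwork -Name 'vnet-identity' -ResourceGroupName $rg
$vnet.DhcpOptions.DnsServers = @($dcIp, $onPremDns)
$vnet | Set-AzVirtualNetwork | Out-Null
```

Two checks worth making after this runs: `Get-AzPublicIpAddress -ResourceGroupName $rg` should list only the Bastion address, never one attached to the DC's NIC, and `Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'nic-dc01' -ResourceGroupName $rg` should show RDP allowed solely from the Bastion prefix. Note that the NSG restricts only management access; the VirtualNetwork service tag used by the default rules includes on-premises prefixes learned through the VPN or ExpressRoute gateway, which is what lets replication and client logons keep working.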