We have a bunch of bare-metal servers managed by a hosting company (UKFast).
On one of these we have a Domain Controller set up and the other servers are part of this domain (Windows 2012 R1 server).
At the moment we have set up users on this domain and can connect and authenticate (e.g. via RDP) with these users.
We would like to link our AzureAD logins, which are used to log into stand-alone Windows Desktops/Outlook 365 etc., into this configuration so that we can authenticate onto the servers using our AzureAD users/passwords.
Is this possible? Can it be done without upgrading the DC from 2012?
I did briefly look at Azure Active Directory Connect, but it seems to be more about getting AD users onto AzureAD than the other way around, and I couldn't get it to work on Windows 2012 anyhow.
Thanks.
You can use Azure AD Connect to synchronize your Active Directory users with Azure AD, but not the other way around.
What the tool does is create an AAD user for each AD user and keep them in sync; but if a user is created in AAD, there is no way to sync it back to the local AD, which will know nothing about it. Synchronization is strictly unidirectional (*), from AD to AAD.
(*) There are some exceptions, like password writeback; but there is no way to create AD users based on AAD ones.
That said, something can probably be hacked by exporting users from AAD and importing them into AD, and then modifying the appropriate attributes so that ADConnect can correctly map and synchronize them; but this would require extensive knowledge and development work.
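The "export from AAD, import into AD, then fix the attributes so AD Connect maps them" route described above is what is usually called a hard match. The script below is an added example and is not code from the answerer or from Microsoft: it finds cloud-only Azure AD users (never received from a directory sync), pre-creates a matching on-premises account with the same UPN, and writes the account's objectGUID (base64) into the cloud user's ImmutableId so that Azure AD Connect links the two objects instead of creating a duplicate or failing on the UPN clash. The OU path and DNS domain are placeholders, it assumes the MSOnline and ActiveDirectory modules are installed and you have already run Connect-MsolService, and it assumes AD Connect's sourceAnchor is objectGUID (the default on older installs; newer installs default to ms-DS-ConsistencyGuid, in which case populate that attribute instead). Run it before the first sync cycle covers these users.

```powershell
# Added example (not from the original thread). Pre-stage cloud-only Azure AD
# users as on-premises AD accounts and hard-match them by ImmutableId so that
# Azure AD Connect joins the objects rather than creating duplicates.
# Assumptions: MSOnline + ActiveDirectory modules present, Connect-MsolService
# already run, sourceAnchor = objectGUID, and the UPN suffix is both a verified
# domain in Azure AD and a UPN suffix in the on-premises forest.
Import-Module ActiveDirectory
Import-Module MSOnline

$OuPath = 'OU=Staff,DC=corp,DC=example'   # assumed target OU (placeholder)

function New-RandomPassword {
    # Throw-away initial password: the cloud password cannot be pulled down
    # from Azure AD, so the user must reset at first logon. CSPRNG-based;
    # the small modulo bias is acceptable for a one-time temporary secret.
    param([int]$Length = 24)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Get-CloudOnlyUser {
    # Cloud-only = never synced (no LastDirSyncTime) and not already matched.
    Get-MsolUser -All |
        Where-Object { $null -eq $_.LastDirSyncTime -and -not $_.ImmutableId }
}

function Sync-CloudUserToAd {
    param([Parameter(Mandatory)] $CloudUser)

    $upn = $CloudUser.UserPrincipalName
    $sam = ($upn -split '@')[0]
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }   # sAMAccountName limit

    # Reuse an existing account with the same UPN; otherwise create one.
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$upn'" -ErrorAction SilentlyContinue
    if (-not $adUser) {
        $params = @{
            Name                  = if ($CloudUser.DisplayName) { $CloudUser.DisplayName } else { $sam }
            SamAccountName        = $sam
            UserPrincipalName     = $upn
            EmailAddress          = $upn          # primary SMTP must also line up for soft match
            Path                  = $OuPath
            AccountPassword       = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Enabled               = $true
            ChangePasswordAtLogon = $true
            PassThru              = $true
        }
        if ($CloudUser.FirstName) { $params.GivenName = $CloudUser.FirstName }
        if ($CloudUser.LastName)  { $params.Surname   = $CloudUser.LastName }
        $adUser = New-ADUser @params
    }

    # Hard match: ImmutableId in Azure AD must equal the base64 objectGUID that
    # AD Connect will send as sourceAnchor for this account.
    $immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    Set-MsolUser -UserPrincipalName $upn -ImmutableId $immutableId
    [pscustomobject]@{ Upn = $upn; Dn = $adUser.DistinguishedName; ImmutableId = $immutableId }
}

Get-CloudOnlyUser | ForEach-Object { Sync-CloudUserToAd -CloudUser $_ } | Format-Table -AutoSize
```

Two caveats worth checking before running this against real accounts: once the objects are joined and password hash sync runs, the on-premises password becomes authoritative and overwrites the cloud one, so users will log into Office 365 with whatever they set at first domain logon (which is the single-password outcome the question asks for, but it must be communicated); and a wrong ImmutableId on an already-synced user is painful to undo, so test on one account and confirm in the Synchronization Service Manager that the first cycle reports a join rather than an add or an error.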
I think this is probably what I need:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-forest-trust