Re: But does it work?
It was "miserable as bleep" and "reliable unless you change something."
Azure AD is one of those things that introduces a strict change management requirement into your environment. Breathe on it, and it will do something bizarre. But if you're one of those shops that sets up things and then basically doesn't touch them for 5 years, you're good.
Of course, bear in mind that Azure AD can be configured in a few different ways, depending on the wodge of cash you pay, the apps you're using, the level of integration you're seeking, etc. TBH, from a technical level, it's why I walked away from Azure. I just couldn't stand bleeping with it to keep it working.
Now, if they're correct, and it's push-button easy (with presumably similar "oh shit" buttons for when something changes), then it's worth a really good long look. That said, almost every company I deal with is moving away from Active Directory as their authentication system. It's used mostly to lash together legacy Windows boxes, but almost always with a cloud connector to a less frustrating and more widely supported service.
Identity management is a hotly contested battleground right now with dozens of new entrants every year. It is going to be a while before it all shakes out and there is absolutely zero guarantee that Microsoft will emerge the winner. (My money is on a much expanded OpenID.)
The big problem with Azure AD is that Azure AD isn't exactly like adding a domain controller. You don't just have a copy of your whole AD in the cloud.
The benefit of Azure AD is that you don't just have a copy of your whole AD in the cloud.
Active Directory - like the registry before it - has become a dumping ground for information that by all rights should be in easily editable flat text files. (And bleep you too, systemd, with a bronzed goat!) So there's layers upon layers of cruft in the average Active Directory. Some of this cruft you need to make programs run. Some of it is just "junk DNA" waiting to cause a cancerous mutation.
So the bad stuff doesn't go into the cloud...but much of the good stuff doesn't either. So it takes a lot of whitepapers to find out what's where, when and why. Frankly, I gave up. I started moving away to stuff that doesn't need the Active Directory - or the bleeping registry - to get the job done. I like that "keep it simple" mantra.
But there are a lot of folks who aren't in that situation. And so this might well be an important tool for them, especially if they are to remain wedded to Microsoft in the long term. Microsoft is certainly making it a huge part of their plans, as it is an important weapon in the Identity Wars...and that's a set of battles Microsoft's "cloud first, mobile first" future can't afford to lose.
If you could just get your identity from anywhere, why...what could be next?