How to Provide Access to Azure Resources with Azure AD

Once the inbound rule for RDP is in place, assign the Network Security group to the default subnet on your Server network in the Resource Manager portal.  What this will do is ensure that only YOUR workstation (and anything on your virtual network) can access your VM once it is deployed to the network.

Deploy Virtual Machine

With the underlying infrastructure in place, a virtual machine can be deployed.  Deploy a single virtual machine to the server network and set its IP addresses to “static”.  To simplify things, use managed disks”.  Call the virtual machine Server01 and set the network security group to NONE.

Join Virtual Machine to Azure AD Domain

Since Domain Services were activated earlier, the virtual machine can be joined to the Azure Active Directory domain once it has been deployed.  Joining the Azure Active Directory domain is no different from joining a machine to an on-prem AD domain.  Login to SERVER01 and join the BlueWidgetCoXXXX.com domain.  When prompted for credentials, provide the BWCAdmin@BlueWidgetCoXXXX.com login info.

When you login to SERVER01, make sure it is pointed at the domain services DC IP address by performing an ipconfig /all.  If it is not pointed at the domain services DC IP address, you made a mistake somewhere.

NOTES: 

If the virtual machine cannot see the Azure Active Directory domain, make sure the custom DNS servers (DCs of the Azure AD domain) were assigned to the server network BEFORE deploying the virtual machine.  If the virtual machine was deployed BEFORE configuring the DNS servers for the server network, reboot the virtual machine so it picks up the new DNS servers.