Many organizations have recently transitioned to cloud-based identity platforms such as Azure Active Directory (AAD) to leverage the latest authentication mechanisms such as passwordless sign-in and conditional access, and to phase out Active Directory (AD) infrastructure. However, other organizations still use Domain Controllers (DCs) in hybrid or on-premises environments.
For those unaware, DCs have the ability to read and write to Active Directory Domain Services (AD DS), which means that if a DC is infected by a malicious actor, essentially all your accounts and systems are compromised. Microsoft issued an advisory about an AD privilege escalation attack just a few months ago.
Previously, the Redmond tech firm had emphasized that DCs should not be connected to the internet in any case. Given the evolving cybersecurity landscape, Microsoft has modified this guidance to say that DCs should not have unmonitored internet access or the ability to launch a web browser. Basically, it is OK to have a DC connected to the internet as long as that access is strictly controlled with proper defense mechanisms in place.
For organizations currently operating in a hybrid landscape, Microsoft recommends that you at least secure on-premises AD through Defender for Identity. Its guidance notes that:
Microsoft recommends cloud powered protection of those on-premises identities using Microsoft Defender for Identity. The configuration of the Defender for Identity sensor on domain controllers and AD FS servers allows for a highly secured, one-way connection to the cloud service through a proxy and to specific endpoints. A complete explanation on how to configure this proxy connection can be found in the technical documentation for Defender for Identity. This tightly controlled configuration ensures that the risk of connecting these servers to the cloud service is mitigated, and organizations benefit from the increase in protection capabilities Defender for Identity offers. Microsoft also recommends that these servers are protected with cloud powered endpoint detection like Azure Defender for Servers.
That said, Microsoft still recommends no internet access at all for organizations that are operating in air-gapped environments due to legal and regulatory reasons. You can check out the firm's guidance for DCs here.