So I have a client who honestly has way too much hardware (7 servers for an organization with fewer than 50 users) and most of it is EOL pushing 7 years old. I suggested to consolidate down to a 2 servers so that they would still have a backup DC and that they would save a ton of money in operating expenses compared to what they are running now and that they would easily save money.

Management decided that they wanted to move everything to the "cloud" because that is the new buzzword everybody is talking about, but I've never seen anyone in actual production had client machine authenticate to remote DCs. I've seen more than a few that had satellite offices, but they always had local domain controllers even if most of the other servers were centralized back at corporate. I often have heard of or seen other types of servers (web servers, mail servers, etc.) seem to be often centralized or outsourced to AWS or Azure, but I haven't seen it done with domain controllers. From what I have read Windows Azure Active Directory can't authenticate client computers it can only replicate data from your existing on prem DC through ADFS. There have been articles for a while now suggesting that Azure may eventually have full Active Directory, but I can't find any evidence that is more than a rumor or internal Microsoft dev project at this point.

My thoughts were to probably moving them to Office365 for mail as it would eliminate the need for an offsite backup solution and the storage for mail, but keep two fairly low end servers on site to act as domain controllers, WSUS, endpoint management server, etc.

Has anybody actually shifted their DCs entirely offsite and if so did it work? Am I old school in thinking moving the domain controller off site would be a mistake?