Upgrade the Azure AD Domain Services Domain Controllers to be Windows Server 2016 instead of Windows Server 2012 R2.
We've switched to having our domain be AAD Domain Services, connected to our Office 365 domain, and we'd like to enable Windows Hello for Business, but until those domain controllers are upgraded we can't utilize it. This makes the nice fingerprint scanners on our new machines useless.
Mike Stephens commented
We are considering 2016 DCs, but not for the use case you describe. Azure AD DS was not designed to be federated with Azure Active Directory. You have Azure Active Directory (with your Office 365 subscription), so you can already do Windows Hello for Business directly with Azure. AAD DS is an extension of AAD that provides support for legacy applications that use Kerberos, NTLM, LDAP, and other legacy protocols. Azure AD DS cannot be used as a hybrid AD DS deployment with Azure. Also, Azure AD DS will not work (even with 2016) with WHFB's current design. That said, we are also investigating how we can bring passwordless to Azure AD Domain Services.
Senior Program Manager
Azure Fabric | Domain Services
It is silly that the cutting-edge cloud platform is using 2012 for compatibility. There should be the latest Windows (even beta) options available for features. There is no reason Microsoft's own platform should be lagging behind so much.
The ability to use the latest security features should be something always supported by Azure products.