What identity service should be recommended for legacy applications during a migration to a cloud-only infrastructure?

When migrating legacy applications to a cloud-only infrastructure, recommending Azure Active Directory Domain Services (Azure AD DS) is appropriate due to its capability to support applications that rely on traditional Active Directory features. Azure AD DS provides managed domain services such as domain join, group policy, LDAP, Kerberos, and NTLM authentication, which are essential for legacy applications designed to operate within on-premises Active Directory environments.

These applications often require specific directory services that Azure Active Directory alone does not directly satisfy, as Azure AD is designed primarily for cloud-based identity and access management without the traditional domain services features. Azure AD DS bridges this gap, ensuring that legacy applications can function seamlessly post-migration while taking advantage of a cloud infrastructure.

In contrast, other options like Azure Active Directory are primarily focused on modern cloud applications and do not provide the necessary legacy support. Microsoft Identity Manager serves a different purpose by focusing on identity synchronization and management, not directly providing domain services. Cosmos DB, being a database service, does not pertain to identity management and thus is not relevant in this context.