Our primary use case has definitely evolved since our very first use case, which was for delegation of rights within Active Directory without having to give folks native rights through Active Directory. That was our biggest driving factor into the use of Active Roles. All the other stuff that it does is a benefit, and we use it all heavily. However, we're very big into using the least privileged model and having the least amount of Active Directory native rights out there, as this cuts down on issues later. By having less people with native Active Directory rights, this cuts down on potential issues that we have to troubleshoot.
It is used in our on-prem Active Directory, but the servers themselves are hosted out of Azure. So, we use IaaS, which is just having VMs in the cloud versus having our VMs on-prem. The only cloud aspect is that VMs are hosted in the Azure IaaS instance. It's a normal VM, which is part of our on-prem Active Directory, but it just happens to be hosted in Azure.