Retain an on-premises domain controller?

We have nearly finished our migration to Azure, and have moved 130+ servers from a co-lo datacentre to Azure.

Concerns have been raised that if we should choose to keep a single physical domain controller in our head office site, to provide local authentication and basic services for the 500+ person site. The idea is to have a microserver (a server grade machine designed for small business) that is a backup / local authentication source so that if there are problems with Azure, that users would at least be able to log in to their machines and perform basic tasks, including using other cloud services and the Internet.

Are there problems with this approach? Most existing documentation is about how to remove all local domain controllers, and not how to add one on-site.

Any advice? (please provide advice that is directly related to the question, not alternative advice)