Azure AD is a cloud-based mechanism that provides the tools to address our security needs. Backed by Microsoft AD, an industry-standard and, importantly, proven secure authentication and authorization system, it offers both cloud-first (that is, stored and managed entirely in the cloud) and hybrid (a mix of cloud and on-premises) solutions.

Some of these tools are included by default when you create an Azure AD tenant. Others require a Premium add-on, which we will cover later.

These tools include the following:

  • Self-service password resets: Allowing your users to reset their passwords themselves (through the provision of additional security measures) without needing to call the helpdesk.
  • MFA: MFA enforces a second form of identification during the authentication process—a code is generated and sent to the user, and this is entered along with the password. The code is typically sent to a user’s device as either a text message or an MFA authentication app on their mobile device. You can also use biometric devices such as fingerprint or face scanners.
  • Hybrid integration with password writebacks: When Azure AD is synchronized to an on-premises AD with AD Connect, changes to the user’s password in Azure AD are sent back to the on-premises AD to ensure the directories remain in sync.
  • Password protection policies: Policies in Azure can be set to enforce complex passwords or the period between password changes. These policies can be integrated with on-premises directories to ensure consistency.
  • Passwordless authentication: For many organizations, the desire to remove the need for passwords altogether in favor of alternative methods is seen as the ultimate solution to many authentication issues. Credentials are provided through the use of biometrics or a FIDO2 security key. These cannot be easily duplicated, and this removes the need for remembering complex passwords.
  • Single sign-on (SSO): With SSO, users only need to authenticate once to access all their applications—regardless of whether they sign on through their on-premises directory or Azure AD, the single authentication process should identify the user across different environments.
  • CA (Conditional Access): To further tighten security, CA policies can restrict user sign-in or apply different rules depending on the context of the sign-in. For example, MFA can be set not to be required when signing in from specific Internet Protocol (IP) ranges, such as a corporate network range.
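One way to express the CA rule in the last bullet as a policy, added here as an example rather than taken from the book, using the Microsoft Graph PowerShell SDK; the IP range, display names and break-glass account ID are placeholders.

```powershell
# Added example (not from the book): a Conditional Access policy that requires MFA
# for every user and cloud app, except sign-ins from a trusted corporate IP range.
# Assumes the Microsoft.Graph PowerShell module and an account that can consent to
# Policy.ReadWrite.ConditionalAccess. IP range, names and break-glass ID are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# 1. Define the corporate network as a trusted named location.
#    Keep this range narrow: every address in it is exempted from MFA below.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate network (placeholder)"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"   # documentation range, placeholder
        }
    )
}

# 2. Require MFA everywhere except from that trusted location.
#    Start in report-only mode so the sign-in logs show the effect before enforcing.
$policy = @{
    displayName = "Require MFA outside corporate network"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")  # emergency-access exclusion
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id)   # "AllTrusted" would exempt every trusted location
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Review the report-only results in the Azure AD sign-in logs before switching the state to "enabled", and keep the excluded break-glass account monitored, since it bypasses this policy entirely.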