Two women in conversation, one gesturing with both hands

Blog | 11-minute Read

The definitive guide to Azure AD: Everything you need to know

Marcus Idle profile headshot

Marcus Idle

Head of External Identity

Published: 06 May 2022

Azure Active Directory is Microsoft’s flagship cloud identity service. We cover its key features, explain how it works, and break down what it can provide for your organisation.

Cloud technology has significantly changed the way organisations operate. Offering new ways to conduct business, interact with customers, and manage your internal IT systems and employees.

Microsoft’s Azure platform is one of the heavy hitters operating in the Cloud arena. And it’s only getting bigger, hitting over 425 million daily users in 2021 (Microsoft FY21 Q2 Results).

This growth is largely powered by the Active Directory component at the heart of Azure. Azure Active Directory (Azure AD) provides an ever-expanding array of features and functionality for the management of identities and security.

But what exactly is Azure AD? What does it provide? How does it function? You’ll find these answers and much more below as we give you everything you need to know about Azure AD.

What is Azure AD?

Azure Active Directory is Microsoft’s multi-tenant, cloud-based identity and access management service. It’s the digital infrastructure that allows your employees to sign in and access external resources held in Office 365 and an ever-growing list of other SaaS applications, as well as those held on a corporate network or intranet.

Azure AD’s strength lies in the flexibility afforded to it by being entirely cloud-based. This means that it can either act as an organisation’s only directory, or it can sync with an on-premises directory via Azure AD Connect.

Either way, it enables both on-premises and cloud-based users to access the same apps and resources, simultaneously benefitting from features such as single sign-on (SSO), multi-factor authentication (MFA), conditional access, and more.

More importantly, it provides a single place from which to manage your identity, security, and compliance controls across your entire IT estate.

quote icon

Because of the amazing progress in open standards for identity over the past decade, we can easily hook all of these things together and give you one central control plane.

Alex Simons, Corporate VP for Identity, Microsoft

What does Azure AD do?

Azure AD provides different benefits depending on what you’re using it for.

For IT admins, it allows complete control over access to applications and resources utilising security controls like MFA and conditional access. They can also use Azure AD’s built-in governance controls to apply automated lifecycle management and privileged access limitations.

In addition to this, Azure AD also provides admins with the ability to automate provisioning between Windows Server Active Directory and cloud apps like Office 365.

For developers, Azure AD can be used as a standards-based approach to enabling features like SSO and for personalising the app experiences using existing organisation data through APIs.

If you’re a user or employee, Azure AD means quick and easy access to work resources, on a multitude of devices, from almost anywhere on the planet.

The complete guide to Microsoft Entra ID

Download your 34-page guide to Microsoft’s identity tools.

How does it work?

Azure AD, as the name suggests, is a directory – a container for your user names, credentials, and access rights (typically to information-based resources).

Cloud-only or hybrid

Azure AD can be operated in ‘cloud-only’ mode, allowing your users to sign in to their Windows PCs using the cloud directory service. Alternatively, if you, like many organisations, are still tied to on-premises legacy infrastructure, Azure AD can use your local Active Directory as a master for account data and operate in a variety of hybrid modes.

Threat detection

Whether in cloud-only or hybrid mode, Azure AD effectively acts as your ‘front door’ for sign-ins. A key benefit of doing so allows you to take advantage of state-of-the-art security measures, such as assessing the threat level of the user attempting access and being able to mitigate that threat – for example, requesting two-factor authentication.

Single sign-on compatibility

One of the most attractive advantages of using Azure AD is its ability to enable single sign-on (SSO) and it supports third-party application integration to help achieve this.

Applications can connect using standard ‘modern auth’ protocols – SAML or OpenID Connect. Application and group assignments (including dynamic groups) in Azure AD determine who has access to what.

Single sign-on means that users will be able to access all of the applications they need by signing in only once using a single user account hosted in Azure AD. Once signed in, they can access those applications without being required to authenticate a second time.

Azure AD has been designed to enable easy integration with many of today’s popular SaaS applications, enabling users to either single sign on to applications directly or discover and launch them from a portal, such as Office 365 or the Azure AD access panel.

What are the benefits of using Azure AD?

Azure AD offers a plethora of incentives for adoption, hence why it’s used by 95% of the Fortune500.

Again, this is driven by its incredible flexibility. Whilst Azure AD is optimised for Microsoft applications, it is also highly compatible with apps developed outside the house that Bill built.

This open standards approach has allowed Azure AD to become the core mechanism by which an organisation can manage all of its different apps, devices, and users across multiple tenants.

Azure AD’s key benefits largely fall into five categories:

1. One place for identity and access management

Azure AD is the heart of your organisation’s IT, giving you one place to go for managing user identities and permissions. You can assign users to groups individually or using rules driven by attributes, and you can use groups to assign licences and application access. You have all the control in one place.

2. One identity for all applications

Whilst your users’ Azure AD identities are perfect for signing into Microsoft applications, it is also highly compatible with apps developed elsewhere. Millions of users use Azure AD to regularly access third-party party applications on a daily basis, streamlining the process and increasing productivity.

3. Security

Organisations want to protect their resources from malicious or accidental harm – and to protect their users from identity theft. Azure AD achieves these aims with a range of measures, including threat detection, conditional access, multi-factor authentication, privileged identity management (PIM), and more.

4. Ease of use

Getting access to resources should be easy for end-users. Single sign-on, using the same sign in for Windows and all your applications, means less fuss with credentials, and fewer demands on the IT help desk.

5. Collaboration

Azure AD allows you to invite external (guest) users into your directory to assign access, while their credentials are managed by their organisation’s IT department.

This gives you immediate and easy collaboration options while not having to worry about user lifecycle.

Azure AD key features

Having all of your disparate environments united under Azure AD offers some significant functionality options and features:

Ebony and green monitor and settings icon on transparent background

Application Management

Manage both cloud and on-premises apps, single sign-on, the MyApps portal, and any SaaS apps.

Ebony and green tick person in brackets icon on transparent background


Whether this be providing self-service password reset, calibrating MFA requirements, or enabling smart lockout, you can get really granular with your authentication settings (especially when used in conjunction with conditional access) for increased security and control.

Ebony and green suitcase icon on transparent background

Business-to-business (B2B)

Manage guest users and partners, providing them with the access they need but no more than you’re willing to allow.

Ebony and green person plus icon on transparent background

Business-to-customer (B2C)

Offer custom sign in and sign up experiences, allowing customers to manage their profiles within your applications.

Ebony and green hand and mobile phone icon on transparent background

Device management

Control how your network is accessed by on-premises and external devices, utilising Intune for effective management.

Ebony and green cloud uploaded icon on transparent background

Hybrid identity

Most organisations aren’t ready to go cloud-only yet, but using Azure AD Connect allows you to take advantage of Azure AD’s features – even if you’re running some on-premises applications and some in the Cloud.

Ebony and green compliance and information protection icon on transparent background

Identity governance

To ensure that your identity ecosystem remains healthy, Azure AD has some built-in governance features that allow you to manage identity and access lifecycles and set privileged access conditions.

These controls are designed to enable organisations to ensure that the correct users have the corresponding levels of access and monitor what they’re doing with it. One of the key benefits of good governance is being able to audit and verify the effectiveness of the applied controls.

Ebony fingerprint icon on transparent background

Identity protection

Azure AD Identity Protection utilises security information drawn from across Microsoft’s digital empire to detect and remedy identity-based risks, automating a large part of the process of identifying and addressing security concerns.

These risks can then be further investigated through the Azure AD portal.

Ebony and green exploded pie chart icon on transparent background

Reports and monitoring

Azure AD also features monitoring and reporting capabilities to help you gain insights into your environment. You can run diagnostics and view logs which can then also be applied to third-party SIEM tools (or Microsoft Sentinel) to take a deeper dive into your data.

Azure AD vs Active Directory

You may be wondering what Azure AD means for your Windows Server Active Directory (or ‘local Active Directory’). As mentioned earlier, your on-premises directory can be synchronised to Azure AD via Azure AD Connect. Azure AD doesn’t necessarily need to replace it – it can work as the cloud-based counterpart to your local AD.

It’s a common misconception that ADFS has anything to do with syncing users, it doesn’t. ADFS can handle external single sign-on against your on-premises directory, while Azure AD Connect handles the synchronisation. They don’t talk to each other and they each have their own data source. ADFS has been largely superseded by Azure AD.

And Azure AD is not just ‘Active Directory in the Cloud’ either. Although it performs a lot of the same functions (authentication, user management, authorisation, directory query, etc.), it accomplishes these in a very different fashion.

Your local AD wasn’t designed to handle the thousands of web-based services that are now available and, in many cases, are crucial to an organisation’s day-to-day function. Azure AD uses an entirely different set of protocols to work with web apps such as Salesforce, Google, and Office 365.

B2B, B2C, and external users

As highlighted in the key features section, Azure AD has purpose-built functionality designed to support working with external users, but the specifics differ on whether those users are customers or partners.

Azure AD B2B allows businesses to securely share files and resources with partners and contractors for collaboration purposes. Azure AD handles the federation between the business and partner, so users can sign in to shared resources via an invite that can be sent to any email.

Azure AD’s B2C capabilities are first and foremost designed for use in customer-facing applications but can apply in a B2B scenario. Here, Azure AD acts as the identity system for the application whilst also allowing customers to sign in with a previously established identity, such as a Facebook or Gmail login.

You can find out more about the differences between Azure AD B2B and B2C in our comparison blog.

Azure AD licensing options

Thousands of organisations make use of the applications within Office 365, which means that they will automatically have access to Azure AD and all of its free features that come as standard.

There are four licensing options available to those interested in utilising Azure AD:

Azure Active Directory Free

The standard Azure AD package comes with user and group management, synchronisation with your on-premises directory, self-service password reset, basic reporting capabilities and single sign-on across Azure, Office 365, and other SaaS apps (with more added on a regular basis).

Azure Active Directory Premium P1

On top of the base features, the P1 package provides hybrid users with access to both cloud and on-premises resources. You’ll also get more advanced admin capabilities, with dynamic groups, self-service group management and access to Microsoft Identity Manager (MIM) for on-premises IAM features.

Azure Active Directory Premium P2

The P2 licence builds on its predecessors by adding Azure AD Identity Protection into the mix, which provides advanced conditional access features for a risk-based approach to application access.

You’ll also get privileged identity management tools to identify, restrict, and monitor admin access to ensure access privileges are applied accordingly and removed when redundant.

Pay as you go

If you find yourself needing to take advantage of additional features such as Azure AD’s B2C abilities, Microsoft can tailor your subscription with any others you may need on top of the P2 licence.

Alternative options

Azure AD is quite a broad offering and, as part of your research, you’ll likely come across various competitors that address different areas of its functionality.

Here are some of the most familiar faces and what they offer:


Okta sits on top of Azure AD and offers ‘simplified single sign-on’, user lifecycle management (synchronisation between various user information sources including on-premises), Office 365 license management, and adaptive MFA.

Ping Identity

Ping Identity offers a single sign-on solution and adds an identity governance layer in addition to the usual MFA and security features you would expect.


Auth0 is a competitor to Azure AD B2C, and offers customisable user journeys for single sign-on, with protection against malicious logins, and a broad range of integrations for different platforms.


iWelcome is another Azure AD B2C competitor, offering a wide range of out-of-the-box user journeys and easy management tools.

Although Azure AD has the advantage of being an all-encompassing solution built for compatibility and flexibility to your needs, it’s worth being aware of what else is on offer and how they either add to or replicate the functionality found within Azure AD.

Key takeaways

  • Azure AD is Microsoft’s market-leading cloud-based IAM service.

  • It provides a single place to manage access and apply cutting-edge security controls.

  • Azure AD can be deployed either cloud-only or adapted to a variety of hybrid scenarios.

  • It’s highly compatible with third-party apps and services for easy adoption and future-proofing.

  • Flexible licensing options are available to suit the demands of your organisation’s environment.

The complete guide to Microsoft Entra ID

Master Microsoft Identity. Grab your free 34-page guide and discover tools that:

  • Improve identity efficiency by 50%
  • Reduce data breach risk by 45%
tag icon

Great emails start here

Sign up for free resources and exclusive invites

Subscribe to the Kocho mailing list if you want:

  • Demos of the latest Microsoft tech
  • Invites to exclusive events and webinars
  • Resources that make your job easier
Butterfly overlay image
Marcus Idle profile headshot


Marcus Idle

Marcus Idle is Kocho’s Head of External Identity. Marcus is passionate about bringing cloud and external identity to life to solve business problems for our clients.

Butterfly overlay image

Got a question? Need more information?

Our expert team is here to help.