Azure Active Directory (Azure AD) is the identity platform for Microsoft cloud services and the standard enterprise identity provider for cloud-native applications. The 2019 feature set covers most enterprise identity scenarios.

Conditional Access policies

Conditional Access is Azure AD's policy engine for access control decisions. Policies evaluate the sign-in context (user, device, location, application, real-time risk) and enforce controls: require MFA, require a compliant device, or block access. A policy requiring MFA for all administrators, for all applications, from all locations eliminates the single largest attack vector (compromised admin credentials). Conditional Access is the mechanism through which zero-trust access control is implemented for Azure AD-integrated applications.

Managed identities for Azure services

Managed identities eliminate credential management for Azure service-to-service authentication. An Azure VM, Azure Functions app, or AKS pod with a managed identity can authenticate to Azure services (Key Vault, Storage, SQL) without storing any credentials. The identity is managed by Azure AD: the token is automatically rotated, and there is no credential to leak. All Azure services that can host code should use managed identities rather than service principal secrets for Azure resource access.
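As an added illustration (not code from the original page or from Microsoft), the following Python shows how a process on an Azure VM obtains a managed-identity token: it asks the link-local Instance Metadata Service (IMDS) for a token scoped to one resource, sends the required `Metadata: true` header, and caches the token until shortly before expiry. The fetch and clock functions are injectable so the flow can be exercised offline with a constructed response; the App Service/Functions variant uses a different local endpoint and is not covered here.

```python
import json
import time
import urllib.parse
import urllib.request

# Azure Instance Metadata Service (IMDS) endpoint used by VMs. It is link-local,
# reachable only from inside the VM, and only with the Metadata: true header.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
REFRESH_MARGIN_SECONDS = 300  # renew tokens this long before they expire


def build_imds_request(resource, client_id=None):
    """Return (url, headers) for a managed-identity token request.
    resource is the audience, e.g. https://vault.azure.net for Key Vault.
    client_id selects a user-assigned identity; omit it for system-assigned.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header, so a request forwarded by a
    # naive proxy or a redirect does not reach the identity endpoint.
    return url, {"Metadata": "true"}


def _fetch_json(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ManagedIdentityTokenCache:
    """Caches one bearer token per (resource, identity) and renews it ahead of expiry."""

    def __init__(self, fetch=_fetch_json, now=time.time):
        self._fetch, self._now, self._tokens = fetch, now, {}

    def get_token(self, resource, client_id=None):
        key = (resource, client_id)
        cached = self._tokens.get(key)
        if cached and cached["expires_on"] - self._now() > REFRESH_MARGIN_SECONDS:
            return cached["access_token"]
        url, headers = build_imds_request(resource, client_id)
        body = self._fetch(url, headers)
        if body.get("token_type") != "Bearer" or "access_token" not in body:
            raise RuntimeError("unexpected IMDS token response")
        # IMDS returns expires_on as a string holding Unix seconds.
        token = {"access_token": body["access_token"], "expires_on": int(body["expires_on"])}
        self._tokens[key] = token
        return token["access_token"]
```

No secret is ever read from disk or configuration: the only input is the resource the caller wants to reach, and the short-lived token is replaced automatically by the next call once it nears expiry.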

Application registrations and enterprise apps

An App Registration in Azure AD defines an application's identity: its OAuth2 scopes, redirect URIs, and client credentials. The Enterprise App (service principal) is the instance of the app registration in a specific tenant, controlling which users can access it and what permissions it has. Multi-tenant applications (apps accessed by users from multiple organisations) use App Registrations in the publishing tenant; each accessing tenant gets an Enterprise App created on first consent.

B2C for customer identity

Azure AD B2C provides customer identity and access management (CIAM) for consumer-facing applications. B2C supports local accounts (username/password), social identity providers (Google, Facebook, Apple), and custom identity providers. The user journeys (sign-up, sign-in, password reset, profile edit) are customisable via user flow policies or custom policies (the Identity Experience Framework). B2C scales to millions of external users and is managed independently of the corporate Azure AD tenant.