With multi-factor authentication, we've seen a marked decrease in the number of threats we've seen come through
What is our primary use case?
We use it for all of our internal colleagues. Every single user is synced from our internal on-prem directory to Azure AD. Every single user has a presence in Azure AD and that account or identity is then used for at least 10 to 15 different applications. They directly query what groups they're a member of within Azure AD. We use Azure AD for at least 15 different applications.
Pros and Cons
"Being able to use Azure AD means that you can use some of the Azure AD security features like Advanced Password Protection. As well as querying your normal password requirements like lengths and complexity, Azure AD has a feature in which you can put specific words. It can be words to do with your company, words to do with your company location, or words that a lot of your employees would otherwise use. You can disallow them. It's very good at making more obvious passwords, ones they're not allowed to use anymore. That's a good feature."
"The conditional access rules are a little limiting. There's greater scope for the variety of rules and conditions you could put in that rules around a more factual authentication for other users. If you have an Azure AD setup, you can then connect to other people's Azure AD, but you don't have a huge amount of control in terms of what you can do. Greater control over guest users and guest access would be better. It's pretty good as it is but that could be improved."
What other advice do I have?
My advice would be to talk to Microsoft or a partner of Microsoft who will deploy it for you. You can do it yourself, it is absolutely possible but seek advice. Because the more users you sync into Azure, the more you have to pay for their licenses and not everybody has to be using Azure. Sync only accounts you need to, but in all cases, I would seek advice from a Microsoft partner or Microsoft themselves. They'll be able to talk through what you actually need, what you require, and then the best way to implement that. Whether that's syncing your entire user base or whether that's syncing a…