Microsoft's Azure Active Directory is a cloud-based identity and access management service. With it, users can sign in and access external resources such as Office 365, the Azure portal, and other software as a service applications. Azure AD, of course, also allows users to access internal resources as well. Such resources include applications inside the corporate network and on the internet along with cloud applications that have been developed and deployed by your organization. Azure AD is used to control access to applications and resources according to business requirements. For example, Azure AD can be configured to require multi-factor authentication or MFA when a user needs access to important company resources. In addition, Azure AD can be used to automate user provisioning between an existing on-prem Windows server AD and corporate cloud applications like Office 365. With Azure AD, organizations have access to tools that can used to automatically help protect user identities and credentials which allows them to meet access governance requirements. Microsoft Online services like Office 365 and Microsoft Azure leverage Azure AD for sign-in and for identity protection. As such, an organization that subscribes to any of the Microsoft Online business services automatically gets at least the free version of Azure AD along with those services. 

Adding paid services to a tenant can enhance an Azure AD implementation. Such paid services include Azure Active Directory Basic, Azure Active Directory Premium 1, and Azure Active Directory Premium 2. These Azure AD paid licenses ride on top of an existing free directory, and they can provide additional services such as self-service, security reporting, enhanced monitoring, and secure access for mobile users. One thing to note, however, is that while all of these added features can add cool functionality and security, Azure Active Directory Basic, Azure Active Directory Premium 1, and Azure Active Directory Premium 2 are not currently supported in China. The free version of Azure Active Directory offers basic user and group management functionality and on-prem directory synchronization. It also offers basic reporting and single sign-on or SSO across Office 365, Microsoft Azure, and many popular SaaS applications. In addition to the free features available in the Azure AD Free version, Azure AD Basic provides cloud-centric application access as well as group-based access management. Other features included with the Basic version include self-service password reset for cloud apps and Azure AD Application Proxy which is a feature that allows you to publish on-prem web applications using Azure AD. Azure Active Directory Premium P1 offers quite a bit more than either Free or Basic. In addition to what those versions offer, Azure AD Premium P1 offers hybrid users access to both on-prem and cloud resources. Premium P1 also supports advanced administration tasks like self-service group management, dynamic groups, and it even integrates with Microsoft Identity Manager or MIM. Microsoft Identity Manager is an advanced, on-prem identity and access management solution. 

Azure AD Premium P1 also offers cloud write-back capabilities which are used to allow self-service password reset for your on-prem users. Azure Active Directory Premium P2 builds upon what is offered in the P1 edition by offering everything included in the Free, Basic, and P1 versions plus Azure Active Directory Identity Protection which helps provide risk-based conditional access to applications and critical company data. Azure AD Premium P2 also offers Privileged Identity Management or PIM which is useful for discovering, restricting, and monitoring administrators as well as their access to corporate resources. Privileged Identity Management also provides just-in-time access when it's needed, meaning access to resources can be limited to only those times when it's required and then be taken away automatically when the access is no longer needed. Other pay-as-you-go feature licenses such as Azure AD Business-to-Consumer are also available to assist with identity management. Azure AD B2C as it's called helps provide identity and access management solutions for customer-facing applications.