In this course, I’ll start with the purpose of Azure AD, with a focus on user authentication. Then I’ll cover some of the ways you can make your authentication more robust, including multi-factor authentication and conditional access. Next, I’ll go over some Azure AD services that can help you increase your security and expand your access, including Identity Protection, Privileged Identity Management, and External Identities. Finally, I’ll explain how you can use Azure AD Domain Services to support legacy authentication methods.
Learning Objectives
- Describe the purpose of Azure Active Directory
- Describe how to make Azure authentication more robust using multi-factor authentication and conditional access
- Describe Identity Protection, Privileged Identity Management, and External Identities
- Describe the purpose of Azure Active Directory Domain Services
Intended Audience
- People who want to understand the basics of Azure Active Directory
- People preparing to take the Azure Fundamentals exam
Prerequisites
- Basic knowledge of Azure (or take our Overview of Azure Services course)
- Some knowledge of Active Directory (Microsoft’s on-premises authentication software) would be helpful, although it’s not mandatory
Azure Active Directory is a very complex and feature-rich service. In this lesson, we’ll go over a few of its notable features.
Since most organizations are constantly under threat from hackers trying to gain access to their resources, Microsoft provides a feature called Identity Protection. It performs automated risk detection by looking for signs of an intrusion attempt. It looks for things like users logging in from anonymous IP addresses or from unexpected locations. It also looks for things like “password spray”, which is where an attacker tries the same password on many accounts. You can configure Identity Protection so that when it detects these types of risky login attempts, it automatically takes an action, such as requiring multifactor authentication or blocking the login attempt.
Alternatively, you could turn off the automated remediation feature and investigate the detected risks manually. Or, if you have your own security information and event management (or SIEM) system, then you could export the risk detection data to it and deal with the identity risks using that tool.
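To make the risk signals above concrete, here is an added example (not part of the course, and not how Microsoft's Identity Protection is implemented) that runs simple detection logic over a handful of constructed sign-in events. It flags sign-ins from an anonymizer address, sign-ins from a country the user does not normally use, and a password-spray pattern (one source address failing against many different accounts in a short window), then maps each detection to a policy action of the kind the lesson describes (require MFA or block). The anonymizer prefix list, thresholds and sample events are all assumptions made up for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data).
# Fields: (timestamp, user, source_ip, country, succeeded)
SIGN_INS = [
    ("2024-03-01T08:00:00", "alice", "198.51.100.10", "US", True),
    ("2024-03-01T08:05:00", "alice", "198.51.100.10", "US", True),
    ("2024-03-01T08:07:00", "bob",   "203.0.113.7",   "US", True),
    # unexpected location: alice normally signs in from the US
    ("2024-03-01T09:00:00", "alice", "192.0.2.44",    "BR", True),
    # anonymous IP: constructed prefix standing in for a known anonymizer
    ("2024-03-01T09:30:00", "bob",   "10.99.0.5",     "US", True),
    # password spray: one source, many accounts, all failures, short window
    ("2024-03-01T10:00:00", "carol", "192.0.2.200",   "DE", False),
    ("2024-03-01T10:00:10", "dave",  "192.0.2.200",   "DE", False),
    ("2024-03-01T10:00:20", "erin",  "192.0.2.200",   "DE", False),
    ("2024-03-01T10:00:30", "frank", "192.0.2.200",   "DE", False),
    ("2024-03-01T10:00:40", "grace", "192.0.2.200",   "DE", False),
]

# Assumption: a real service would use threat-intelligence feeds for this list.
ANONYMOUS_PREFIXES = ("10.99.",)

# Assumed thresholds for the spray heuristic.
SPRAY_MIN_ACCOUNTS = 5
SPRAY_WINDOW = timedelta(minutes=10)

# Assumed policy: what to do automatically for each risk type.
POLICY = {
    "anonymousIP": "require_mfa",
    "unexpectedLocation": "require_mfa",
    "passwordSpray": "block",
}


def parse(ts):
    return datetime.fromisoformat(ts)


def detect_risks(events):
    """Return a list of (risk_type, subject, detail) tuples."""
    risks = []
    events = sorted(events, key=lambda e: parse(e[0]))

    # Baseline: the first country each user successfully signed in from.
    # (Simplification; a real baseline would be built over a longer history.)
    usual_country = {}
    for ts, user, ip, country, ok in events:
        if ok and user not in usual_country:
            usual_country[user] = country

    for ts, user, ip, country, ok in events:
        if ip.startswith(ANONYMOUS_PREFIXES):
            risks.append(("anonymousIP", user, ip))
        if ok and usual_country.get(user) not in (None, country):
            risks.append(("unexpectedLocation", user, country))

    # Password spray: failures from one IP against many distinct users
    # inside SPRAY_WINDOW.
    failures_by_ip = defaultdict(list)
    for ts, user, ip, country, ok in events:
        if not ok:
            failures_by_ip[ip].append((parse(ts), user))
    for ip, fails in failures_by_ip.items():
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                risks.append(("passwordSpray", ip, sorted(users)))
                break
    return risks


def remediation(risks):
    """Map each detection to the automated action from POLICY."""
    return [(rtype, subject, POLICY[rtype]) for rtype, subject, _ in risks]


def to_siem_lines(risks):
    """One JSON line per detection, the shape a SIEM export might take."""
    return [json.dumps({"riskType": r, "subject": s, "detail": d})
            for r, s, d in risks]


if __name__ == "__main__":
    for line in to_siem_lines(detect_risks(SIGN_INS)):
        print(line)
    for action in remediation(detect_risks(SIGN_INS)):
        print(action)
```

The spray heuristic looks only at failure counts per source address, so it would also fire on a misconfigured service account hammering several mailboxes; in practice you would tune the thresholds and, as the lesson says, either let the policy act automatically or route the JSON lines to a SIEM for manual investigation.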
While it’s important to try to prevent hackers from gaining access to regular user accounts, it’s especially important to prevent them from accessing administrator accounts because those accounts have privileged access. To help with this, Microsoft offers the Privileged Identity Management (or PIM) service. Another reason to use PIM is to help prevent legitimate administrators from accidentally causing issues.
PIM focuses on restricting administrator access to only the people who need it, putting extra requirements in place before administrators can perform privileged actions, and keeping an audit trail of what administrators have done.
One way to ensure that only the people who truly need administrator privileges have them is to conduct access reviews. This requires managers to review the list of administrators on a regular basis.
To control the use of administrator accounts, PIM provides just-in-time access. Here’s how it works. Certain users are designated as eligible to perform administrator tasks but don’t have those permissions all the time. If an eligible user needs to perform an administrator task, then they have to request activation of an elevated role.
At this point, several different things could happen depending on how you configure it. First, the user might have to perform multifactor authentication. Then they have to enter a reason for the activation request. Finally, if the role requires activation approval, then they’ll have to wait for an approver to activate their role. This activation will only last for a limited amount of time, so after the activation expires, they’ll have to go through the same process again.
As you can see, the combination of access reviews, just-in-time access, and an audit trail provides pretty tight control over administrator accounts.
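The just-in-time flow above (eligibility, MFA, a stated reason, optional approval, time-limited activation, and an audit trail) is easier to see as code. The following is an added example written for this page; it is a small model of the control, not Microsoft's PIM implementation or API. Role settings, the eligible-user list and the separation-of-duties rule that a requester cannot approve their own activation are all assumptions chosen for the example; access reviews are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class RoleSettings:
    """Activation rules for one privileged role (constructed values)."""
    name: str
    require_mfa: bool
    require_justification: bool
    require_approval: bool
    max_duration: timedelta


@dataclass
class ActivationRequest:
    user: str
    role: str
    requested_at: datetime
    justification: str
    status: str = "pending_approval"   # pending_approval | active | expired
    expires_at: Optional[datetime] = None


class JustInTimeAccess:
    """Model of just-in-time role activation with an audit trail."""

    def __init__(self, roles: List[RoleSettings], eligible: Dict[str, Set[str]]):
        self.roles = {r.name: r for r in roles}
        self.eligible = eligible          # role name -> users eligible to activate it
        self.requests: List[ActivationRequest] = []
        self.audit: List[dict] = []       # every decision is recorded here

    def _log(self, event: str, **fields):
        self.audit.append({"event": event, **fields})

    def request_activation(self, user, role, justification, mfa_passed, now):
        settings = self.roles[role]
        # Eligible users hold no standing permissions; they must ask each time.
        if user not in self.eligible.get(role, set()):
            self._log("rejected", user=user, role=role, reason="not eligible")
            raise PermissionError(f"{user} is not eligible for {role}")
        if settings.require_mfa and not mfa_passed:
            self._log("rejected", user=user, role=role, reason="mfa not satisfied")
            raise PermissionError("multifactor authentication required before activation")
        if settings.require_justification and not justification.strip():
            self._log("rejected", user=user, role=role, reason="missing justification")
            raise ValueError("a reason for the activation request is required")
        req = ActivationRequest(user, role, now, justification)
        self.requests.append(req)
        self._log("requested", user=user, role=role, justification=justification)
        if settings.require_approval:
            return req                    # stays pending until an approver acts
        self._activate(req, now)
        return req

    def approve(self, approver, req, now):
        if req.status != "pending_approval":
            raise ValueError("request is not awaiting approval")
        if approver == req.user:          # assumption: separation of duties
            raise PermissionError("requesters cannot approve their own activation")
        self._log("approved", approver=approver, user=req.user, role=req.role)
        self._activate(req, now)

    def _activate(self, req, now):
        req.status = "active"
        req.expires_at = now + self.roles[req.role].max_duration
        self._log("activated", user=req.user, role=req.role,
                  expires_at=req.expires_at.isoformat())

    def is_active(self, user, role, now):
        """True only while an approved activation has not yet expired."""
        for req in self.requests:
            if req.user == user and req.role == role and req.status == "active":
                if now < req.expires_at:
                    return True
                req.status = "expired"    # lapsed; a fresh request is needed
                self._log("expired", user=user, role=role)
        return False


if __name__ == "__main__":
    ga = RoleSettings("Global Administrator", True, True, True, timedelta(hours=8))
    pim = JustInTimeAccess([ga], {"Global Administrator": {"alice"}})
    t0 = datetime(2024, 3, 1, 9, 0)
    req = pim.request_activation("alice", "Global Administrator", "ticket 42", True, t0)
    pim.approve("bob", req, t0)
    print(pim.is_active("alice", "Global Administrator", t0 + timedelta(hours=1)))
    print(pim.is_active("alice", "Global Administrator", t0 + timedelta(hours=9)))
    for entry in pim.audit:
        print(entry)
```

Every branch writes to the audit list, including rejections, which is what makes the trail useful for later review: you can answer who activated which role, on whose approval, and for how long, without relying on the administrator's own account of events.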
So far, we’ve only been talking about users in your own organization, but what if you need to provide people outside of your organization with guest access? Azure AD has a feature called External Identities that takes care of that. It’s commonly used for working with partners, suppliers, and customers. It allows external users to "bring their own identities": they log into a separate identity provider first and can then gain guest access to some of your applications. This separate identity provider could be their organization’s own identity system or a social platform such as Facebook or Google.
The External Identities feature includes three components: B2B collaboration, B2B direct connect, and Azure AD B2C. With B2B (or business-to-business) collaboration, external users are represented in your Azure AD directory as guest users.
With B2B direct connect, you establish a mutual trust relationship with another Azure AD organization. This means external users aren't represented in your directory because your directory trusts identities in their directory. B2B direct connect currently supports only Microsoft Teams shared channels.
With Azure AD B2C (or business-to-consumer), you can publish your own consumer-facing applications and give your customers access to them. Azure AD B2C is actually a separate service that’s built on the same technology as Azure AD.
There are plenty of other features available in Azure AD, but the ones we’ve covered in this video are some of the most important ones.
Guy launched his first training website in 1995 and he's been helping people learn IT technologies ever since. He has been a sysadmin, instructor, sales engineer, IT manager, and entrepreneur. In his most recent venture, he founded and led a cloud-based training infrastructure company that provided virtual labs for some of the largest software vendors in the world. Guy’s passion is making complex technology easy to understand. His activities outside of work have included riding an elephant and skydiving (although not at the same time).