Azure Active Directory - Premium Features

--- Always check the Official Resources for the latest updates ---

Azure Active Directory Comparison - Link

Azure Active Directory Documentation - Link


Advanced group features
Manage access to resources with Azure Active Directory groups - Link
Manage licensing in Azure Active Directory - Link
Add groups to organize users and devices - Link
Create a group and add members in Azure Active Directory - Link
How To - Dynamic Group Membership in Azure Active Directory (Part 1) - Link - (Part 2) - Link

Self-service Password Reset/Change/Unlock with on-premises writeback
Quickstart - Self-service password reset - Link
Azure AD self-service password reset - Link
How to successfully roll out self-service password reset - Link
How-to: Configure password writeback - Link
Tutorial: Complete an Azure AD self-service password reset pilot roll out - Link

Device objects two-way synchronisation between on-premises directories and Azure AD (Device write-back) - Link
This provides additional security and assurance that access to applications is granted only to trusted devices.

Multi-Factor Authentication - Link
Deploy cloud-based Azure Multi-Factor Authentication - Link
Configure Azure Multi-Factor Authentication settings - Link

Cloud App Discovery - Link
- Discover applications in use and measure usage by number of users, volume of traffic or number of web requests to the application.
- Identify the users that are using an application.
- Export data for additional offline analysis.
- Prioritize applications to bring under IT control and integrate applications easily to enable Single Sign-on and user management.

Connect Health - Link
Monitor your on-premises identity infrastructure and synchronization services in the cloud

Automatic password rollover for group accounts - Link
The feature, which is designed to work with services such as Facebook, LinkedIn and Twitter, will permit single sign-on access by end users to an organization's social media account. Once the feature is enabled, it will automatically generate "strong" passwords that these end-users don't have to remember. A 16-character password gets randomly generated by the Azure AD service at each rollover time and it gets changed by the service automatically.

Conditional access based on group and location - Link
- Conditional Access - Link
- Conditional Access Documents - Link
- What is the location condition in Azure Active Directory conditional access? - Link

Conditional access based on device state (Allow access from managed devices) - Link
- Conditional Access - Link
- Conditional Access Documents - Link
- How To: Require managed devices for cloud app access with conditional access - Link

Third-party identity governance partners integration - Link
Azure Active Directory also provides single sign-on to thousands of SaaS applications and on-premises web applications.
Supported Apps - Link

Terms of Use - Link
How to - Link

Azure AD Terms of use enables you to do the following:
- Require employees or guests to agree to your Terms of use before getting access.
- Present general Terms of use for all users in your organization.
- Present specific Terms of use based on user attributes (e.g. doctors vs nurses, or domestic vs international employees, by using dynamic groups).
- Present specific Terms of use when accessing high business impact applications, like Salesforce.
- Present Terms of use in different languages.
- List who has or hasn't agreed to your Terms of use.
- Display an audit log of Terms of use activity.

SharePoint Limited Access - Link
How to - Link
Allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device.

OneDrive for Business Limited Access - Link
How to - Link
Allow access to SharePoint and OneDrive from an unmanaged device by granting browser-only access with download, print, and sync disabled. Users can stay productive, and you can be assured that when they sign off, no data is leaked onto the unmanaged device.

Identity protection - P2 only - Link
Azure Active Directory Identity Protection is a feature of the Azure AD Premium P2 edition that enables you to:
- Detect potential vulnerabilities affecting your organization's identities
- Configure automated responses to detected suspicious actions that are related to your organization's identities
- Investigate suspicious incidents and take appropriate action to resolve them

Privileged Identity Management - P2 only - Link
- See which users are assigned privileged roles to manage Azure resources (Preview), as well as which users are assigned administrative roles in Azure AD
- Enable on-demand, "just in time" administrative access to Microsoft Online Services like Office 365 and Intune, and to Azure resources (Preview) of subscriptions, resource groups, and individual resources such as Virtual Machines
- See a history of administrator activation, including what changes administrators made to Azure resources (Preview)
- Get alerts about changes in administrator assignments
- Require approval to activate Azure AD privileged admin roles (Preview)
- Review membership of administrative roles and require users to provide a justification for continued membership

Third-party MFA partner integration (Preview) - Link

Access reviews - P2 only - Link
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and privileged role assignments.

Microsoft Cloud App Security integration - Link
Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies. Access and session policies are utilized within the Cloud App Security portal to further refine filters and set actions to be taken on a user. With the access and session policies, you can:
- Block on download:
- Protect on download:
- Monitor low-trust user sessions:
- Block access:
- Create read-only mode:
- Restrict user sessions from non-corporate networks:

Azure Active Directory Join - Windows 10-only features - Link

Azure AD Join - Link

Desktop SSO - Link

Windows Hello for Azure AD - Link

Administrator BitLocker recovery - Link

MDM auto-enrolment - Link

Self-service BitLocker recovery - Link

Additional local administrators to Windows 10 devices via Azure AD Join - Link
- Step-by-Step guide to add Additional Local Administrators to Azure AD Joined Devices - Link

Enterprise State Roaming - Link


Unofficial Resources - Info, Tips and Tricks

Infographic comparison of Azure AD Plans - Link - April 2017