What is Azure AD authentication?
Microsoft Entra ID (previously Azure Active Directory) authentication is how Entra ID confirms that a user or service is who they claim to be before letting them into cloud resources. It's the front door to Microsoft 365, Azure, and every integrated SaaS application in your environment.
If you manage a hybrid or cloud-only directory, you need to understand how this works. Every sign-in attempt, whether it comes from a browser, a mobile app, or an automated service, flows through this platform. The protocols, methods, and policies you configure here decide who gets in, how they prove their identity, and what happens when something looks off.
How Azure AD authentication works
When a user or application requests access to a resource protected by Microsoft Entra ID, the resource redirects the request to the Microsoft identity platform endpoint. Entra ID checks the credentials, evaluates any Conditional Access policies that apply, and either issues tokens or blocks the attempt.
User authentication flow
A typical interactive sign-in follows this sequence:
- The user opens a protected application (for example, Outlook on the web or a third-party SaaS app).
- The application redirects the user to the Microsoft Entra ID authorization endpoint.
- The user provides credentials: a password, an MFA prompt, or a passwordless method like a FIDO2 security key.
- Entra ID validates the credentials and evaluates any Conditional Access policies (device compliance, location, sign-in risk).
- If validation passes, Entra ID issues an ID token (proving identity), an access token (granting resource access), and a refresh token (so the user isn't prompted again until it expires).
- The application validates the tokens and grants access.
Figure 1. Microsoft Entra ID user authentication flow showing credential validation, Conditional Access evaluation, and token issuance.
Service and application authentication flow
Applications and background services authenticate differently. Instead of interactive credentials, they use the OAuth 2.0 client credentials grant. A service registers in Entra ID, receives a client ID and client secret (or certificate), and exchanges those for an access token directly.
Managed identities for Azure resources remove the need to manage secrets at all. Azure handles credential rotation automatically.
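To make the client credentials grant concrete, here is an added example (not code from this page or from Microsoft) that builds the token request a daemon sends to the Microsoft identity platform v2.0 token endpoint and then checks the claims of the access token that comes back. The tenant ID, client ID, secret, audience and the token itself are constructed placeholders. Signature verification against the tenant's JWKS is left to a JWT library, so the example checks the header shape and the issuer, audience, tenant and lifetime claims only.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Added example (not the page's or Microsoft's code). All IDs, the secret and
# the token built below are constructed placeholders.
TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder tenant ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"    # placeholder app (client) ID
CLIENT_SECRET = "placeholder-client-secret"           # prefer a certificate or a managed identity
API_AUDIENCE = "api://placeholder-api"                # placeholder audience of the target API


def build_client_credentials_request(tenant_id, client_id, client_secret, scope):
    """Return (token_endpoint, form-encoded body) for the v2.0 client credentials grant."""
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,  # client credentials always request the resource's /.default scope
    }
    return endpoint, urlencode(body)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Split a compact JWT into (header, claims) without checking its signature."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def validate_access_token_claims(token, expected_audience, tenant_id, now=None):
    """Return a list of claim problems; an empty list means the claims are acceptable.

    Only header shape, issuer, audience, tenant and lifetime are checked here. The
    signature must be verified against the tenant's JWKS (the 'kid' header selects
    the key) before any claim is trusted; that step is outside this offline example.
    """
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    problems = []
    if header.get("alg") != "RS256" or not header.get("kid"):
        problems.append("header must be RS256 with a kid")
    valid_issuers = {
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",  # v2.0 tokens
        f"https://sts.windows.net/{tenant_id}/",                 # v1.0 tokens
    }
    if claims.get("iss") not in valid_issuers:
        problems.append(f"issuer {claims.get('iss')!r} is not this tenant")
    if claims.get("aud") != expected_audience:
        problems.append(f"audience {claims.get('aud')!r} is not {expected_audience!r}")
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the expected tenant")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        problems.append("token is expired or not yet valid")
    return problems


def make_demo_token(claims):
    """Constructed, unsigned stand-in for an Entra-issued token (demo only)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"placeholder-signature")])


def demo_claims(issued_at):
    """Constructed claim set resembling what the token endpoint returns for a daemon app."""
    return {
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "aud": API_AUDIENCE,
        "tid": TENANT_ID,
        "azp": CLIENT_ID,                 # the calling application
        "roles": ["Readings.Read.All"],   # placeholder application permission
        "nbf": issued_at,
        "iat": issued_at,
        "exp": issued_at + 3600,
    }


if __name__ == "__main__":
    endpoint, body = build_client_credentials_request(
        TENANT_ID, CLIENT_ID, CLIENT_SECRET, f"{API_AUDIENCE}/.default")
    print("POST", endpoint)
    print(body)
    now = 1_700_000_000
    token = make_demo_token(demo_claims(now))
    print("claim problems:", validate_access_token_claims(token, API_AUDIENCE, TENANT_ID, now=now + 60))
```

The request carries the secret in the form body, which is why the page's next point matters: a managed identity or certificate credential avoids storing and rotating that secret yourself. On the receiving side, the audience and tenant checks are what stop a token minted for a different API or tenant from being accepted.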
Authentication protocols in Microsoft Entra ID
Entra ID supports four core protocols. Each one serves a different purpose, and the right choice depends on your application's architecture.
| Protocol | Purpose | Common use case |
|---|---|---|
| OAuth 2.0 | Authorization (delegated and application permissions) | API access, mobile apps |
| OpenID Connect (OIDC) | Identity verification built on OAuth 2.0 | Web app sign-in, single-page applications |
| SAML 2.0 | Federated SSO for enterprise apps | Third-party SaaS SSO |
| WS-Federation | Federated SSO (legacy) | Older on-premises applications |
SAML 2.0 and OIDC cover the majority of enterprise SSO scenarios. For most organizations, Active Directory Federation Services (ADFS) is no longer required because Entra ID handles federation natively. ADFS is still relevant in edge cases, such as on-premises claims-based applications that can't be migrated to modern authentication.
Authentication methods in Microsoft Entra ID
Entra ID gives you a range of authentication methods, from traditional passwords to fully passwordless options.
| Category | Methods |
|---|---|
| Password-based | Cloud password, password hash sync, pass-through authentication |
| Multi-factor authentication | Microsoft Authenticator (push/TOTP), SMS, voice call, OATH hardware tokens |
| Passwordless | FIDO2 security keys, Windows Hello for Business, Microsoft Authenticator (passwordless mode), certificate-based authentication |
Microsoft recommends moving toward passwordless and phishing-resistant methods. Certificate-based authentication (CBA) is now generally available in Entra ID, which removes the ADFS dependency that was previously required for certificate-based logon scenarios.
Conditional Access and risk-based authentication
Authentication methods verify identity. Conditional Access policies determine what happens after that. These policies evaluate contextual signals at the moment of sign-in: device compliance status, geographic location, sign-in risk level, and the sensitivity of the application being accessed.
Based on those signals, a policy can require MFA, grant access with restrictions, or block the sign-in entirely. This is how Zero Trust actually works in Entra ID. Access decisions happen per session based on real-time conditions, not just on whether the user typed a valid password.
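The per-session decision described above can be seen in a small evaluator. This is an added example, not Entra ID's policy engine or code from this page: the policy objects are shaped like Microsoft Graph conditionalAccessPolicy resources (conditions, grantControls, builtInControls), but the matching logic is a constructed approximation, and the users, application names and sign-in signals are made up. It shows how a block policy always wins, how a trusted-location exclusion changes the MFA requirement, and how an excluded break-glass account escapes a block policy.

```python
# Added example (not Entra ID's engine): evaluate Graph-shaped Conditional Access
# policies against the signals of one sign-in. Everything below is constructed.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}  # how Graph names legacy-auth clients


def _selected(value, include, exclude=()):
    """True if value is covered by include and not by exclude ('All' is a wildcard)."""
    included = "All" in include or value in include
    excluded = "All" in exclude or value in exclude
    return included and not excluded


def _location_selected(signin_locations, locations):
    if not locations:
        return True
    include = set(locations.get("includeLocations", []))
    exclude = set(locations.get("excludeLocations", []))
    included = "All" in include or bool(include & signin_locations)
    excluded = "All" in exclude or bool(exclude & signin_locations)
    return included and not excluded


def policy_applies(policy, signin):
    """Do all of the policy's conditions match this sign-in?"""
    if policy.get("state") != "enabled":
        return False
    c = policy["conditions"]
    users, apps = c["users"], c["applications"]
    if not _selected(signin["user"], users.get("includeUsers", []), users.get("excludeUsers", [])):
        return False
    if not _selected(signin["app"], apps.get("includeApplications", []), apps.get("excludeApplications", [])):
        return False
    if c.get("signInRiskLevels") and signin["risk"] not in c["signInRiskLevels"]:
        return False
    client_types = c.get("clientAppTypes", ["all"])
    if "all" not in client_types and signin["client_app_type"] not in client_types:
        return False
    return _location_selected(signin["locations"], c.get("locations"))


def evaluate(policies, signin):
    """Return ('blocked', policy), ('allowed', None) or ('controls_required', [policies])."""
    unsatisfied = []
    for policy in policies:
        if not policy_applies(policy, signin):
            continue
        grant = policy["grantControls"]
        controls = grant["builtInControls"]
        if "block" in controls:          # a matching block policy wins over every grant
            return "blocked", policy["displayName"]
        met = {"mfa": signin["mfa_performed"], "compliantDevice": signin["device_compliant"]}
        checks = [met.get(ctl, False) for ctl in controls]
        if not (all(checks) if grant.get("operator") == "AND" else any(checks)):
            unsatisfied.append(policy["displayName"])
    return ("allowed", None) if not unsatisfied else ("controls_required", unsatisfied)


# Constructed policy set: MFA outside trusted locations, block legacy auth, block high risk.
POLICIES = [
    {"displayName": "Require MFA outside trusted locations", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": sorted(LEGACY_CLIENT_APP_TYPES)},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block high-risk sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@contoso.example"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def signin(user, app, risk="none", client_app_type="browser", trusted=False, mfa=False, compliant=False):
    """Constructed sign-in context; 'AllTrusted' marks a trusted named location."""
    return {"user": user, "app": app, "risk": risk, "client_app_type": client_app_type,
            "locations": {"AllTrusted"} if trusted else set(),
            "mfa_performed": mfa, "device_compliant": compliant}


if __name__ == "__main__":
    print(evaluate(POLICIES, signin("alice@contoso.example", "Office365")))
    print(evaluate(POLICIES, signin("alice@contoso.example", "Office365", client_app_type="exchangeActiveSync")))
    print(evaluate(POLICIES, signin("alice@contoso.example", "Office365", risk="high", mfa=True)))
```

The evaluator is deliberately order-independent for block controls: the legacy-auth sign-in is blocked even though the MFA policy is listed first and would otherwise only have asked for a second factor.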
On-premises AD vs. Microsoft Entra ID authentication
If you manage a hybrid environment, you're running two authentication systems side by side.
| Aspect | On-premises Active Directory | Microsoft Entra ID |
|---|---|---|
| Primary protocol | Kerberos (with NTLM fallback) | OAuth 2.0, OIDC, SAML 2.0 |
| Authentication target | Domain-joined devices and on-premises resources | Cloud apps, Azure resources, Microsoft 365 |
| MFA | Requires a third-party solution or NPS extension | Built-in MFA with multiple methods |
| Conditional Access | Not available natively | Built-in, policy-driven |
| SSO scope | Kerberos-based SSO within the domain | SSO across thousands of SaaS apps |
| Hybrid bridge | N/A | Azure AD Connect or Cloud Sync (password hash sync, pass-through authentication, federation) |
Most enterprises connect the two using Azure AD Connect or Cloud Sync. Password hash sync is the most common hybrid authentication method because it lets cloud sign-in work even if on-premises infrastructure goes down.
Security risks and attacks targeting Azure AD authentication
Authentication is the highest-value target in any identity system. Here are the attacks that hit Entra ID specifically, and what makes each one worth worrying about.
Password spray attacks try a handful of commonly used passwords against many accounts at once. Because the attacker spreads attempts across thousands of accounts, individual account lockout thresholds never trigger. Microsoft's threat intelligence team reported that password spray attacks account for more than a third of enterprise account compromises.
Credential stuffing uses username and password pairs leaked from breaches at other services. Users who reuse passwords across sites are the obvious targets.
Adversary-in-the-middle (AitM) phishing is harder to catch. The attacker sets up a proxy phishing page between the user and the real Entra ID sign-in page. The user enters credentials and completes MFA normally, but the proxy intercepts the session token.
This bypasses MFA entirely because the attacker walks away with a valid, already-authenticated token.
Legacy authentication abuse targets protocols like SMTP, IMAP, and POP3. These protocols don't support modern authentication or MFA, so any account that allows legacy authentication is exposed to credential attacks with nothing to stop them.
Token theft and replay happen when an attacker steals a valid refresh or access token from a compromised endpoint and replays it to access resources without re-authenticating. Because the token is already validated, no additional credential prompt fires.
Consent phishing (illicit consent grant) tricks a user into granting OAuth permissions to a malicious application. Once consent is granted, the attacker's app can read the user's email, files, and contacts without ever needing the user's password.
ADAudit Plus detects password spray attempts, sign-ins from anonymous or malicious IP addresses, and sign-ins using legacy authentication protocols, giving you early warning before credential compromise spreads.
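Two of the attacks above, password spray and legacy authentication abuse, leave patterns in Entra ID sign-in logs that can be checked with simple logic. The following is an added example, not ADAudit Plus code and not anything from this page: it runs over a handful of constructed sign-in records (shaped like exported sign-in log entries, with createdDateTime, userPrincipalName, ipAddress, clientAppType and status.errorCode fields; error code 50126 is the invalid username or password result) and flags a source IP whose invalid-credential failures are spread thinly across many accounts, plus any successful sign-in through a legacy protocol. The thresholds and the legacy client type names are assumptions to tune for your tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not ADAudit Plus or Microsoft code). The records below are constructed
# to resemble exported Entra ID sign-in log entries; the client type names and the
# spray thresholds are assumptions to tune per tenant.
LEGACY_CLIENT_APP_TYPES = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
INVALID_CREDENTIALS = 50126  # Entra sign-in error code: invalid username or password

SAMPLE_SIGNINS = """
{"createdDateTime": "2024-03-01T10:00:05Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "clientAppType": "Browser", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-03-01T10:00:17Z", "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.10", "clientAppType": "Browser", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-03-01T10:00:29Z", "userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.10", "clientAppType": "Browser", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-03-01T10:00:41Z", "userPrincipalName": "dave@contoso.example", "ipAddress": "203.0.113.10", "clientAppType": "Browser", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-03-01T10:00:53Z", "userPrincipalName": "erin@contoso.example", "ipAddress": "203.0.113.10", "clientAppType": "Browser", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-03-01T10:01:05Z", "userPrincipalName": "frank@contoso.example", "ipAddress": "203.0.113.10", "clientAppType": "Browser", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-03-01T10:03:00Z", "userPrincipalName": "grace@contoso.example", "ipAddress": "198.51.100.7", "clientAppType": "Browser", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-03-01T10:03:20Z", "userPrincipalName": "grace@contoso.example", "ipAddress": "198.51.100.7", "clientAppType": "Browser", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-03-01T10:03:40Z", "userPrincipalName": "grace@contoso.example", "ipAddress": "198.51.100.7", "clientAppType": "Browser", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-03-01T10:04:00Z", "userPrincipalName": "grace@contoso.example", "ipAddress": "198.51.100.7", "clientAppType": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2024-03-01T10:09:00Z", "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.10", "clientAppType": "IMAP4", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records into sorted events with the fields we need."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "user": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "client": rec["clientAppType"],
            "error": rec["status"]["errorCode"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Flag source IPs whose invalid-credential failures hit many users with few attempts
    each inside the window: the spread that keeps a spray under per-account lockout.
    Keying on IP is the simplest cut; sprays that rotate addresses need a broader key
    such as user agent or ASN."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["error"] == INVALID_CREDENTIALS:
            failures_by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in failures_by_ip.items():
        for i, start in enumerate(fails):       # sliding window anchored at each failure
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["time"] - start["time"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({"ip": ip, "users": len(per_user), "first_seen": start["time"].isoformat()})
                break                           # one alert per IP is enough
    return alerts


def detect_legacy_auth_success(events):
    """Successful sign-ins over legacy protocols: no MFA or Conditional Access applied."""
    return [e for e in events if e["client"] in LEGACY_CLIENT_APP_TYPES and e["error"] == 0]


if __name__ == "__main__":
    events = parse_signins(SAMPLE_SIGNINS)
    print("password spray:", detect_password_spray(events))
    print("legacy auth successes:", [(e["user"], e["client"], e["ip"]) for e in detect_legacy_auth_success(events)])
```

In the constructed data the single user who mistypes a password three times is not flagged, because the spray rule looks for breadth across accounts rather than depth against one; the IMAP4 success from the same IP as the spray is the kind of event the legacy-authentication report in the next section exists to surface.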
Limitations of native Entra ID sign-in monitoring
The Entra admin center gives you sign-in logs, but relying on it as your primary monitoring tool has real gaps.
Sign-in logs are retained for 30 days max, even with Entra ID P1 or P2 licensing, unless you configure an export to Azure Monitor, a storage account, or a SIEM. If you need to investigate an incident that started five weeks ago, those logs are already gone.
There's no real-time alerting on individual sign-in events from the Entra admin center alone. To get alerts, you need to wire up Azure Monitor or Microsoft Sentinel, which adds configuration overhead and cost.
The admin center doesn't support scheduled report delivery either. If your compliance team needs a weekly sign-in summary, you're either exporting manually or building a Logic App or Power Automate flow to automate it. Risky sign-in details require Entra ID P2 licensing, so organizations on lower tiers have no visibility into risk-flagged events at all.
For hybrid environments, the biggest limitation is the lack of cross-platform correlation. Entra ID sign-in logs show cloud authentication events only. On-premises AD logon events (Kerberos, NTLM) live in a completely separate set of Security event logs on your domain controllers.
Investigating lateral movement that starts on-premises and moves to the cloud means switching between two consoles and manually correlating timestamps and user accounts. It's slow, and things get missed.
Monitoring Azure AD authentication with ADAudit Plus
What ADAudit Plus monitors in Entra ID
ADAudit Plus connects to your Microsoft Entra ID tenant and pulls sign-in and change data into the same console you use for on-premises AD auditing. Here's what it covers:
- Sign-in activity: every successful, failed, and risky sign-in event with geo-location, device information, MFA status, and Conditional Access result. Navigate to Cloud Directory > User Logon Reports > Logon Activity.
- Legacy authentication sign-ins: a dedicated report showing sign-ins that used older protocols (SMTP, IMAP, POP3) bypassing MFA. Navigate to Cloud Directory > User Logon Reports > Logon Activity by Legacy Authentication.
- Risk detection: pre-built reports for password spray attempts, impossible travel detections, anonymous IP sign-ins, malicious IP sign-ins, and leaked credential alerts. Navigate to Cloud Directory > Risk Detection.
- MFA usage and failures: reports showing which users signed in with MFA enabled, which methods they used, and which sign-ins failed due to MFA. Navigate to Cloud Directory > Logon Activity By MFA.
- Conditional Access policy changes: see when Conditional Access policies are created, modified, or deleted, and who made the change. Navigate to Cloud Directory > Conditional Policy Changes.
- User, group, role, device, and application changes: full change auditing across your Entra ID tenant, including OAuth permission grants and consent events. Navigate to Cloud Directory sections for User Management, Group Management, Role Management, Device Management, and Application Management.
Native Entra ID monitoring vs. ADAudit Plus
| Capability | Native Entra admin center | ADAudit Plus |
|---|---|---|
| Sign-in log retention | 30 days (P1/P2 without export) | Unlimited archival with scheduled exports |
| Real-time alerts on sign-in events | Requires Azure Monitor or Sentinel setup | Built-in alert profiles with email and SMS delivery |
| Scheduled report delivery | Not available natively | Automated daily, weekly, or monthly report delivery via email |
| Hybrid AD + Entra ID correlation | Separate consoles | Single console correlating on-premises and cloud logon events |
| Legacy authentication detection | Available but requires manual log filtering | Dedicated pre-built report |
| Risk detection | Requires Entra ID P2 license | Included with Entra ID auditing module |
FAQ
Is ADFS still required with Microsoft Entra ID?
For most organizations, no. Microsoft Entra ID supports SAML 2.0, OIDC, and certificate-based authentication natively, which covers the majority of use cases that previously required ADFS. ADFS is still relevant for edge cases like on-premises claims-based applications that can't be migrated to modern authentication.
Does Microsoft Entra ID use SAML or OAuth 2.0?
Both. SAML 2.0 handles federated SSO with enterprise applications. OAuth 2.0 (with OpenID Connect) handles modern web and mobile app authentication. The protocol depends on what the application needs.
What is the difference between authentication and authorization in Entra ID?
Authentication verifies identity (who you are). Authorization determines access (what you can do). Microsoft Entra ID handles authentication through the sign-in process. Authorization is enforced through role assignments, Conditional Access policies, and application permissions.
What are the three factors used in multi-factor authentication?
Something you know (password), something you have (phone, security key), and something you are (biometrics). Entra ID MFA combines at least two of these factors during sign-in.