Enable Conditional Access for cloud access (Best Practice 5/10)

As IT admins, we are constantly challenged by users trying to access cloud resources from multiple devices and locations. We need to make sure that those devices meet our standards for security and compliance. Focusing only on who can access a resource is not enough anymore.

To balance security and productivity, we need to consider how a resource is accessed before we make an access control decision. Azure AD Conditional Access addresses this requirement: it makes automated access control decisions based on the conditions under which your cloud apps are accessed.

Best practice: Manage and control access to corporate resources. I recommend configuring Azure AD Conditional Access based on a group, location, and application sensitivity for SaaS apps and Azure AD–connected apps.

Best practice: Block legacy authentication protocols. Attackers exploit weaknesses in older protocols every day, particularly for password spray attacks. Configure Conditional Access to block legacy protocols.
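The two Conditional Access recommendations above are easy to get subtly wrong: a policy left in report-only mode, or scoped to a subset of users or apps, does not actually block anything. The following is an added example (not code from the original post) that builds the request body for the recommended legacy-authentication block and audits a set of policies, shaped like the JSON Microsoft Graph returns from `GET /identity/conditionalAccess/policies`, to tell enforcing policies from report-only ones and to surface user exclusions. The sample policies and the role template placeholder are constructed for the example.

```python
"""Audit Azure AD Conditional Access policies for a legacy-authentication block.

Added example, not from the original post. The dictionaries follow the shape of
the Microsoft Graph conditionalAccessPolicy resource; the sample policies below
are constructed. Legacy clients show up in Conditional Access as the client app
types "exchangeActiveSync" and "other" (the latter covers basic auth such as
IMAP, POP and SMTP), which is where password-spray traffic tends to land.
"""
from __future__ import annotations

LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def recommended_legacy_auth_block_policy(display_name: str = "Block legacy authentication") -> dict:
    """Request body for POST /identity/conditionalAccess/policies that blocks
    legacy protocols for all users on all cloud apps."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "clientAppTypes": sorted(LEGACY_CLIENT_TYPES),
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def policy_covers_legacy_clients(policy: dict) -> bool:
    """True if the policy blocks every legacy client type for all users on all
    cloud apps. Exclusions are not a disqualifier here; they are reported by
    audit_legacy_auth so a reviewer can confirm they are only break-glass accounts."""
    cond = policy.get("conditions") or {}
    client_types = set(cond.get("clientAppTypes") or [])
    if "all" not in client_types and not LEGACY_CLIENT_TYPES <= client_types:
        return False
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    if users.get("includeUsers") != ["All"] or apps.get("includeApplications") != ["All"]:
        return False
    grant = policy.get("grantControls") or {}
    return "block" in (grant.get("builtInControls") or [])


def audit_legacy_auth(policies: list[dict]) -> dict:
    """Summarise whether legacy authentication is actually blocked.

    Only state == "enabled" enforces; "enabledForReportingButNotEnforced" is
    report-only and "disabled" does nothing, so both are listed but not counted."""
    result = {"blocked": False, "enforcing": [], "report_only": [], "excluded_users": []}
    for policy in policies:
        if not policy_covers_legacy_clients(policy):
            continue
        name = policy.get("displayName", "<unnamed>")
        state = policy.get("state")
        if state == "enabled":
            result["enforcing"].append(name)
            users = (policy.get("conditions") or {}).get("users") or {}
            result["excluded_users"].extend(users.get("excludeUsers") or [])
        elif state == "enabledForReportingButNotEnforced":
            result["report_only"].append(name)
    result["blocked"] = bool(result["enforcing"])
    return result


# Constructed sample tenant: a report-only draft plus an unrelated MFA policy.
SAMPLE_POLICIES = [
    {
        "displayName": "Block legacy auth (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeRoles": ["<admin-role-template-id placeholder>"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    print(audit_legacy_auth(SAMPLE_POLICIES))
    print(audit_legacy_auth(SAMPLE_POLICIES + [recommended_legacy_auth_block_policy()]))
```

Run against the sample tenant, the audit reports `blocked: False` with the draft listed under `report_only`; appending the recommended policy flips it to `blocked: True`. In a real tenant you would feed the function the `value` array from the Graph response and review any names in `excluded_users`.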

Enable self-service password reset with Azure AD Premium (Best Practice 4/10)

Self-Service Password Reset (SSPR) enables users to quickly get unblocked and continue working, wherever they are and whatever the time of day. By allowing users to unblock themselves, your organization can reduce non-productive time and the high support costs of the most common password-related issues.

Best practice: Set up self-service password reset (SSPR) for your users. Use the Azure AD self-service password reset feature.

Best practice: Monitor whether, and how, SSPR is actually being used. Monitor the users who are registering by using the Azure AD Password Reset Registration Activity report. The reporting feature that Azure AD provides helps you answer questions by using prebuilt reports. If you’re appropriately licensed, you can also create custom queries.
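Enabling SSPR is only half the job; the paragraph above is about verifying that in-scope users have actually registered. The following is an added example (not code from the original post) that computes registration coverage from records shaped like the Microsoft Graph authentication-methods registration report (`GET /reports/authenticationMethods/userRegistrationDetails`). It separates users the policy makes eligible (`isSsprEnabled`) from users who have completed registration (`isSsprRegistered`), and also flags users who registered but fall outside the policy scope, which usually means the SSPR group scope is narrower than intended. The user records are constructed sample data.

```python
"""Measure Self-Service Password Reset (SSPR) registration coverage.

Added example, not from the original post. Records follow the field names of
the Graph userRegistrationDetails resource; the sample records are constructed.
"""
from __future__ import annotations

# Constructed sample report rows for a small tenant.
SAMPLE_REGISTRATION_DETAILS = [
    {"userPrincipalName": "alice@contoso.example", "isSsprEnabled": True,
     "isSsprRegistered": True, "methodsRegistered": ["mobilePhone", "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@contoso.example", "isSsprEnabled": True,
     "isSsprRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "carol@contoso.example", "isSsprEnabled": True,
     "isSsprRegistered": True, "methodsRegistered": ["email"]},
    {"userPrincipalName": "dave@contoso.example", "isSsprEnabled": False,
     "isSsprRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "eve@contoso.example", "isSsprEnabled": False,
     "isSsprRegistered": True, "methodsRegistered": ["mobilePhone"]},
]


def sspr_coverage(records: list[dict]) -> dict:
    """Summarise SSPR registration for the users a policy puts in scope.

    in_scope          users with isSsprEnabled (the policy applies to them)
    registered        in-scope users who have completed registration
    coverage_pct      registered / in_scope, one decimal place
    unregistered      in-scope users still to chase (the report's main output)
    out_of_scope_reg  registered users the policy does not cover; a sign the
                      SSPR scope (group) is narrower than the rollout intended
    """
    in_scope = [r for r in records if r.get("isSsprEnabled")]
    registered = [r for r in in_scope if r.get("isSsprRegistered")]
    unregistered = sorted(r["userPrincipalName"] for r in in_scope
                          if not r.get("isSsprRegistered"))
    out_of_scope_reg = sorted(r["userPrincipalName"] for r in records
                              if r.get("isSsprRegistered") and not r.get("isSsprEnabled"))
    pct = round(100 * len(registered) / len(in_scope), 1) if in_scope else 0.0
    return {
        "in_scope": len(in_scope),
        "registered": len(registered),
        "coverage_pct": pct,
        "unregistered": unregistered,
        "out_of_scope_registered": out_of_scope_reg,
    }


def single_method_users(records: list[dict]) -> list[str]:
    """Registered in-scope users with only one method on file. Useful when the
    SSPR policy requires two methods to reset, so these users are one lost
    phone away from being locked out again."""
    return sorted(r["userPrincipalName"] for r in records
                  if r.get("isSsprEnabled") and r.get("isSsprRegistered")
                  and len(r.get("methodsRegistered") or []) < 2)


if __name__ == "__main__":
    print(sspr_coverage(SAMPLE_REGISTRATION_DETAILS))
    print(single_method_users(SAMPLE_REGISTRATION_DETAILS))
```

On the sample data three users are in scope, two have registered (66.7 %), Bob still needs to register, and Eve has registered although the policy does not cover her. Feed the function the `value` array from the Graph response to get the same summary for a real tenant.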

Best practice: Extend cloud-based password policies to your on-premises infrastructure. Enhance password policies in your organization by performing the same checks for on-premises password changes as you do for cloud-based password changes. Install the Azure AD Password Protection for Windows Server Active Directory agents on-premises to extend banned password lists to your existing infrastructure. Users and admins who change, set, or reset passwords on-premises are then required to comply with the same password policy as cloud-only users.

Enable single sign-on for the Microsoft Cloud and all other cloud services (Best Practice 2/10)

We now live in a mobile-first, cloud-first world, and to simplify the authentication process it is recommended to enable single sign-on (SSO) to devices, apps, and services, allowing users to access cloud resources from anywhere. The challenge we have seen with end users is that having multiple identity solutions to manage becomes an administrative problem, not only for IT but also for users, who have to remember multiple passwords. By using the same identity solution for all your apps and resources, you can achieve SSO, and your users can use the same set of credentials to sign in and access the resources they need, whether those resources are located on-premises or in the cloud.

Best practice: Enable SSO. Azure AD extends on-premises Active Directory to the cloud. Users can use their primary work or school account for their domain-joined devices, company resources, and all of the web and SaaS applications that they need to get their jobs done. Users don’t have to remember multiple sets of usernames and passwords, and their application access can be automatically provisioned (or deprovisioned) based on their organizational group memberships and their status as an employee. And you can control that access for gallery apps or for your own on-premises apps that you’ve developed and published through the Azure AD Application Proxy.

Organizations that don’t create a common identity to establish SSO for their users and applications are more exposed to scenarios where users have multiple passwords. These scenarios increase the likelihood of users reusing passwords or using weak passwords.