Azure Authentication Methods

Authentication is the process of establishing the identity of a person, service, or device. It requires the person, service, or device to provide some type of credential to prove who they are.
Azure supports multiple authentication methods, including standard passwords, single sign-on (SSO), multifactor authentication (MFA), and passwordless.
Passwordless authentication is high security and high convenience
Passwords are low security but high convenience.
MFA are high security but low convenience

Single sign-on

Single sign-on (SSO) enables a user to sign in one time and use that credential to access multiple resources and applications from different providers. For SSO to work, the different applications and providers must trust the initial authenticator.
With SSO, you need to remember only one ID and one password. Access across applications is granted to a single identity that's tied to the user, which simplifies the security model
As users change roles or leave an organization, access is tied to a single identity. This change greatly reduces the effort needed to change or disable accounts.

Multifactor authentication is the process of prompting a user for an extra form (or factor) of identification during the sign-in process.
Multifactor authentication provides additional security for your identities by requiring two or more elements to fully authenticate. These elements fall into three categories:
- Something the user knows – this might be a challenge question.
- Something the user has – this might be a code that's sent to the user's mobile phone.
- Something the user is – this is typically some sort of biometric property, such as a fingerprint or face scan.
Multifactor authentication increases identity security by limiting the impact of credential exposure (for example, stolen usernames and passwords).
Azure AD Multi-Factor Authentication is a Microsoft service that provides multifactor authentication capabilities. Azure AD Multi-Factor Authentication enables users to choose an additional form of authentication during sign-in, such as a phone call or mobile app notification.

Passwordless authentication methods are more convenient because the password is removed and replaced with something you have, plus something you are, or something you know.
Passwordless authentication needs to be set up on your device and you need to provide something you know or are (PIN, fingerprint)
Microsoft global Azure and Azure Government offer the following three passwordless authentication options that integrate with Azure Active Directory (Azure AD):
- Windows Hello for Business
- Microsoft Authenticator app
- FIDO2 security keys

Windows Hello for Business is ideal for information workers that have their own designated Windows PC.
The biometric and PIN credentials are directly tied to the user's PC, which prevents access from anyone other than the owner.
With public key infrastructure (PKI) integration and built-in support for single sign-on (SSO), Windows Hello for Business provides a convenient method for seamlessly accessing corporate resources on-premises and in the cloud.

You can also allow your employee's phone to become a passwordless authentication method.
The Authenticator App turns any iOS or Android phone into a strong, passwordless credential.

Fast Identity Online (FIDO) is an open standard for passwordless authentication.
FIDO allows users and organizations to leverage the standard to sign-in to their resources without a username or password by using an external security key or a platform key built into a device.
Users can register and then select a FIDO2 security key at the sign-in interface as their main means of authentication. These FIDO2 security keys are typically USB devices, but could also use Bluetooth or NFC.
With a hardware device that handles the authentication, the security of an account is increased as there's no password that could be exposed or guessed.
FIDO2 is the latest standard that incorporates the web authentication (WebAuthn) standard.