Frequently asked questions about Azure Active Directory

Azure Active Directory (Azure AD) is a comprehensive identity as a service (IDaaS) solution that spans all aspects of identity, access management, and security.

For more information, see What is Azure Active Directory?.

Access Azure and Azure Active Directory

Why do I get "No subscriptions found" when I try to access Azure AD in the Azure portal?

To access the Azure portal, each user needs permissions with an Azure subscription. If you don't have a paid Microsoft 365 or Azure AD subscription, you will need to activate a free Azure account or a paid subscription.

For more information, see:

What's the relationship between Azure AD, Microsoft 365, and Azure?

Azure AD provides you with common identity and access capabilities to all web services. Whether you are using Microsoft 365, Microsoft Azure, Intune, or others, you're already using Azure AD to help turn on sign-on and access management for all these services.

All users who are set up to use web services are defined as user accounts in one or more Azure AD instances. You can set up these accounts for free Azure AD capabilities like cloud application access.

Azure AD paid services like Enterprise Mobility + Security complement other web services like Microsoft 365 and Microsoft Azure with comprehensive enterprise-scale management and security solutions.

What are the differences between Owner and Global Administrator?

By default, the person who signs up for an Azure subscription is assigned the Owner role for Azure resources. An Owner can use either a Microsoft account or a work or school account from the directory that the Azure subscription is associated with. This role is authorized to manage services in the Azure portal.

If others need to sign in and access services by using the same subscription, you can assign them the appropriate built-in role. For more information, see Assign Azure roles using the Azure portal.

By default, the person who signs up for an Azure subscription is assigned the Global Administrator role for the directory. The Global Administrator has access to all Azure AD directory features. Azure AD has a different set of administrator roles to manage the directory and identity-related features. These administrators will have access to various features in the Azure portal. The administrator's role determines what they can do, like create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, or manage domains. For additional information on Azure AD directory admins and their roles, see Assign a user to administrator roles in Azure Active Directory and Assigning administrator roles in Azure Active Directory.

Additionally, Azure AD paid services like Enterprise Mobility + Security complement other web services, such as Microsoft 365 and Microsoft Azure, with comprehensive enterprise-scale management and security solutions.

Is there a report that shows when my Azure AD user licenses will expire?

No. This isn't currently available.

Get started with Hybrid Azure AD

How do I leave a tenant when I'm added as a collaborator?

When you are added to another organization's tenant as a collaborator, you can use the "tenant switcher" in the upper right to switch between tenants. Currently, there is no way to leave the inviting organization, and Microsoft is working on providing this functionality. Until this feature is available, you can ask the inviting organization to remove you from their tenant.

How can I connect my on-premises directory to Azure AD?

You can connect your on-premises directory to Azure AD by using Azure AD Connect.

For more information, see Integrating your on-premises identities with Azure Active Directory.

How do I set up SSO between my on-premises directory and my cloud applications?

You only need to set up single sign-on (SSO) between your on-premises directory and Azure AD. As long as you access your cloud applications through Azure AD, the service automatically drives your users to correctly authenticate with their on-premises credentials.

Implementing SSO from on-premises can be easily achieved with federation solutions such as Active Directory Federation Services (AD FS), or by configuring password hash sync. You can easily deploy both options by using the Azure AD Connect configuration wizard.

For more information, see Integrating your on-premises identities with Azure Active Directory.

Does Azure AD provide a self-service portal for users in my organization?

Yes, Azure AD provides you with the Azure AD Access Panel for user self-service and application access. If you are a Microsoft 365 customer, you can find many of the same capabilities in the Office 365 portal.

For more information, see Introduction to the Access Panel.

Does Azure AD help me manage my on-premises infrastructure?

Yes. The Azure AD Premium edition provides you with Azure AD Connect Health. Azure AD Connect Health helps you monitor and gain insight into your on-premises identity infrastructure and the synchronization services.

For more information, see Monitor your on-premises identity infrastructure and synchronization services in the cloud.

Password management

Can I use Azure AD password write-back without password sync? (In this scenario, is it possible to use Azure AD self-service password reset (SSPR) with password write-back and not store passwords in the cloud?)

You do not need to synchronize your Active Directory passwords to Azure AD to enable write-back. In a federated environment, Azure AD single sign-on (SSO) relies on the on-premises directory to authenticate the user. This scenario does not require the on-premises password to be tracked in Azure AD.

How long does it take for a password to be written back to Active Directory on-premises?

Password write-back operates in real time.

For more information, see Getting started with password management.

Can I use password write-back with passwords that are managed by an admin?

Yes, if you have password write-back enabled, the password operations performed by an admin are written back to your on-premises environment.

For more answers to password-related questions, see Password management frequently asked questions.

What can I do if I can't remember my existing Microsoft 365/Azure AD password while trying to change my password?

For this type of situation, there are a couple of options. Use self-service password reset (SSPR) if it's available. Whether SSPR works depends on how it's configured. For more information, see How does the password reset portal work.

For Microsoft 365 users, your admin can reset the password by using the steps outlined in Reset user passwords.

For Azure AD accounts, admins can reset passwords by using one of the following:


Are accounts locked after a specific number of failed attempts or is there a more sophisticated strategy used?

We use a more sophisticated strategy to lock accounts. This is based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it is an attack.

Certain (common) passwords get rejected with the messages 'this password has been used to many times', does this refer to passwords used in the current active directory?

This refers to passwords that are globally common, such as any variants of "Password" and "123456".

Will a sign-in request from dubious sources (botnets, tor endpoint) be blocked in a B2C tenant or does this require a Basic or Premium edition tenant?

We do have a gateway that filters requests and provides some protection from botnets, and is applied for all B2C tenants.

Application access

Where can I find a list of applications that are pre-integrated with Azure AD and their capabilities?

Azure AD has more than 2,600 pre-integrated applications from Microsoft, application service providers, and partners. All pre-integrated applications support single sign-on (SSO). SSO lets you use your organizational credentials to access your apps. Some of the applications also support automated provisioning and de-provisioning.

For a complete list of the pre-integrated applications, see the Active Directory Marketplace.

What if the application I need is not in the Azure AD marketplace?

With Azure AD Premium, you can add and configure any application that you want. Depending on your application's capabilities and your preferences, you can configure SSO and automated provisioning.

For more information, see:

How do users sign in to applications by using Azure AD?

Azure AD provides several ways for users to view and access their applications, such as:

  • The Azure AD access panel
  • The Microsoft 365 application launcher
  • Direct sign-in to federated apps
  • Deep links to federated, password-based, or existing apps

For more information, see End user experiences for applications.

What are the different ways Azure AD enables authentication and single sign-on to applications?

Azure AD supports many standardized protocols for authentication and authorization, such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. Azure AD also supports password vaulting and automated sign-in capabilities for apps that only support forms-based authentication.

For more information, see:

Can I add applications I'm running on-premises?

Azure AD Application Proxy provides you with easy and secure access to on-premises web applications that you choose. You can access these applications in the same way that you access your software as a service (SaaS) apps in Azure AD. There is no need for a VPN or to change your network infrastructure.

For more information, see How to provide secure remote access to on-premises applications.

How do I require multi-factor authentication for users who access a particular application?

With Azure AD Conditional Access, you can assign a unique access policy for each application. In your policy, you can require multi-factor authentication always, or when users are not connected to the local network.

For more information, see Securing access to Microsoft 365 and other apps connected to Azure Active Directory.

What is automated user provisioning for SaaS apps?

Use Azure AD to automate the creation, maintenance, and removal of user identities in many popular cloud SaaS apps.

For more information, see Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory.

Can I set up a secure LDAP connection with Azure AD?

No. Azure AD doesn't support the Lightweight Directory Access Protocol (LDAP) protocol or Secure LDAP directly. However, it's possible to enable Azure AD Domain Services (Azure AD DS) instance on your Azure AD tenant with properly configured network security groups through Azure Networking to achieve LDAP connectivity. For more information, see Configure secure LDAP for an Azure Active Directory Domain Services managed domain