

Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory) is a comprehensive identity and access management cloud solution that provides a robust set of capabilities to manage users and groups.
Microsoft Entra ID News & Activities
Recent News
- Danilo_Venom published news article about Microsoft Authenticator: Microsoft Authenticator enhancements: WhatsApp-based authentication codes in place of SMS and limited notifications from suspicious sources
Microsoft is working on two major enhancements for its Microsoft Authenticator application, includi...
- POX published news article about Microsoft Entra ID: Microsoft announces rebranding of Azure Active Directory to Microsoft Entra ID
Microsoft has recently announced a rebranding of Azure Active Directory (Azure AD) to Microsoft Ent...
- Danilo_Venom published news article about Microsoft Entra ID: 'BingBang' Vulnerability in Azure Active Directory: An Exploit Allowed Users to Manipulate Bing Search Results
A recently discovered vulnerability in Azure Active Directory (AAD), called BingBang, allowed users...
Recent activities
- vitaprimo reviewed Microsoft Entra ID
- antoine-laurent added Microsoft Entra ID as alternative to RCDevs OpenOTP Security Suite
- monocloud added Microsoft Entra ID as alternative to MonoCloud
- justin-walt added Microsoft Entra ID as alternative to waltid-identity
Comments and Reviews
Comprehensive solution for Identity and Access management. Easy to integrate with third-party services like AWS, Google, etc. Conditional Access is another great functionality to control who, and under what conditions, gets access to your infrastructure.
You can skip to the last paragraph if you're in a hurry.
It's convoluted. To operate, configure, and diagnose. Much more than it needs to be.
It charges for support, as if we were just born "knowing Azure." This would be unacceptable even if it had good documentation, since presumably Azure wants us to use it, right? But it does not have good documentation; it's as convoluted as the platform itself, and a lot seems purposely omitted, with a slight aftertaste of insidious intent.
Additionally, it's a dog fight for who gives you the best support — heads up: no one — where you'll end up in an email chain with A DOZEN or so agents in the race for who's the most suffocating, all insisting on a video call. They, BTW, can't do anything useful. Their MO consists mostly of not giving you proper answers but rather support links to the bad documentation, which you may already have found on your own, or they'll give you PowerShell cmdlets at the most. Good luck if you haven't figured out how to connect to Azure from PowerShell. Then it turns into another support nightmare: they'll relentlessly nag you to rate them. Even if they did nothing useful, time (tracked by some sort of CRM, I assume) tells them you should have been dealt with by then, so they'll come collecting. Much like in Microsoft's old TechNet or Q&A sites.
It continues to upsell, in other words advertise, within your admin console. Screen real estate that could be used for the services you paid for is used to show ads. To show what over-engineered feature could be there if you just paid a little more …per user …per month. Remember that Keycloak can do for free what Azure, Okta and the other authentication vultures do. It's just OpenID Connect for the most part.
No privacy. The very first thing the privacy thing and marketing say is that it "respects your privacy," and throw in words like "committed," they all say that. Continue reading just a little more and you'll likely find within the same paragraph that claim to be invalidated.
If you install the Azure AD Sync-something, i.e. the sync agent, or its latest equivalent, by default it installs and enables some Health thing that automatically starts uploading information from the system it runs on. You need to disable the local system service and opt out in the console. Even if you opt out, the agent appears to have no issues uploading stuff, so the veracity of those controls is questionable. If you wanted to use/view that information, you can't. It's now Microsoft's information, not yours. You need to pay for additional services to view the information that will be collected regardless. You can do without the agent but it's also how you get the PowerShell cmdlets installed, and it saves so much setup work. You can forbid the server to connect after the first sync though, as you should with any Microsoft system in a network.
Unless you have top-tier billing, your users will know you are using a third-party service; branding costs extra.
One way, and the only way IMO, Azure should be deployed is federated, where it redirects to your own server when a user enters a recognized domain. You still see some Azure pages, but authentication will happen on your own servers. It's how you can get the most control over it, and how it gets the least amount of information from you. You will still have to run limited-scope syncs from the agent to send the users each time the user list is augmented. Not so much when it's reduced (i.e. users deleted), as your servers will just reject it.
It's not as useful as it makes itself out to be. As mentioned, federated is the best way to use Azure, but service providers may support federation directly too. So no need for AAD at all. Where it's useful is for those providers that don't support standards but support proprietary integrations, because in those you can chain-link authentication to Azure, and then have Azure federate with your ADFS, Keycloak, Casdoor, or other SAML IdP. Personally, I use it with ManageEngine's MDM Plus service and password hash sync (with a very tight scope) so I don't need to keep servers online.
To sum up, the only saving feature it has is its federation capabilities. Be warned: if you federate a domain and lose access to the account/tenant that originally made the federation (such as a throwaway testing account), your domain gets locked up in that account, never mind that validation is done through DNS. The useless support will be just that: useless. Lastly, keep in mind that by using MFA you'll be surrendering phone numbers, location (if using the mobile app, or at least from IP address), along with so much explicitly identifiable information of your whole organization to Azure, which has had security incidents, and seems to be always at the forefront of GDPR-like violations.