Azure AD does not use LDAP calls to query the directory. Instead, it uses the Microsoft Graph API to query objects and their properties. The PowerShell module for interacting with Azure AD is “AzureAD”.
Similar to the group concept in Active Directory DS, Azure AD offers two types of membership when creating a group: assigned and dynamic. For a group with assigned membership, users must be added and removed manually. With dynamic membership (needs at least Azure AD P1), users are added or removed automatically based on properties such as enabled state, location or department. Check out the documentation below for more details on dynamic membership. Licenses can also be assigned to groups, so a combination of dynamic group membership and group-based license assignment can save a lot of time.
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
Directory isolation is possible in Azure AD by creating a new directory (just like creating any other Azure resource): from the Azure portal, choose Create a resource > Azure Active Directory. The account that creates the new directory becomes its sole owner. The owner is also the only user created by default in the new directory (with the source “External Active Directory”). Azure takes care of the federation and trust between the directories.
The newly created directory has no subscriptions by default, just like a new Azure account. An existing subscription can also be switched to the new directory; refer to the documentation below for details. Any existing resources in the subscription move to the new directory along with it (without any RBAC role assignments, of course).
https://docs.microsoft.com/en-us/azure/role-based-access-control/transfer-subscription
Azure AD B2C: create a separate tenant for customer-facing applications so that customer accounts on your website are completely isolated from internal users. It also offers additional features such as company branding and authentication with Google, Facebook and other social media accounts, which makes customer onboarding easier.
Password resets in on-premises AD can be synced to Azure AD using the Azure AD Connect tool. Passwords can also be reset directly in Azure AD using SSPR (self-service password reset). SSPR needs at least an Azure AD P1 license. If the new password needs to be synced back to the on-premises directory, password writeback must be enabled in Azure AD Connect (also needs at least a P1 license).
Check the link below to learn more about SSPR and password writeback.
For end users, it is more convenient to remember the URL below and access all the apps they have been granted access to from there. Admins should also check this page whenever a new application is registered in Azure AD.
Similar to joining a device to an Active Directory domain, devices can be joined to Azure AD; these devices are referred to as Azure AD joined. We can have full control over these devices with MDM (Mobile Device Management) solutions like Intune.
When an email account is configured on a smartphone, the device is registered with Azure AD. Admins have very little control over these registered devices (via Office 365 MDM).
For some Azure objects (like a VM), an object ID is created in Azure AD. This object ID can be granted permissions to access other Azure resources; for example, code running on an Azure VM can be allowed to add new secrets to a key vault. Check the Identity blade on an Azure resource to see whether it supports managed identity, where Azure takes care of the authentication.
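A concrete version of the key vault scenario above, added here as an example (it is not from the original notes): a script running on an Azure VM with a system-assigned managed identity obtains a token from the local Instance Metadata Service and uses it to store a secret, with no credentials kept on the VM. The vault name, secret name and secret value are placeholders, and it assumes the VM's identity has already been granted the "Set" secret permission on the vault.

```powershell
# Added example (not from the original notes). Assumptions: placeholder vault/secret
# names below, and the VM's managed identity has "Set" permission on secrets.
$VaultName   = 'contoso-kv-placeholder'   # assumption: your Key Vault name
$SecretName  = 'db-connection-string'     # assumption: secret to create or update
$SecretValue = 'Server=tcp:example;'      # constructed sample value

# 1. Ask the local IMDS endpoint for an access token scoped to Key Vault.
#    IMDS rejects requests that lack the 'Metadata: true' header.
$imdsUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
           '?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
$tokenResponse = Invoke-RestMethod -Method Get -Uri $imdsUri -Headers @{ Metadata = 'true' }
$accessToken   = $tokenResponse.access_token

# 2. Sanity-check the token before using it: decode the JWT payload (base64url)
#    and confirm the audience is Key Vault, not some other resource.
$payload  = $accessToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$claims   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
if ($claims.aud -ne 'https://vault.azure.net') {
    throw "Unexpected token audience: $($claims.aud)"
}
Write-Host "Token for identity object ID $($claims.oid), expires at $($tokenResponse.expires_on)"

# 3. Create (or add a new version of) the secret via the Key Vault data-plane REST API.
$secretUri = "https://$VaultName.vault.azure.net/secrets/$SecretName?api-version=7.3"
$body      = @{ value = $SecretValue } | ConvertTo-Json
$result    = Invoke-RestMethod -Method Put -Uri $secretUri -ContentType 'application/json' `
                 -Headers @{ Authorization = "Bearer $accessToken" } -Body $body
Write-Host "Stored secret version: $($result.id)"

# $accessToken is a bearer credential valid until expires_on: never write it to logs.
```

The same pattern applies to any Azure service that accepts Azure AD tokens; only the resource parameter in the IMDS request and the target API change, so keep the identity's permissions limited to the operations the code actually needs.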