Working with identity management

Dynamics 365 for Finance and Operations cloud deployment uses Azure AD for identity management and authentication. Microsoft Azure AD is a modern, cloud-based service that provides identity management and access control capabilities for your cloud applications. You can use Azure AD Connect to integrate and synchronize with an on-premises Windows AD and provide Single Sign-On (SSO) functionality to users and devices. The following diagram shows the high-level capabilities of Azure AD:

Cloud deployment of Dynamics 365 for Finance and Operations uses Azure AD and the SAML 2.0 (short for Security Assertion Markup Language) protocol for the authentication and authorization process. The following diagram depicts in five simple steps how this happens:

As shown in the preceding diagram, the authentication process happens in the following sequence:

  1. The user logs on to Dynamics 365 for Finance and Operations using a browser.
  2. The user session gets redirected to the Azure AD login page for authentication. The user logs in to Azure AD using the user ID and password.
  3. Azure AD authenticates the user and generates the SAML 2.0 token.
  4. The user session gets redirected to Dynamics 365 for Finance and Operations with security tokens.
  5. In the end, Dynamics 365 for Finance and Operations validates the security token, authorizes the user (if the user is registered as a valid user in the application), and displays the start page.
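The following is an added example, not code from the book or from Dynamics 365 itself, showing what step 5 amounts to on the application side: the assertion's issuer, validity window and audience are checked before the subject is looked up in the application's own user list. It assumes the XML signature on the assertion has already been verified by the SAML library; the hostnames, user name and timestamps are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace used by SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a SAML 2.0 assertion as an STS (Azure AD or AD FS) would issue it.
# The Signature element is omitted; this example assumes the XML signature has
# already been verified by the SAML library before these checks run.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0">
  <saml:Issuer>https://sts.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://erp.example.test/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_and_authorize(assertion_xml, expected_issuer, expected_audience, now, registered_users):
    """Step 5 of the flow: validate the token's claims, then authorize the user.
    Returns (user_id, None) on success or (None, reason) on failure."""
    root = ET.fromstring(assertion_xml)
    # Issuer must be the STS this application federates with, not just any token signer.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return None, "unexpected issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "missing Conditions"
    # Validity window: reject tokens presented too early or after expiry (replay).
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return None, "outside validity window"
    # Audience restriction: a token minted for another application is not accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None, "audience mismatch"
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    # Authorization: authentication by the STS is not enough; the subject must be
    # registered as a valid user in the application itself.
    if user not in registered_users:
        return None, "user not registered in application"
    return user, None
```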

The on-premises deployment option uses AD FS for authentication and AD for identity management. The following diagram shows the authentication flow in on-premises deployment:

As shown in the preceding diagram, the authentication flow for on-premises deployment is similar to cloud deployment. The only difference is that for the cloud, Azure AD is used as both the STS (short for Security Token Service) and the identity provider, whereas for on-premises deployment, AD FS is used as the STS and AD as the identity provider.

An STS is a software-based identity provider that issues security tokens in a claims-based identity system.