At this point, I want to give some credit to a very important child service of Azure AD. Azure AD conditional access is a very simple way to control and secure access to resources in the cloud and on premises. Azure AD conditional access is a premium feature in Azure AD. You can grade access, for example, by the following conditions:
- Group membership: Access based on group membership
- Location: Block controls when a user is not on a trusted network, or trigger MFA
- Device platform: Use the device platform (iOS, Android, Windows versions) to apply a policy
- Device-enabled: Device state (enabled or disabled) is validated during device policy evaluation
- Sign-in and user risk: Azure AD Identity Protection for conditional access risk policies
Azure AD conditional access is, for example, the only option to disable access for Azure through the public internet or based on network policies. Even private connections, such as Microsoft ExpressRoute, do not allow limiting access through a network. They always depend on conditional access through Azure AD.
The following screenshot shows you the overview page for Azure AD conditional access:
I would also recommend you consult the documentation to get a deeper look into the capabilities of this service: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview.