Conditional Access is the most important security feature you will configure in Azure AD. You need to get this right, or most other things don’t even matter.
Compared to on-premises AD, which requires line of sight to a domain infrastructure often limited to physical or VPN access, Azure AD is wide open by default. Users can authenticate from anywhere, on any device.