[KronisLV]

> And why do you need to control people’s laptop login? That can be local.

Some organizations might want to ensure that your account follows certain policies in regards to the password expiry dates or how "secure" they are.

Furthermore, if you leave an organization, they might want to remove all of your access credentials to all of the linked platforms/devices in one fell swoop.

While you are in the organization, they might want to allow you to use certain pieces of software (say, GitLab, Nextcloud, Mattermost, anything that talks LDAP) by giving you a particular group membership, such as everything for PROJECT_X/CLASS_X and so on.

Similarly, when a certain platform requires user credentials, they might also want to explicitly allow this platform to integrate with their account management software, by giving it certain credentials to talk to the AD server, which can later be revoked.

Oh, and password resets are also nice to centralize, in case you ever screw up.

Sometimes their hand might also be forced due to compliance reasons: imagine Google basically owning your company and information about all of the accounts/devices due to them having the actual data.

[hirako2000]

The argument is that because so much is now cloud services in the browser, it makes centralised AD far less holistic hence better assess the cloud services settings for compliance. There is some truth and risk in that, go reset the password of those 3 services not supporting SSO. Reality about security is to deal with the admin trouble, MS isn't removing processes, education, trust, and their costs, it likes to give the impression that it does hence asking you money for removing the difficult invonvenience of actual security needs