Besides communicating within a cluster, you may need to allow authorized users to exchange messages with individual nodes. In fact, this is cover by similar security options as node-to-node security—here you can choose between certificates and Active Directory (AD) security. What is the advantage of using AD in that scenario? There is one very important aspect—in most cases, you do not want to share certificates with your client (this could also be cumbersome with a large number of them). AD security can be set in the ARM template by providing additional options:

"azureActiveDirectory": {  "tenantId": "<guid>",  "clusterApplication": "<guid>",  "clientApplication": "<guid>"}