This section of the standard expects your organisation to have the right controls in place to manage every system where a password is used to authenticate.

For the first control, A7.10, whether you have an on-prem setup, Azure or anything else, you should already have some controls in place such as:

To manage the quality of passwords you could implement a deny list via your on-prem AD or via Entra ID.
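As an added illustration (not code from the original page, and not the implementation of either product), this is the kind of check a deny list enforces, whether through an on-prem AD password filter or Entra ID's banned-password list: normalise the candidate, strip any banned terms, and make sure what is left still meets the length floor so that a long passphrase containing a banned word is not rejected. The sample deny list, the substitution map, the 8-character floor and the residue rule are all constructed assumptions for this example.

```python
"""Deny-list check for new passwords. Simplified illustration only; the
deny list, substitution map and thresholds below are constructed."""

# Constructed sample deny list: a real one is far longer and should include
# organisation-specific terms (company name, products, local sports teams).
DENY_LIST = ["password", "welcome", "letmein", "qwerty", "summer", "contoso"]

# Look-alike substitutions users apply to get past a plain string match:
# "P@ssw0rd" still reads as "password" once these are undone.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t"})

MIN_LENGTH = 8  # assumed floor: Cyber Essentials pairs an 8-character minimum with a deny list


def normalise(password: str) -> str:
    """Lower-case and undo common substitutions before matching."""
    return password.lower().translate(LEET_MAP)


def strip_banned_terms(password: str, deny_list=DENY_LIST) -> tuple[str, list[str]]:
    """Remove every deny-list term from the normalised password.
    Longest terms go first so "password" is consumed before any shorter term inside it."""
    residue = normalise(password)
    hits = []
    for term in sorted(deny_list, key=len, reverse=True):
        if term in residue:
            hits.append(term)
            residue = residue.replace(term, "")
    return residue, hits


def password_allowed(password: str, deny_list=DENY_LIST) -> tuple[bool, str]:
    """Length floor first, then the deny list. A banned term alone does not reject
    a long passphrase (three random words can legitimately include "summer");
    what remains after stripping banned terms must itself still meet the floor."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    residue, hits = strip_banned_terms(password, deny_list)
    if hits and len(residue) < MIN_LENGTH:
        return False, "built on banned term(s): " + ", ".join(hits)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1", "Summer2023", "purple-summer-kettle", "short1!"]:
        print(candidate, password_allowed(candidate))
```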

A7.12 requires your organisation to be more proactive about your users' passwords, so what are you currently doing? Are you regularly emailing your users about how to choose a strong password, perhaps aligned with the NCSC's "three random words" guidance? Do you have a training module for this? What else are you doing?

A7.13 requires that you have a password policy in place and that it includes a process to follow if an account is compromised.

A7.14 - A7.17 - this set of controls covers the configuration of the cloud services your organisation uses. Cloud services that do not support MFA should be listed under A7.15. My advice is to use services that support SSO; that way you simplify configuration, including onboarding and offboarding.

<aside> ❗ If a cloud service only offers MFA or SSO at a higher tier, you are required to upgrade so that the service has MFA set up.

</aside>
