Once again ... (how many times do we have to shout this?)
"Azure AD users can ditch typed-in passwords altogether, and instead use things like biometrics (facial recognition and fingerprints)"
Biometrics should never be used as authenticators not least because:
- an authenticator is some form of shared secret, but biometrics by definition are not secret, as you carry them around in plain view and leave some of them behind wherever you've been;
- an authenticator must be amenable to being rescinded, but you can't rescind a biometric (short of "rubbing out" the party concerned);
- a single authenticator should not be used for multiple incompatible purposes, but you'll soon run out of alternatives for different purposes if biometrics are used.
The only valid use of a biometric is as an identifier. Authentication is the second phase after identification and should use something that complies with the above principles.
Quite apart from which, current "biometric authentication" systems don't actually use biometrics despite being tied to them. They use grossly simplified digests of them translated into numeric form. Such systems can be breached in many ways via compromise of the digest.
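The identification-then-authentication split the comment argues for, as an added illustration (not code from the commenter or from Microsoft): the biometric template digest is used only as a lookup key, and what actually proves possession is a separate per-user secret that can be revoked or rotated. The directory class, the user name and the "minutiae" bytes are all constructed for the example.

```python
import hashlib
import hmac
import secrets


class Directory:
    """Toy user directory: biometric digest identifies, revocable secret authenticates."""

    def __init__(self):
        self._by_template = {}  # template digest -> username (identifier only)
        self._secrets = {}      # username -> current authenticator secret, or None if revoked

    def enrol(self, username: str, template_digest: bytes) -> bytes:
        """Register the biometric digest as an identifier and issue a fresh authenticator."""
        self._by_template[template_digest] = username
        return self.rotate(username)

    def rotate(self, username: str) -> bytes:
        """Issue a new authenticator secret; the previous one stops working."""
        new_secret = secrets.token_bytes(32)
        self._secrets[username] = new_secret
        return new_secret

    def revoke(self, username: str) -> None:
        """Rescind the authenticator without touching the (unrevocable) biometric."""
        self._secrets[username] = None

    def identify(self, template_digest: bytes):
        """Phase one: who does this biometric digest claim to be?"""
        return self._by_template.get(template_digest)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def authenticate(self, username: str, challenge: bytes, response: bytes) -> bool:
        """Phase two: does the claimant hold the current secret for that identity?"""
        key = self._secrets.get(username)
        if key is None:
            return False  # revoked or never enrolled
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove possession of the secret without revealing it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def demo():
    d = Directory()
    # Constructed stand-in for a biometric template digest (not real minutiae data).
    template = hashlib.sha256(b"constructed-minutiae-bytes").digest()
    secret = d.enrol("alice", template)

    user = d.identify(template)            # identifier phase
    ch = d.challenge()
    first_login = d.authenticate(user, ch, respond(secret, ch))

    d.revoke(user)                         # rescind the authenticator
    after_revoke = d.authenticate(user, ch, respond(secret, ch))

    new_secret = d.rotate(user)            # reissue; the leaked template is unchanged
    ch2 = d.challenge()
    after_rotate_new = d.authenticate(user, ch2, respond(new_secret, ch2))
    after_rotate_old = d.authenticate(user, ch2, respond(secret, ch2))

    return user, first_login, after_revoke, after_rotate_new, after_rotate_old


if __name__ == "__main__":
    print(demo())  # ('alice', True, False, True, False)
```

The point the code makes is the one in the comment: revoking or rotating the authenticator is a one-line operation, whereas nothing in the directory can "rotate" the template digest, which is why it is kept on the identifier side of the line.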