Hard · 1 mark · Multiple Choice
AZ-305 · Question 07 · Domain 1.2: Authentication and Authorization
A global manufacturing company with 20,000 employees uses an on-premises Active Directory Domain Services (AD DS) environment. They are migrating to Microsoft 365 and Azure.
The Chief Security Officer (CSO) mandates the following identity requirements:
- Users must use the same password on-premises and in the cloud.
- Authentication to cloud services must be evaluated against on-premises Active Directory password policies (e.g., time restrictions, account lockout) in real-time.
- Passwords (even in hashed form) must NEVER be synchronized to or stored in the cloud.
- The solution must support high availability.
Which hybrid identity authentication method should you design?
Answer options:
A. Pass-through Authentication (PTA) with multiple Authentication Agents.
B. Password Hash Synchronization (PHS) with Seamless SSO.
C. Active Directory Federation Services (AD FS) with a single server.
D. Azure AD Domain Services (Azure AD DS).
How to approach this question
Focus on the constraint: 'Passwords (even in hashed form) must NEVER be synchronized'. This eliminates PHS. Real-time on-prem evaluation points to PTA or AD FS. High availability requires multiple agents.
Full Answer
A. Pass-through Authentication (PTA) with multiple Authentication Agents. ✓ Correct
Pass-through Authentication (PTA) allows users to sign in to both on-premises and cloud-based applications using the same passwords. It validates users' passwords directly against on-premises Active Directory in real-time. This ensures that on-premises security policies (like account lockout) are enforced immediately. Because it only uses outbound connections from lightweight agents, it doesn't require complex network infrastructure like AD FS, and it strictly meets the requirement of not syncing password hashes to the cloud. Deploying multiple agents ensures high availability.
Common mistakes
Choosing PHS because it's the most common default, ignoring the strict compliance requirement against cloud hash storage.