Question 1

A healthcare organization with 10,000 employees uses on-premises Active Directory. They are migrating to Microsoft 365 and Azure.

The Chief Information Security Officer (CISO) has established the following strict identity requirements:
- Users must experience Single Sign-On (SSO) when accessing cloud apps from domain-joined devices.
- Authentication must be evaluated against on-premises Active Directory security policies (e.g., account lockout, permitted logon hours) in real-time.
- Due to strict compliance regulations, user password hashes MUST NOT be synchronized to the cloud under any circumstances.
- The solution must support high availability.

Which hybrid identity authentication method should you recommend?

Accepted Answer

Eliminate PHS due to the 'no hash sync' constraint. Choose between PTA and AD FS based on modern best practices (PTA is preferred for real-time on-prem validation without the heavy infrastructure of AD FS).

Question 2

What mistakes do candidates make on this AZ-305 question?

Accepted Answer

Selecting AD FS. While technically possible, AD FS is considered legacy for this specific set of requirements and introduces unnecessary cost and complexity compared to PTA.

How to approach this question

Full Answer

Common mistakes

Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 3

More questions from this exam