Hard · 1 mark · Multiple Choice
AZ-305 · Question 05 · Domain 1.2: Authentication and Authorization
A highly regulated financial institution is migrating to Microsoft 365 and Azure. They currently use an on-premises Active Directory Domain Services (AD DS) forest.
The Chief Security Officer (CSO) mandates the following strict requirements:
- User passwords or password hashes MUST NOT be synchronized to the cloud under any circumstances.
- Users must experience Single Sign-On (SSO) from their domain-joined corporate devices.
- If the on-premises internet connection fails, users must not be able to authenticate to cloud services.
- The solution must not require inbound ports to be opened on the corporate firewall.
Which hybrid identity solution should you design?
Answer options:
A. Password Hash Synchronization (PHS) with Seamless SSO
B. Active Directory Federation Services (AD FS)
C. Pass-through Authentication (PTA) with Seamless SSO
D. Azure AD Domain Services (Azure AD DS)
How to approach this question
Evaluate the constraints one at a time: "no password hashes in the cloud" eliminates PHS; "no inbound ports" rules out AD FS, whose Web Application Proxy must accept inbound connections; "authentication must fail when the on-premises connection fails" also argues against PHS, which keeps working from the synced hashes. PTA uses outbound-only agents and validates every sign-in against on-premises AD.
Full Answer
C. Pass-through Authentication (PTA) with Seamless SSO ✓ Correct
Pass-through Authentication (PTA) allows users to sign in to both on-premises and cloud-based applications with the same password. Each sign-in is validated directly against on-premises Active Directory, so no password hashes are synchronized to Entra ID. The PTA agents need only outbound connectivity (TCP 443) to Entra ID; no inbound firewall ports are opened. Seamless SSO on domain-joined devices satisfies the SSO requirement. Because validation happens on-premises, cloud authentication fails when the on-premises internet connection drops, which is exactly the behaviour the CSO requires. All four requirements are met.
Common mistakes
Choosing AD FS. AD FS also keeps authentication on-premises and never syncs hashes, but it requires a federation farm plus Web Application Proxy (WAP) servers in the perimeter network, and the WAP servers must accept inbound connections from the internet, which violates the firewall requirement. Choosing PHS with Seamless SSO is the other common error: it provides SSO and needs no inbound ports, but it synchronizes password hashes and lets users keep authenticating to the cloud during an on-premises outage, violating two of the requirements.