AZ-305 · Question 05 · Domain 1.2: Authentication and Authorization
Hard · 1 mark · Multiple Choice
Tags: Domain 1, Authentication and Authorization, Hybrid Identity, PTA
A healthcare organization with 10,000 employees uses on-premises Active Directory. They are migrating to Microsoft 365 and Azure.
The Chief Information Security Officer (CISO) has established the following strict identity requirements:
- Users must experience Single Sign-On (SSO) when accessing cloud apps from domain-joined devices.
- Authentication must be evaluated against on-premises Active Directory security policies (e.g., account lockout, permitted logon hours) in real-time.
- Due to strict compliance regulations, user password hashes MUST NOT be synchronized to the cloud under any circumstances.
- The solution must support high availability.
Which hybrid identity authentication method should you recommend?
Answer options:
A. Password Hash Synchronization (PHS) with Seamless SSO
B. Pass-through Authentication (PTA) with Seamless SSO
C. Active Directory Federation Services (AD FS)
D. Azure AD Domain Services (Azure AD DS)
How to approach this question
Eliminate PHS due to the 'no hash sync' constraint. Choose between PTA and AD FS based on modern best practices (PTA is preferred for real-time on-prem validation without the heavy infrastructure of AD FS).
Full Answer
B. Pass-through Authentication (PTA) with Seamless SSO ✓ Correct
Pass-through Authentication (PTA) allows users to sign in to both on-premises and cloud-based applications using the same passwords. It validates users' passwords directly against on-premises Active Directory in real time, so on-premises security policies (such as account lockout and permitted logon hours) are enforced immediately at sign-in. Because it only requires lightweight authentication agents, which can be deployed on several servers for redundancy, it supports high availability without the complex infrastructure AD FS requires. Crucially, it does not require syncing password hashes to Azure AD.
Common mistakes
Selecting AD FS. While technically possible, AD FS is considered legacy for this specific set of requirements and introduces unnecessary cost and complexity compared to PTA.