
Azure AZ-305 Drill: Hybrid Identity and API Management - Controlling Third-Party Access on Logic Apps

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.

While preparing for the AZ-305 Microsoft Azure Solutions Architect Expert exam, many candidates struggle with designing secure hybrid integration solutions that respect complex identity requirements. In the enterprise world, this decision often hinges on balancing partner usability and security governance without disrupting existing deployments. Let’s drill into a simulated partner integration scenario.

The Scenario

Tailspin Electronics has partnered with BlueYonder Technologies. Tailspin runs multiple Azure Logic Apps triggered via HTTP requests to integrate with legacy on-premises web services. BlueYonder does not have an Azure AD tenant and relies on a third-party OAuth 2.0 provider for authentication.

Key Requirements

  • BlueYonder developers should have a lower request rate limit to the Logic Apps compared to Tailspin employees.
  • BlueYonder must continue using their existing third-party OAuth 2.0 identity provider; no migration to Azure AD.
  • Tailspin does not want to modify the Logic Apps themselves.
  • Using Azure AD guest accounts or B2B collaboration is not permitted.

The Options

  • A) Azure Front Door
  • B) Azure AD Application Proxy
  • C) Azure AD B2B (Enterprise-to-Enterprise)
  • D) Azure API Management

Correct Answer

D) Azure API Management

The Architect’s Analysis

Correct Answer

Option D: Azure API Management

Step-by-Step Winning Logic

Azure API Management (APIM) acts as a facade in front of your Logic Apps, enabling enterprise-grade controls:

  • Authentication: Integrate existing OAuth 2.0 providers via APIM’s OAuth 2.0 support without requiring Azure AD accounts.
  • Rate Limiting and Throttling: Apply policies to differentiate request quotas, allowing BlueYonder developers fewer calls than Tailspin users.
  • No Backend Changes: APIM routes traffic transparently, so Logic Apps remain unchanged.
  • Security & Governance: Enforce governance policies centrally, aligning with CAF’s security and operational excellence pillars.

This approach supports hybrid identity scenarios while respecting resource ownership boundaries.
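The facade described above, expressed as an APIM inbound policy. This is an added example, not policy from the original post or from Tailspin; the BlueYonder OIDC metadata URL, audience, issuers, the Azure AD {tenant-id} placeholder and the named value names are assumptions. It validates bearer tokens from either provider, picks the lower rate limit by token issuer, and forwards to the Logic App's HTTP trigger without changing the Logic App.

```xml
<policies>
  <inbound>
    <base />
    <!-- Validate the bearer token against either identity provider. Metadata URLs, audience,
         issuers and the {tenant-id} placeholder are assumptions, not Tailspin values. -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  require-expiration-time="true" require-signed-tokens="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Invalid or missing bearer token"
                  output-token-variable-name="jwt">
      <openid-config url="https://idp.blueyonder.example/.well-known/openid-configuration" />
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <audience>api://tailspin-partner-integration</audience>
      </audiences>
      <issuers>
        <issuer>https://idp.blueyonder.example/</issuer>
        <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
      </issuers>
    </validate-jwt>
    <!-- Tell partner tokens apart by issuer; no claim mapping or Azure AD guest account needed. -->
    <set-variable name="isPartner"
                  value="@(((Jwt)context.Variables["jwt"]).Issuer == "https://idp.blueyonder.example/")" />
    <!-- Per-identity rate limits keyed on the token subject: BlueYonder developers get
         a lower quota than Tailspin employees without touching the Logic App. -->
    <choose>
      <when condition="@(context.Variables.GetValueOrDefault<bool>("isPartner"))">
        <rate-limit-by-key calls="20" renewal-period="60"
                           counter-key="@(((Jwt)context.Variables["jwt"]).Subject)" />
      </when>
      <otherwise>
        <rate-limit-by-key calls="200" renewal-period="60"
                           counter-key="@(((Jwt)context.Variables["jwt"]).Subject)" />
      </otherwise>
    </choose>
    <!-- Forward to the Logic App HTTP trigger; its URL and SAS "sig" live in APIM named values
         (secrets) so callers never see them. api-version, sp and sv are set the same way. -->
    <set-backend-service base-url="{{logicapp-trigger-base-url}}" />
    <set-query-parameter name="sig" exists-action="override">
      <value>{{logicapp-trigger-sig}}</value>
    </set-query-parameter>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
</policies>
```

A caller exceeding its quota receives HTTP 429 from APIM before the request ever reaches the Logic App, and a token from an unlisted issuer is rejected with 401 at the gateway.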

The Traps (Distractor Analysis)

  • Option A - Azure Front Door: Primarily a global load balancer and CDN. It supports WAF and SSL termination but lacks granular API authentication mechanisms and rate limiting tied to OAuth 2.0 providers.
  • Option B - Azure AD Application Proxy: Designed for publishing on-premises web apps securely. It requires Azure AD authentication, which conflicts with the requirement to keep BlueYonder on its third-party OAuth 2.0 provider without Azure AD guest accounts.
  • Option C - Azure AD B2B Collaboration: Requires inviting external users into Azure AD as guests, which is explicitly disallowed by the requirements.

The Architect Blueprint

Mermaid Diagram illustrating the flow of the CORRECT solution.

  graph TD
    Developer_BlueYonder([BlueYonder Developer])
    Developer_Tailspin([Tailspin Employee])
    APIM[Azure API Management]
    LogicApps[Azure Logic Apps]
    OnPremService[On-Premises Web Services]
    Developer_BlueYonder -->|OAuth2 tokens| APIM
    Developer_Tailspin -->|OAuth2 tokens| APIM
    APIM --> LogicApps
    LogicApps --> OnPremService
    style APIM fill:#0078D4,stroke:#333,color:#fff
    style LogicApps fill:#5C2D91,stroke:#333,color:#fff
    style OnPremService fill:#2D7D46,stroke:#333,color:#fff

Diagram Note: BlueYonder and Tailspin developers authenticate via their existing OAuth 2.0 provider through Azure API Management, which routes and governs requests to the Logic Apps and subsequently to on-premises services.

The Decision Matrix (Mandatory for Associate/Expert Level)

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| Azure Front Door | Low | Moderate | Global routing, WAF, SSL termination | No native OAuth 2.0 rate limiting or multi-tenant identity support |
| Azure AD Application Proxy | Medium | Low to Moderate | Securely publishes on-prem apps with Azure AD | Requires Azure AD guest accounts, no third-party OAuth support |
| Azure AD B2B Collaboration | Medium | Low | Seamless guest access within Azure ecosystem | Violates requirement of no Azure AD guest accounts |
| Azure API Management (APIM) | Medium to High | Moderate to High (Standard or Premium tiers recommended) | OAuth 2.0 integration, fine-grained policies, rate limiting, no backend changes | Higher cost and management overhead |

Real-World Practitioner Insight

Exam Rule

For the exam, always pick Azure API Management when the requirements call for protecting and controlling access to APIs in a hybrid or multi-identity provider environment without changing backend services.

Real World

Enterprises often use APIM as a secure facade for backend Logic Apps or microservices, particularly when integrating third-party partners who manage their own identity outside Azure AD. This avoids complex cross-tenant identity federation or guest user management, maintaining tight governance and operational control.
