While preparing for the AZ-305 (Azure Solutions Architect Expert), many candidates struggle with Azure AD authentication patterns and device-based access controls. In the enterprise world, this decision often hinges on balancing user experience (seamless SSO) with Zero-Trust security requirements. Let’s drill into a simulated enterprise identity scenario.
The Scenario #
Fabrikam Manufacturing is modernizing their internal application portfolio by migrating their legacy ERP system to Azure App Service. The new web application, FabrikamConnect, will serve 2,500 employees across manufacturing plants in Germany and the United States.
Current State:
- All employee workstations run Windows 10/11 and are Azure AD-joined (cloud-native identity)
- Employees currently authenticate to on-premises applications using Windows Integrated Authentication
- Security team mandates that only corporate-managed devices can access business applications
- IT wants to eliminate password fatigue and reduce helpdesk tickets related to authentication
Target State:
- Deploy FabrikamConnect as an Azure Web App with Azure AD authentication
- Users must access the application seamlessly without repeated credential prompts
- Application access must be restricted exclusively to Fabrikam-owned, compliant devices
- Solution must align with Microsoft’s Zero-Trust security model
Key Requirements #
Design an Azure AD authentication solution that satisfies both of the following requirements:
- Seamless Authentication: Users connect to FabrikamConnect without authentication prompts when accessing from their Azure AD-joined workstations
- Device Compliance Enforcement: Only Fabrikam corporate-managed devices can establish sessions to the application
The Options #
- A) Azure AD Application Registration
- B) Conditional Access Policy
- C) Azure AD Application Proxy
- D) Managed Identity
- E) Access Reviews
- F) Shared Access Signature (SAS)
Correct Answer #
B) Conditional Access Policy and A) Azure AD Application Registration
The Architect’s Analysis #
Correct Answer #
Option B (Conditional Access Policy) and Option A (Azure AD Application Registration)
Step-by-Step Winning Logic #
This solution aligns with three pillars of the Microsoft Well-Architected Framework:
1. Security (Zero-Trust Architecture)
- Azure AD Application Registration establishes the trust relationship between FabrikamConnect and Azure AD, enabling OAuth 2.0/OpenID Connect authentication flows
- The registration defines redirect URIs, token lifetimes, and API permissions—creating the identity backbone
2. Operational Excellence (Seamless SSO)
- When users sign into Windows 10/11 with Azure AD credentials, Windows acquires a Primary Refresh Token (PRT)
- This PRT enables Windows Integrated Authentication for Azure AD-integrated apps
- Result: Zero additional prompts when accessing FabrikamConnect from corporate devices
3. Security (Device Compliance Enforcement)
- Conditional Access Policy acts as the policy enforcement point
- Configuration:
- Assignment: Target the FabrikamConnect app registration
- Conditions: All users, all locations
- Grant Control: “Require device to be marked as compliant” OR “Require Hybrid Azure AD joined device”
- Only devices meeting the device compliance criteria receive access tokens
The Technical Flow:
- User navigates to fabrikamconnect.azurewebsites.net
- App Service redirects to Azure AD (using App Registration configuration)
- Azure AD validates the Windows PRT (seamless SSO)
- Conditional Access Policy evaluates device compliance state
- If compliant: Token issued, user authenticated silently
- If non-compliant: Access denied with compliance instructions
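The Conditional Access configuration above, expressed as the Microsoft Graph conditionalAccessPolicy body, together with a small lint that catches the settings that lock users out (added example, not code from the original post; the app ID and break-glass group ID are constructed placeholders). It starts in report-only mode and excludes a break-glass group, as the Real World section recommends, and it flags a policy that relies only on the hybrid-joined control, which would not match Fabrikam's Azure AD-joined workstations.

```python
# Added example (not from the original post): build the Conditional Access
# policy body in the Microsoft Graph conditionalAccessPolicy schema and lint
# it for the mistakes that lock users out. IDs are constructed placeholders.
import json

GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
FABRIKAMCONNECT_APP_ID = "11111111-1111-1111-1111-111111111111"  # placeholder app (client) ID
BREAK_GLASS_GROUP_ID = "22222222-2222-2222-2222-222222222222"    # placeholder group object ID


def build_device_policy(app_id: str, break_glass_group_id: str, enforce: bool = False) -> dict:
    """Require a compliant (or hybrid joined) device for the FabrikamConnect app.

    Starts in report-only mode so non-compliant devices surface in sign-in logs
    before anyone is blocked; pass enforce=True once the results are reviewed.
    """
    return {
        "displayName": "CA-FabrikamConnect-RequireCompliantDevice",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
            "applications": {"includeApplications": [app_id]},
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    }


def lint_policy(policy: dict) -> list:
    """Return review findings; an empty list means the policy is safe to enable."""
    findings = []
    grant = policy.get("grantControls", {})
    controls = grant.get("builtInControls", [])
    if "compliantDevice" not in controls:
        # domainJoinedDevice matches only hybrid Azure AD joined devices; Fabrikam's
        # workstations are Azure AD joined, so they would fail the grant and be denied.
        findings.append("missing compliantDevice: Azure AD joined workstations would be denied")
    if grant.get("operator") == "AND" and len(controls) > 1:
        findings.append("AND requires every control at once; the scenario calls for OR")
    users = policy.get("conditions", {}).get("users", {})
    if "All" in users.get("includeUsers", []) and not (users.get("excludeGroups") or users.get("excludeUsers")):
        findings.append("targets All users with no break-glass exclusion")
    return findings


def graph_request(policy: dict) -> tuple:
    """Return (method, url, body) for creating the policy via Microsoft Graph.

    Send it with a token that holds Policy.ReadWrite.ConditionalAccess; no HTTP
    call is made here, so the example runs offline.
    """
    return ("POST", GRAPH_CA_URL, json.dumps(policy))


if __name__ == "__main__":
    pol = build_device_policy(FABRIKAMCONNECT_APP_ID, BREAK_GLASS_GROUP_ID)
    print(graph_request(pol)[1], lint_policy(pol))
```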
The Trap (Distractor Analysis) #
Why not C (Azure AD Application Proxy)?
- Application Proxy is designed for on-premises applications that need remote access without VPN
- FabrikamConnect is already an Azure-native App Service—no need for a reverse proxy connector
- This would add unnecessary complexity and latency (traffic would hairpin through the connector)
Why not D (Managed Identity)?
- Managed Identities authenticate Azure resources to other Azure services (e.g., App Service → Key Vault)
- They do not authenticate human users to applications
- This is a classic distractor for candidates confusing service principals with user authentication
Why not E (Access Reviews)?
- Access Reviews are a governance tool for periodic recertification of user access rights
- They do not enforce real-time authentication policies or device compliance
- Useful for quarterly audits, not for per-request access decisions
Why not F (Shared Access Signature)?
- SAS tokens are for Azure Storage account delegation (Blob, Queue, Table, File services)
- Completely unrelated to Azure AD user authentication
- Classic “wrong domain” distractor
The Architect Blueprint #
Diagram Note: The Primary Refresh Token (PRT) acquired during Windows sign-in enables seamless SSO, while Conditional Access Policy enforces device compliance before issuing the OAuth access token to the App Service.
The Decision Matrix #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A + B (Correct) | Medium | $6/user/month (Azure AD P1 for CA) | ✅ Seamless SSO via PRT ✅ Real-time device compliance ✅ Zero-Trust aligned ✅ No VPN required | ⚠️ Requires Azure AD P1+ licensing ⚠️ Intune enrollment for compliance |
| C (App Proxy) | High | $0 (included) + VM costs for connector | ✅ Good for on-prem apps ✅ Pre-authentication | ❌ Unnecessary for Azure-native apps ❌ Adds latency (connector hop) ❌ Doesn’t enforce device compliance |
| D (Managed Identity) | Low | $0 | ✅ Excellent for service-to-service auth | ❌ Cannot authenticate human users ❌ Wrong use case entirely |
| E (Access Reviews) | Low | Included in Azure AD P2 | ✅ Good for periodic governance | ❌ Not real-time enforcement ❌ Doesn’t provide SSO |
| F (SAS Token) | Low | $0 | ✅ Great for Storage delegation | ❌ Storage-only construct ❌ Not for user authentication |
Cost Breakdown:
- Azure AD Free: Insufficient (no Conditional Access)
- Azure AD Premium P1: $6/user/month (required for CA policies)
- Azure AD Premium P2: $9/user/month (adds PIM, Access Reviews, Identity Protection)
- Recommendation: P1 for production, P2 if risk-based CA policies are needed
Real-World Practitioner Insight #
Exam Rule #
“For the AZ-305 exam, when you see ‘seamless authentication’ + ‘device restriction’, always combine Azure AD App Registration (establishes identity integration) with Conditional Access Policy (enforces device compliance).”
Keyword Detection:
- “Without prompts” → Seamless SSO (requires PRT from Azure AD-joined device)
- “Only corporate devices” → Conditional Access device filter
- “Azure AD authentication” → App Registration required
Real World #
“In reality, Fabrikam would also implement:
- Intune Device Compliance Policies: Define what ‘compliant’ means (OS version, BitLocker enabled, antivirus status)
- Conditional Access Staged Rollout: Start with ‘Report-only’ mode to identify non-compliant devices before enforcing
- Named Locations: Exclude on-premises IP ranges from MFA challenges (corporate network trust)
- Break-glass Accounts: Emergency access accounts exempted from CA policies
Additionally, for highly sensitive apps (e.g., financial systems), we’d add:
- Risk-based Conditional Access (Azure AD Identity Protection) to block sign-ins from anomalous locations
- App Protection Policies (Intune MAM) to prevent copy/paste of sensitive data
- Session controls to enforce limited session lifetime (e.g., 4-hour reauthentication)
The exam focuses on the minimum viable solution, but production deployments layer multiple controls for defense-in-depth.”