
Azure AZ-305 Drill: Hybrid Identity & Secure Access - Seamless SSO to On-Premises Apps

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.

While preparing for the AZ-305: Designing Microsoft Azure Infrastructure Solutions exam, many candidates struggle with designing secure remote access to legacy application workloads that are integrated with on-premises Active Directory. In the enterprise, this decision hinges on providing seamless Single Sign-On (SSO) to users working remotely without VPN access while maintaining strict security governance and compliance in a hybrid environment. Let’s drill into a simulated hybrid identity scenario.

The Scenario

Northwind Logistics is a global supply chain company with an on-premises Active Directory environment and a legacy internal web application (WebPortal1) that uses Integrated Windows Authentication (IWA). The application is hosted on premises behind the corporate firewall. Many users currently access the app seamlessly via VPN. However, an increasing number of remote employees work without VPN access because of VPN performance limitations and the growing number of regional offices.

The IT team wants to enable these remote users to access WebPortal1 via Single Sign-On without requiring VPN, while maintaining on-premises authentication and adhering to corporate security policies aligned with the Microsoft Cloud Adoption Framework. The environment is synchronized with Azure AD (using Azure AD Connect) and device compliance is managed via Intune.

Key Requirements

Provide remote users seamless, secure SSO access to the on-premises internal web application (WebPortal1) without requiring VPN. The solution must:

  • Integrate with on-premises Active Directory authentication.
  • Support Conditional Access policies for user device compliance and location.
  • Avoid exposing the internal app directly to the internet.

The Options

  • A) Azure AD Application Proxy
  • B) Azure AD Privileged Identity Management (PIM)
  • C) Conditional Access Policy
  • D) Azure Arc
  • E) Azure AD Enterprise Application
  • F) Azure Application Gateway

Correct Answer

A) Azure AD Application Proxy
C) Conditional Access Policy


The Architect’s Analysis

Correct Answer

Option A (Azure AD Application Proxy) and Option C (Conditional Access Policy).

Step-by-Step Winning Logic

Azure AD Application Proxy provides a secure, scalable way to publish on-premises web apps to remote users without a VPN, while preserving Integrated Windows Authentication through Kerberos Constrained Delegation. This aligns with the Security and Operational Excellence pillars of the Well-Architected Framework by minimizing the attack surface and simplifying user access.

Conditional Access protects access with policies that enforce compliant device scenarios and multi-factor authentication, supporting risk mitigation and governance objectives per the Cloud Adoption Framework.
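To make the two winning options concrete, here is an added example (not from the original article) of a policy-as-code check over the two configurations this design depends on: the Application Proxy publishing settings for WebPortal1 and the Conditional Access policy that gates it. The payloads are constructed and shaped after the Microsoft Graph onPremisesPublishing and conditionalAccessPolicy resources (the field names are an assumption, as are the placeholder IDs and hostnames); the check flags the mistakes that silently defeat the design: passthrough pre-authentication, which means Conditional Access is never evaluated, an SSO mode other than Kerberos, and a policy left in report-only mode.

```python
WEBPORTAL1_APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder

# Constructed App Proxy settings for WebPortal1: Azure AD pre-auth, then KCD to the app.
APP_PROXY = {
    "appId": WEBPORTAL1_APP_ID,
    "onPremisesPublishing": {
        "externalUrl": "https://webportal1-northwind.msappproxy.net/",
        "internalUrl": "http://webportal1.corp.northwind.local/",
        "externalAuthenticationType": "aadPreAuthentication",  # "passthru" skips Azure AD
        "singleSignOnSettings": {
            "singleSignOnMode": "onPremisesKerberos",
            "kerberosSignOnSettings": {
                "kerberosServicePrincipalName": "HTTP/webportal1.corp.northwind.local",
                "kerberosSignOnMappingAttributeType": "userPrincipalName",
            },
        },
    },
}

# Constructed Conditional Access policy scoped to the published app.
CA_POLICIES = [{
    "displayName": "WebPortal1 - require compliant device and MFA",
    "state": "enabled",  # "enabledForReportingButNotEnforced" only logs, never blocks
    "conditions": {
        "users": {"includeGroups": ["<remote-users-group-id>"]},  # placeholder
        "applications": {"includeApplications": [WEBPORTAL1_APP_ID]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice", "mfa"]},
}]

def check_design(app, policies):
    """Return findings against the drill's three requirements; an empty list passes."""
    findings = []
    pub = app["onPremisesPublishing"]
    # Pre-authentication must happen in Azure AD, or Conditional Access is never evaluated.
    if pub.get("externalAuthenticationType") != "aadPreAuthentication":
        findings.append("pre-auth is not aadPreAuthentication: Conditional Access cannot gate the app")
    # On-premises AD must still authenticate the user: KCD to the application's SPN.
    sso = pub.get("singleSignOnSettings", {})
    spn = sso.get("kerberosSignOnSettings", {}).get("kerberosServicePrincipalName")
    if sso.get("singleSignOnMode") != "onPremisesKerberos" or not spn:
        findings.append("SSO mode is not Kerberos constrained delegation to an on-premises SPN")
    # An enforced policy must target this app (or all apps) and require a compliant device.
    enforced = [p for p in policies if p.get("state") == "enabled"
                and {"All", app["appId"]} & set(p["conditions"]["applications"].get("includeApplications", []))
                and "compliantDevice" in (p.get("grantControls") or {}).get("builtInControls", [])]
    if not enforced:
        findings.append("no enforced Conditional Access policy requires a compliant device for this app")
    return findings
```

Run the check against exported tenant configuration before go-live; a report-only policy passes every sign-in, so it must show up as a finding, not as coverage.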

The Traps (Distractor Analysis)

Why not Azure AD PIM (B)?

PIM manages privileged identity lifecycles, unrelated to user access to legacy web apps.

Why not Azure Arc (D)?

Azure Arc is for hybrid management of servers and Kubernetes, not direct user access or identity.

Why not Enterprise Application (E)?

This is a registration artifact in Azure AD; by itself it doesn’t solve secure remote access or SSO.

Why not Application Gateway (F)?

Application Gateway is a reverse proxy and load balancer, but it lacks the integrated identity and Conditional Access controls needed for seamless SSO against on-premises AD.

The Architect Blueprint

```mermaid
graph TD
    RemoteUser(["Remote User"]) -->|HTTPS Request| AzureADProxy["Azure AD Application Proxy"]
    AzureADProxy --> OnPremApp["On-premises WebPortal1"]
    AzureADProxy --> AzureAD["Azure Active Directory"]
    AzureADProxy --> ConditionalAccess["Conditional Access Evaluation"]
    OnPremApp --> AD["On-Premises Active Directory"]
    style AzureADProxy fill:#0078D4,stroke:#333,color:#fff
    style AzureAD fill:#5C2D91,stroke:#333,color:#fff
    style OnPremApp fill:#2D7D9A,stroke:#333,color:#fff
    style ConditionalAccess fill:#68217A,stroke:#333,color:#fff
```
  • Diagram Note: Remote users authenticate against Azure AD, pass Conditional Access policies, and securely access the on-premises web app via Azure AD Application Proxy without a VPN.

The Decision Matrix

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| Azure AD Application Proxy (A) | Moderate | Low | Enables secure remote access, hybrid identity support, integrates with on-prem AD, minimal infra changes | Requires Azure AD Premium P1 license, on-premises connector installation |
| Conditional Access (C) | Low | Included in P1/P2 | Strong governance, conditional policies based on device/user risk, MFA enforcement | Needs ongoing policy tuning, user education necessary |
| Azure AD Privileged Identity Mgmt (B) | High | Moderate | Privileged identity governance | Unrelated to user remote access |
| Azure Arc (D) | High | Variable | Hybrid management for VMs & Kubernetes | No user access enablement |
| Enterprise Application (E) | Low | N/A | App registration constructs | Does not provide access or security controls alone |
| Azure Application Gateway (F) | Moderate | Moderate to High | Application-layer load balancing and WAF | No integrated AD or Conditional Access, VPN still required for IWA |

Real-World Practitioner Insight

Exam Rule

“For the exam, always pick Azure AD Application Proxy when a scenario involves secure remote access to on-premises apps using integrated authentication without VPN.”

Real World

“In production, many enterprises combine Azure AD Application Proxy with Conditional Access policies tied to Intune device compliance and MFA, ensuring secure, seamless access for remote employees globally, even when VPN is impractical.”

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: CertDevPro.com

CertDevPro.com is the flagship hub of Stonehenge Digital Education. We bridge the gap between passing exams and leading high-stakes enterprise projects. Curated by 21-year industry veteran Jeff Taakey, this platform provides strategic blueprints across AWS, Azure, and Google Cloud to solve core business and technical pain points for architects worldwide.


Disclaimer: This is a study note based on simulated scenarios for the GCP ACE exam. It is not an official question from Google Cloud.