While preparing for the Azure AZ-305 exam, many architects wrestle with designing secure remote access for legacy on-premises web apps in hybrid identity environments. In enterprises, the challenge usually comes down to balancing user experience with robust security, especially when an internal app must be exposed to external users behind Azure AD authentication and MFA. Let's drill into a simulated hybrid access scenario and apply Microsoft's Cloud Adoption Framework (CAF) security and governance principles.
The Scenario #
Tailspin Manufacturing operates a legacy ASP.NET application ("AppSuite") hosted on an on-premises server (ServerAlpha). Tailspin runs a hybrid identity deployment in which on-premises Active Directory is synchronized to Azure AD (Azure AD Connect). They want employees and external users to access AppSuite securely from the internet using their Azure AD credentials, with Azure Multi-Factor Authentication (MFA) enforced on every sign-in.
Legacy network constraints prevent moving the app workload to Azure immediately, so Tailspin must keep AppSuite on-premises and integrate hybrid access controls and identity protection without changing the code.
Key Requirements #
Recommend the correct sequence of three Azure AD and security features Tailspin should deploy to provide secure external access that enforces Azure AD login and MFA for AppSuite.
The Options #
- A) Azure AD Application Proxy
- B) Azure AD Enterprise Application
- C) Conditional Access Policy
- D) Azure AD Identity Protection
- E) Managed Identity
- F) Access Review
Correct Answer #
A) Azure AD Application Proxy
B) Azure AD Enterprise Application
C) Conditional Access Policy
The Architect’s Analysis #
Step-by-Step Winning Logic #
- Azure AD Application Proxy publishes AppSuite to the internet through a connector installed on-premises (on ServerAlpha or another server with network line of sight to it). The connector opens only outbound HTTPS connections to the Application Proxy service, so no inbound firewall ports or VPN are required; the service is the internet-facing reverse proxy, and with pre-authentication set to Azure AD, users must sign in to Azure AD before any request is forwarded to the app.
- Azure AD Enterprise Application is the representation of AppSuite in the tenant (a service principal) that publishing creates. It holds the external and internal URLs, single sign-on settings, and user/group assignment; with "User assignment required" enabled, only assigned users and groups can reach the app at all.
- Conditional Access Policy targets the AppSuite enterprise application and requires MFA as a grant control, optionally narrowed by user location or device compliance. One caveat a practitioner needs: Conditional Access is only evaluated when the app is published with Azure AD pre-authentication; an app published with passthrough pre-authentication reaches the on-premises server without any Azure AD sign-in, so the policy never fires.
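The three steps above carried out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article or a Microsoft sample. It assumes the Application Proxy connector is already installed on-premises, AppSuite has already been published as an enterprise application named "AppSuite" (the external/internal URLs are set in the portal or via the beta onPremisesPublishing API, which this script only reads), and two illustrative groups exist: "AppSuite-Users" and "BreakGlass-Admins". The policy is created in report-only mode first, because a misconfigured Conditional Access policy can lock legitimate users out.

```powershell
# Added example (not from the original article). Assumed names: the enterprise
# application "AppSuite" and the groups "AppSuite-Users" and "BreakGlass-Admins".
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Group.Read.All",
    "AppRoleAssignment.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Resolve the enterprise application (service principal) and its application object.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'AppSuite'" | Select-Object -First 1
if (-not $sp) { throw "AppSuite is not published as an enterprise application yet." }
$app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'" | Select-Object -First 1

# 2. Read the Application Proxy publishing settings. onPremisesPublishing is only
#    exposed on the beta endpoint, hence the raw Graph call (assumed beta path).
$pub = (Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/applications/$($app.Id)?`$select=onPremisesPublishing").onPremisesPublishing
Write-Host "External URL : $($pub.externalUrl)"
Write-Host "Internal URL : $($pub.internalUrl)"
Write-Host "Pre-auth     : $($pub.externalAuthenticationType)"

# Conditional Access is evaluated only when pre-authentication is Azure AD. A
# passthrough-published app never triggers an Azure AD sign-in, so MFA would never apply.
if ($pub.externalAuthenticationType -ne "aadPreAuthentication") {
    throw "AppSuite uses '$($pub.externalAuthenticationType)' pre-authentication; " +
          "switch it to Azure AD pre-authentication before relying on Conditional Access."
}

# 3. Require assignment on the enterprise application and assign the user group.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
$users = Get-MgGroup -Filter "displayName eq 'AppSuite-Users'"    | Select-Object -First 1
$bg    = Get-MgGroup -Filter "displayName eq 'BreakGlass-Admins'" | Select-Object -First 1
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $users.Id -ResourceId $sp.Id `
    -AppRoleId "00000000-0000-0000-0000-000000000000"   # default access role

# 4. Conditional Access: MFA for AppSuite, scoped to the assigned group, break-glass
#    accounts excluded. Report-only first so the sign-in logs show the impact.
$policy = @{
    displayName = "CA-AppSuite-RequireMFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($users.Id); excludeGroups = @($bg.Id) }
        applications   = @{ includeApplications = @($sp.AppId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($ca.Id) in report-only mode."

# Once the report-only results look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $ca.Id -State "enabled"
```

The pre-authentication check is the part most often skipped: the App Proxy, enterprise application and policy can all exist and look correct in the portal while a passthrough setting quietly leaves the app reachable with no Azure AD sign-in at all.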
This combination adheres closely to the Security and Operational Excellence pillars of the Microsoft Well-Architected Framework: identity governance stays centralized in Azure AD, access conditions are enforced at sign-in, and operations are simplified because the app is neither rehosted nor modified.
The Traps (Distractor Analysis) #
- Option D - Azure AD Identity Protection: provides sign-in and user risk detection and remediation (requires Azure AD Premium P2), and its risk signals are consumed through Conditional Access. On its own it neither publishes the app nor requires MFA.
- Option E - Managed Identity: an Azure-managed identity for workloads (VMs, functions, app services) to authenticate to Azure resources without stored credentials; it has no role in user authentication to an on-premises app.
- Option F - Access Review: periodic entitlement governance (recertifying group and app assignments); it does not enforce authentication or provide proxy access.
The Architect Blueprint #
Mermaid Diagram illustrating the secure hybrid app access flow:
Diagram Note: Users authenticate with Azure AD and MFA before their access request is proxied securely by Azure AD Application Proxy to the on-premises AppSuite.
The Decision Matrix #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| Azure AD Application Proxy | Medium | Included with Azure AD Premium P1 (per-user licensing) | Hybrid access without VPN or inbound firewall changes; integrates with Azure AD authentication and MFA | Requires Azure AD Premium P1 or higher; needs an on-premises connector server with outbound HTTPS to the service and line of sight to the app |
| Azure AD Enterprise Application | Low | Included with Azure AD | Centralized app management, user/group assignment and SSO configuration | Requires correct publishing and permissions setup |
| Conditional Access Policy | Medium | Included with Azure AD Premium P1 | Enforces MFA based on user, app, location and device conditions (sign-in and user risk conditions need P2) | Misconfigured policies can block legitimate users; test in report-only mode first |
| Azure AD Identity Protection | High | Included with Azure AD Premium P2 | Adds risk detection and user risk remediation | Not directly related to proxy access or MFA enforcement |
| Managed Identity | Low | No extra cost | Useful for Azure resource access by workloads | Not applicable for user authentication to legacy apps |
| Access Review | Medium | Included with Azure AD Premium P2 | Useful for entitlement review | Does not affect user login or access enforcement |
Real-World Practitioner Insight #
Exam Rule #
For AZ-305, when you need to securely expose on-premises web applications to external users with Azure AD authentication and MFA, always prioritize Azure AD Application Proxy paired with Conditional Access policies.
Real World #
Tailspin Manufacturing's approach enables phased hybrid modernization. Without costly infrastructure rework or VPN tunnels, deploying Azure AD Application Proxy provides secure internet access that leverages the existing identity investment while deferring full app migration to the cloud.