Azure Identity Solution for Technical Requirements | Contoso Case Study

Azure Identity Solution

Question

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study -

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview -

Contoso, Ltd. is a manufacturing company that has offices worldwide. Contoso works with partner organizations to bring products to market.

Contoso products are manufactured by using blueprint files that the company authors and maintains.

Existing Environment -

Currently, Contoso uses multiple types of servers for business operations, including the following:

File servers

Domain controllers

Microsoft SQL Server servers

Your network contains an Active Directory forest named contoso.com. All servers and client computers are joined to Active Directory.

You have a public-facing application named App1. App1 consists of the following three tiers:

A SQL database

A web front end

A processing middle tier

Each tier consists of five virtual machines. Users access the web front end by using HTTPS only.

Requirements -

Planned Changes -

Contoso plans to implement the following changes to the infrastructure:

Move all the tiers of App1 to Azure.

Move the existing product blueprint files to Azure Blob storage.

Create a hybrid directory to support an upcoming Microsoft Office 365 migration project.

Technical Requirements -

Contoso must meet the following technical requirements:

Move all the virtual machines for App1 to Azure.

Minimize the number of open ports between the App1 tiers.

Ensure that all the virtual machines for App1 are protected by backups.

Copy the blueprint files to Azure over the Internet.

Ensure that the blueprint files are stored in the archive storage tier.

Ensure that partner access to the blueprint files is secured and temporary.

Prevent user passwords or hashes of passwords from being stored in Azure.

Use unmanaged standard storage for the hard disks of the virtual machines.

Ensure that when users join devices to Azure Active Directory (Azure AD), the users use a mobile phone to verify their identity.

Minimize administrative effort whenever possible.

User Requirements -

Contoso identifies the following requirements for users:

Ensure that only users who are part of a group named Pilot can join devices to Azure AD.

Designate a new user named Admin1 as the service administrator of the Azure subscription.

Admin1 must receive email alerts regarding service outages.

Ensure that a new user named User3 can create network objects for the Azure subscription.

You need to recommend an identity solution that meets the technical requirements.

What should you recommend?


Correct answer: D

Azure Active Directory (Azure AD) Pass-through Authentication allows users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory. On-premises passwords are never stored in the cloud in any form.

Scenario: Technical Requirements include:

Prevent user passwords or hashes of passwords from being stored in Azure.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta
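To make the security-relevant difference concrete, the following is an added example (not part of the case study, the explanations above, or any Microsoft code) that models where credential material ends up under the two hybrid sign-in options: password hash synchronization (PHS) and Pass-through Authentication (PTA). The derivation steps for PHS (hex-encode the 16-byte on-premises hash, re-encode as UTF-16LE, PBKDF2-HMAC-SHA256 with a 10-byte per-user salt and 1000 iterations) follow what Microsoft documents for Azure AD Connect; everything else (the `OnPremDirectory` class, the record layout, the user, password and salt values) is a constructed assumption for illustration. The on-premises NT hash (MD4) is replaced by a labelled SHA-256 stand-in because MD4 is not reliably available in `hashlib`.

```python
"""Constructed model of PHS vs PTA: what a cloud directory object holds in each case."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ITERATIONS = 1000  # iteration count Microsoft documents for password hash sync
SALT_LEN = 10             # per-user salt length Microsoft documents for password hash sync


def onprem_hash(password: str) -> bytes:
    """Stand-in for the 16-byte NT hash (MD4 over UTF-16LE).

    MD4 is often unavailable in hashlib, so SHA-256 truncated to 16 bytes is
    used here (assumption for the example); only the 16-byte length matters."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()[:16]


@dataclass
class OnPremDirectory:
    """Constructed on-premises AD: the only place the raw verifier lives."""
    verifiers: dict = field(default_factory=dict)  # upn -> 16-byte hash

    def add_user(self, upn: str, password: str) -> None:
        self.verifiers[upn] = onprem_hash(password)

    def validate(self, upn: str, password: str) -> bool:
        stored = self.verifiers.get(upn)
        return stored is not None and hmac.compare_digest(stored, onprem_hash(password))


def derive_phs_verifier(verifier16: bytes, salt: bytes) -> bytes:
    """Documented PHS transform of the on-premises hash before it is sent to Azure AD."""
    expanded = verifier16.hex().encode("utf-16-le")   # 32 hex chars -> 64 bytes
    assert len(expanded) == 64
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, PBKDF2_ITERATIONS, dklen=32)


def phs_sync(onprem: OnPremDirectory, upn: str, salt: Optional[bytes] = None) -> dict:
    """Cloud object produced by password hash sync: a salted, iterated derivative
    of the on-premises hash is stored in Azure AD together with its salt."""
    salt = salt or os.urandom(SALT_LEN)
    return {"upn": upn, "method": "PHS", "salt": salt,
            "verifier": derive_phs_verifier(onprem.verifiers[upn], salt)}


def pta_provision(upn: str) -> dict:
    """Cloud object under Pass-through Authentication: no credential field at all."""
    return {"upn": upn, "method": "PTA"}


def cloud_holds_password_material(record: dict) -> bool:
    """True when anything derived from the user's password is stored in the cloud."""
    return "verifier" in record or "salt" in record


def phs_sign_in(record: dict, password: str) -> bool:
    """Cloud-side check: derive from the supplied password and compare to the stored value."""
    candidate = derive_phs_verifier(onprem_hash(password), record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


def pta_sign_in(record: dict, password: str, agent_directory: OnPremDirectory) -> bool:
    """The cloud forwards the credential to the on-premises agent, which validates it
    locally; only the yes/no result travels back, nothing password-derived is kept."""
    return agent_directory.validate(record["upn"], password)


if __name__ == "__main__":
    ad = OnPremDirectory()
    ad.add_user("user1@contoso.com", "Constructed-Passw0rd")  # constructed sample user
    for rec in (phs_sync(ad, "user1@contoso.com"), pta_provision("user1@contoso.com")):
        print(rec["method"], "stores password material in cloud:",
              cloud_holds_password_material(rec))
```

`cloud_holds_password_material` is the check that maps directly onto the "prevent user passwords or hashes of passwords from being stored in Azure" requirement: the PHS record carries a password-derived verifier (which is also what an exposure of tenant data would reveal), while the PTA record carries none, which is why PTA with SSO (option D) is the solution that satisfies it.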

Based on the technical requirements, the recommended identity solution should allow for mobile phone verification for Azure AD device join, prevent user password or password hash storage in Azure, and minimize administrative effort.

Option A, federated single sign-on (SSO) and Active Directory Federation Services (AD FS), is a possible solution for identity management, but it requires additional infrastructure, such as AD FS servers, and may not be the most efficient solution for the technical requirements specified.

Option B, password hash synchronization and single sign-on (SSO), is a simpler solution that synchronizes user passwords from on-premises Active Directory to Azure AD and allows for SSO to Azure resources. This option meets the requirement to prevent user password or password hash storage in Azure, as the password hashes are only stored on-premises. It also supports mobile phone verification for Azure AD device join and minimizes administrative effort.

Option C, cloud-only user accounts, is not a viable solution for this scenario as Contoso already has an existing on-premises Active Directory forest and requires a hybrid directory for the upcoming Office 365 migration project.

Option D, Pass-through Authentication and single sign-on (SSO), is a solution that allows for password validation against on-premises Active Directory and provides SSO to Azure resources. However, it may not meet the requirement to prevent user password or password hash storage in Azure, as password validation occurs on-premises.

Therefore, based on the technical requirements specified, the recommended identity solution is option B, password hash synchronization and single sign-on (SSO).