Exam AZ-500 topic 2 question 4 discussion

PTA for sure as you need to enforce on prem password policies hence pass through to on prem

This is the breaking point, actually password policies is not like GPO(GPOs are only in AADDS and ADDS, no such thing like GPOs in AAD) ---- ✑ Ensures that password policies and user logon restrictions apply to user accounts that are synced to the tenant Also, we need to have less servers to manage ✑ Minimizes the number of servers required for the solution. Which authentication method should you include in the recommendation? A. federated identity with Active Directory Federation Services (AD FS) - completely not matching our requirements. B. password hash synchronization with seamless single sign-on (SSO) - this is match C. pass-through authentication with seamless single sign-on (SSO) - this is match as well. Why B is more correct? Because both authentication methods enforce password policies, but with B we do not have to manage large on prem infrastructure in order to protect sign in process. Which meets the second requirements in the question - minimize the servers required. At first I got confused as well, but in question they are talking about password policies not GPOs. Which make sense why B is the correct one.

A - too many servers B - logon restrictions etc. not synced

C. Pass-through authentication with seamless single sign-on (SSO) Minimizes Servers: PTA leverages a lightweight agent installed on a Windows Server in your on-premises network, reducing server requirements compared to AD FS. Enforces Policies: During user sign-in, PTA validates user credentials directly against your on-premises AD. This ensures that on-premises password policies and logon restrictions are applied to synchronized accounts in Azure AD.

C. password hash sync The solution is not dependent on the type of sync, so the easier to setup is hash sync Microsoft Entra Password Protection is designed with the following principles in mind: The software isn't dependent on other Microsoft Entra features. For example, Microsoft Entra password hash sync (PHS) isn't related or required for Microsoft Entra Password Protection.

Answer: C Explanation: 1. C. pass-through authentication with seamless single sign-on (SSO) 2. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method (PTA).https://learn.microsoft.com/en- us/azure/active-directory/hybrid/choose-ad-authn

C: PTA This feature is an alternative to Microsoft Entra Password Hash Synchronization, which provides the same benefit of cloud authentication to organizations. However, certain organizations wanting to enforce their on-premises Active Directory security and password policies, can choose to use Pass-through Authentication instead. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta#what-is-microsoft-entra-pass-through-authentication

you can't ensures that password policies and user logon restrictions appl on hashes

Pass through is required to enforce on-prem login requirements

C can be answrer The recommended authentication method is pass-through authentication with seamless single sign-on (SSO) because it enforces on-premises password policies and user logon restrictions, ensuring consistency with Azure AD. This approach also minimizes the need for additional servers, making the solution efficient. Seamless SSO enhances the user experience by enabling single sign-on for both on-premises and cloud resources.

C is answer

C. pass-through authentication with seamless single sign-on (SSO)

Pass-through is required for logon restrictions.

PHA - does not fulfil the policy enforcement though password hashs are sync to AAD via AD Connect but still not sufficient to authenticate with on-perm AD credentials Federated with/without AD DS on-premise or brand new setup in Azure - requires mice of additional servers/VMs PTA - enables enforcement of on-prem AD policies and authentication of user accounts So I would go with PTA since its the closest possible answer.

To meet the requirements of ensuring password policies and user logon restrictions apply to user accounts synced to the Azure AD tenant while minimizing the number of servers required, the recommended authentication method is password hash synchronization with seamless single sign-on (SSO). With password hash synchronization, the password hashes from on-premises Active Directory are synchronized to Azure AD. This allows users to sign in to Azure AD using their on-premises passwords. By enabling seamless single sign-on (SSO), users can access Azure AD-integrated resources without needing to re-enter their credentials. This solution ensures that the password policies and user logon restrictions defined in the on-premises Active Directory apply to the synchronized user accounts in Azure AD. Additionally, it minimizes the infrastructure requirements as it does not require additional servers, such as Active Directory Federation Services (AD FS), for federated identity.

Pass-through authentication with Seamless Single Sign-On requires a separate agent to be installed on-premises and as a requirement it is necessary to minimize the number of servers. the correct answer is B.

C: PTA Per Microsoft KB "This feature [PTA] is an alternative to Azure AD Password Hash Synchronization, which provides the same benefit of cloud authentication to organizations. However, certain organizations wanting to enforce their on-premises Active Directory security and password policies, can choose to use Pass-through Authentication instead. " https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta