AZ-305 - Design Authentication
1. Azure Active Directory Overview
Azure Active Directory (now Microsoft Entra ID) is the cloud-based identity and access management service at the heart of Azure security. It provides identity services for applications, supports single sign-on (SSO), and acts as the identity provider for Azure resource management and thousands of SaaS applications.
Core Capabilities
Azure AD as Identity Provider
Azure AD acts as a centralized identity provider supporting modern authentication protocols including OAuth 2.0, OpenID Connect, SAML 2.0, and WS-Federation. It handles authentication for the Azure portal, Microsoft 365, and custom applications. A single Azure AD tenant can serve as the identity source for all applications in your organization, so every application integrated with it inherits the same MFA, Conditional Access, and sign-in logging.
Creating a New Azure AD Tenant
A new Azure AD tenant can be created for scenarios such as organizational separation, testing environments, or managing external identities. Each tenant is a dedicated, isolated instance of Azure AD. When you create a new tenant, you become the first user and Global Administrator. You can choose between a Workforce tenant (for employees) or an External tenant (for customers and partners).
Tenant vs Subscription Relationship
An Azure AD tenant can be associated with multiple Azure subscriptions, but each subscription trusts exactly one tenant for identity. Transferring a subscription to a different tenant removes all RBAC role assignments, and anything that depended on identities in the old tenant (managed identities, Key Vault access policies, Azure SQL logins backed by Azure AD) has to be recreated or re-granted. Multiple subscriptions can share the same tenant, enabling centralized identity management across environments.
Azure AD Editions
| Feature | Free | P1 | P2 |
|---|---|---|---|
| User and group management | Yes | Yes | Yes |
| SSO (limit: 10 apps per user for Free) | Limited | Unlimited | Unlimited |
| Multi-Factor Authentication | Security defaults | Conditional Access | Conditional Access |
| Self-Service Password Reset | Cloud users only | Cloud + on-premises writeback | Cloud + on-premises writeback |
| Conditional Access | No | Yes | Yes |
| Identity Protection | No | No | Yes |
| Privileged Identity Management | No | No | Yes |
2. Multi-Factor Authentication (MFA)
MFA is a process where a user is prompted for additional forms of identification during sign-in. It dramatically reduces the risk of compromised accounts by requiring two or more verification methods from different categories: something you know, something you have, and something you are.
MFA Methods
Verification Methods
- Microsoft Authenticator app: push notification (with number matching) or time-based one-time passcode (TOTP).
- FIDO2 security keys: hardware-based passwordless authentication.
- Windows Hello for Business: biometric or PIN tied to a device.
- SMS and voice call: legacy methods being phased out in favor of stronger options because they are vulnerable to SIM swapping and interception.
- Certificate-based authentication: X.509 certificate on a smart card or device.
Security Defaults vs Conditional Access
| Feature | Security Defaults | Conditional Access |
|---|---|---|
| Cost | Free (included with all tiers) | Requires Azure AD P1 or higher |
| Customization | None (all-or-nothing) | Highly granular policies |
| MFA Requirement | All users must register within 14 days; administrators always prompted; other users prompted when necessary (for example from a new device or application) | Per-policy based on conditions |
| Legacy Auth | Blocked entirely | Blocked per policy (configurable) |
| Best For | Small organizations wanting baseline protection | Organizations needing tailored access policies |
Passwordless Authentication
Passwordless Options
Passwordless authentication eliminates the password entirely, replacing it with something you have (a device or key) unlocked by something you are or something you know (a biometric or a local PIN that never leaves the device). Azure AD supports three passwordless methods: Windows Hello for Business (ideal for dedicated Windows PCs), FIDO2 security keys (ideal for shared machines or high-security scenarios), and Microsoft Authenticator app phone sign-in (ideal for a mobile workforce). FIDO2 keys and Windows Hello for Business are phishing-resistant because the private key is bound to the registered device and the sign-in origin, so a credential captured on a look-alike site cannot be replayed; Authenticator phone sign-in is stronger than a password but is not classed as phishing-resistant. Passwordless is more secure and provides a better user experience.
3. AD Synchronization
Most organizations have identity data in on-premises Active Directory Domain Services (AD DS) that needs to be synchronized to Azure AD. Synchronization ensures users can access both on-premises and cloud resources with a single identity.
Azure AD Connect
Azure AD Connect is the on-premises tool that synchronizes identities between on-premises AD DS and Azure AD. It supports three user sign-in methods:
- Password Hash Synchronization (PHS): syncs a salted hash of each user's NT password hash to Azure AD (the password itself never leaves the domain), and Azure AD validates sign-ins on its own.
- Pass-through Authentication (PTA): Azure AD encrypts the entered password and hands it to a lightweight on-premises agent, which validates it against AD DS; no password material is stored in the cloud.
- Federation (AD FS): delegates authentication entirely to on-premises federation servers, with Azure AD trusting the token they issue.
Authentication Methods Comparison
| Method | Where Auth Happens | Infrastructure | Key Benefit |
|---|---|---|---|
| Password Hash Sync (PHS) | Azure AD | Minimal (Azure AD Connect only) | Simplest; works even if on-premises is down |
| Pass-through Auth (PTA) | On-premises AD | Requires PTA agents on-premises (outbound HTTPS only; deploy at least three for availability) | Passwords never stored in cloud; on-premises account policies apply immediately |
| Federation (AD FS) | On-premises federation server | Requires AD FS infrastructure | Advanced claims rules and third-party MFA |
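The following is an added example, not part of the original study guide, showing how to verify on the Azure AD Connect server that the sign-in design matches what the table above describes. It assumes the ADSync module that ships with Azure AD Connect and that you are running as a member of the local ADSyncAdmins group; it uses only cmdlets from that module.

```powershell
# Added example: sanity-check Azure AD Connect sign-in and sync configuration.
# Assumes the ADSync module installed by Azure AD Connect on this server.
Import-Module ADSync

$features  = Get-ADSyncAADCompanyFeature   # tenant feature flags as configured by this server
$scheduler = Get-ADSyncScheduler           # state of the built-in sync scheduler

[pscustomobject]@{
    PasswordHashSyncEnabled = $features.PasswordHashSync
    DeviceWriteback         = $features.DeviceWriteback
    SyncCycleEnabled        = $scheduler.SyncCycleEnabled
    StagingMode             = $scheduler.StagingModeEnabled   # a staging server imports but never exports
    NextSyncUtc             = $scheduler.NextSyncCycleStartTimeInUTC
    EffectiveInterval       = $scheduler.CurrentlyEffectiveSyncCycleInterval
} | Format-List

# Design check: keep PHS on even when PTA or AD FS is the primary sign-in method. It is the
# fallback if the agents or the federation farm are unreachable, and Identity Protection's
# leaked-credential detection needs the synced hashes to compare against.
if (-not $features.PasswordHashSync) {
    Write-Warning "Password hash sync is disabled. Enable it as a backup sign-in method (Azure AD Connect wizard > User sign-in)."
}

# A staging-mode server silently exports nothing; surface that so nobody assumes it is live.
if ($scheduler.StagingModeEnabled) {
    Write-Warning "This server is in staging mode; another Azure AD Connect server must be the active one."
}

# Trigger a delta sync so an on-premises change shows up in the cloud without waiting for
# the next scheduled cycle (every 30 minutes by default).
if ($scheduler.SyncCycleEnabled -and -not $scheduler.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Run this as part of a change window before switching sign-in methods: the two warnings cover the cases (PHS off, or the server you are looking at is the staging server) that most often turn a planned PTA or AD FS outage into a tenant-wide sign-in outage.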
Azure AD Connect Cloud Sync
Cloud Sync vs Azure AD Connect
Azure AD Connect Cloud Sync is a lightweight alternative to Azure AD Connect. Instead of a full on-premises sync engine with its own database, it installs small provisioning agents on-premises and runs the sync logic in the cloud. Cloud Sync advantages: support for multiple disconnected forests, lightweight agent installation, high availability by installing several agents, and configuration from the Azure portal. Limitations: Cloud Sync supports Password Hash Synchronization only (no Pass-through Authentication), does not sync device objects or support device writeback, and does not offer custom sync rules or the depth of attribute filtering that Azure AD Connect does. The supported-feature list changes over time, so confirm it against the current comparison before choosing.
4. Protecting Authentication
Protecting the authentication process involves multiple layers of defense to detect and prevent identity-based attacks such as password spray, brute force, phishing, and token theft.
Conditional Access Policies
Conditional Access
Conditional Access is the Azure AD policy engine that brings signals together to make access decisions. Policies evaluate signals such as user/group membership, IP location, device platform/state, application being accessed, and real-time risk level. Based on these signals, policies can: Allow access, Block access, or Grant access with conditions (require MFA, require compliant device, require approved client app).
Identity Protection
Azure AD Identity Protection (requires P2) uses machine learning to detect risky sign-ins and risky users. It detects risks such as anonymous IP usage, atypical travel, malware-linked IP, unfamiliar sign-in properties, password spray, and leaked credentials (leaked-credential detection needs PHS, because the leaked passwords are compared against the synced hashes). Sign-in risk is scored per authentication request; user risk is an aggregate judgement that the account itself is probably compromised. Risk-based policies, now built as Conditional Access policies with risk conditions, can require MFA or block access for risky sign-ins (low, medium, high) and require a secure password change for risky users.
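The following is an added example, not part of the original study guide, showing the Conditional Access policies described in this section and the Identity Protection risk policies above created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, the tenant is licensed for P2 where risk conditions are used, and the two GUIDs are placeholders for your own emergency-access group and trusted named location.

```powershell
# Added example: Conditional Access and Identity Protection policies via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; caller has Policy.ReadWrite.ConditionalAccess;
# P2 licensing for the risk conditions; GUIDs below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: emergency-access accounts group
$trustedLocationId = "00000000-0000-0000-0000-000000000002"   # placeholder: named location for office egress IPs

# Common scope: every user and every cloud app. The break-glass group is excluded from all
# policies so a mis-scoped policy can never lock the last administrators out of the tenant.
$scope = @{
    users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
}

# 1. Require MFA everywhere except from the trusted named location.
#    Created in report-only mode; the sign-in log then shows what it would have done.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions    = $scope + @{
        locations = @{ includeLocations = @("All"); excludeLocations = @($trustedLocationId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2. User risk (Identity Protection): a high-risk user must pass MFA and then change the password.
#    Graph only accepts "passwordChange" together with "mfa" and the AND operator.
$userRisk = @{
    displayName   = "CA002 - High user risk requires MFA and password change"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ userRiskLevels = @("high") }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

# 3. Sign-in risk: block high-risk sign-ins outright, require MFA for medium risk.
#    Two policies, because block and grant-with-controls are separate decisions.
$signInRiskBlock = @{
    displayName   = "CA003 - Block high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ signInRiskLevels = @("high") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$signInRiskMfa = @{
    displayName   = "CA004 - MFA for medium sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $scope + @{ signInRiskLevels = @("medium") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($requireMfa, $userRisk, $signInRiskBlock, $signInRiskMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0,-55} {1,-35} {2}" -f $created.DisplayName, $created.State, $created.Id
}
```

Two design choices matter here. Every policy starts in report-only mode and is promoted to enabled only after the sign-in log confirms it would not block expected traffic, and every policy excludes the emergency-access group, which is the standard guard against locking yourself out of your own tenant.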
Smart Lockout
Azure AD Smart Lockout locks out attackers who are guessing passwords while letting legitimate users keep signing in. The lockout counter is tracked separately for familiar and unfamiliar locations, so a guessing campaign from an unknown IP address does not lock the real user out of the office network, and the last three bad password hashes are remembered so the same wrong password retyped does not advance the counter. The defaults are 10 failed attempts (3 in Azure US Government) followed by a 60-second lockout that lengthens on repeated failures; custom thresholds require P1. In hybrid environments using PTA or federation, set the Azure AD lockout threshold lower than the on-premises AD DS threshold so that attackers cannot use the cloud sign-in page to lock out on-premises accounts.
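The following is an added example, not part of the original study guide, that triages failed sign-ins for the attack patterns this section describes (password spray versus brute force) and shows where Smart Lockout events appear. The input is a constructed sample in the shape of Entra sign-in log records (the same fields Get-MgAuditLogSignIn returns); error code 50126 is "invalid username or password" and 50053 is "account locked" by Smart Lockout. The thresholds are assumptions chosen for the example, not Microsoft defaults.

```powershell
# Added example: classify failed sign-ins per source IP as password spray or brute force.
# Sample records below are constructed for the example; thresholds are assumptions.
$sampleSignIns = @'
[
 {"createdDateTime":"2024-05-01T08:00:01Z","userPrincipalName":"alice@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T08:00:02Z","userPrincipalName":"bob@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T08:00:03Z","userPrincipalName":"carol@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T08:00:04Z","userPrincipalName":"dave@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T08:00:05Z","userPrincipalName":"erin@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T08:00:06Z","userPrincipalName":"frank@contoso.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T08:05:00Z","userPrincipalName":"bob@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T08:05:03Z","userPrincipalName":"bob@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T08:05:06Z","userPrincipalName":"bob@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T08:05:09Z","userPrincipalName":"bob@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T08:05:12Z","userPrincipalName":"bob@contoso.com","ipAddress":"198.51.100.7","status":{"errorCode":50053}},
 {"createdDateTime":"2024-05-01T09:12:00Z","userPrincipalName":"carol@contoso.com","ipAddress":"192.0.2.5","status":{"errorCode":50126}},
 {"createdDateTime":"2024-05-01T09:12:30Z","userPrincipalName":"carol@contoso.com","ipAddress":"192.0.2.5","status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

function Find-CredentialAttack {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int]    $MinDistinctUsers  = 5,   # assumed: spray = one source touching many accounts
        [double] $MaxAttemptsPerUser = 2   # assumed: spray = few tries per account; brute force = many
    )
    $SignIns |
        Where-Object { $_.status.errorCode -in 50126, 50053 } |   # bad password or locked out
        Group-Object -Property ipAddress |
        ForEach-Object {
            $users   = @($_.Group.userPrincipalName | Sort-Object -Unique)
            $perUser = $_.Count / $users.Count
            $locked  = @($_.Group | Where-Object { $_.status.errorCode -eq 50053 }).Count
            $verdict = if ($users.Count -ge $MinDistinctUsers -and $perUser -le $MaxAttemptsPerUser) {
                           'password-spray'
                       } elseif ($perUser -gt $MaxAttemptsPerUser) {
                           'brute-force'
                       } else {
                           'benign/unknown'
                       }
            [pscustomobject]@{
                IpAddress       = $_.Name
                Failures        = $_.Count
                DistinctUsers   = $users.Count
                AttemptsPerUser = [math]::Round($perUser, 2)
                LockoutEvents   = $locked   # 50053 here means Smart Lockout engaged for this source
                Verdict         = $verdict
            }
        }
}

Find-CredentialAttack -SignIns $sampleSignIns | Sort-Object Failures -Descending | Format-Table -AutoSize
```

On the sample, 203.0.113.10 is reported as a password spray (six accounts, one attempt each), 198.51.100.7 as brute force against one account ending in a 50053 lockout, and 192.0.2.5 as benign (one typo followed by success). Real sprays are low-and-slow and spread across many source addresses, so in production you would also bucket by time window and by user principal name rather than by IP alone; that wider correlation is what Identity Protection's password-spray detection does at tenant scale.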
5. Self-Service Password Reset (SSPR)
SSPR allows users to reset their own passwords without contacting helpdesk administrators. This reduces support costs and improves user productivity while maintaining security through verification methods.
SSPR Configuration
SSPR Requirements
SSPR requires Azure AD Premium P1 or P2 for on-premises password writeback. For cloud-only users, the Free tier supports SSPR. Configuration includes:
- enabling SSPR for all users or selected groups (pilot with a group first),
- requiring one or two authentication methods for a reset,
- selecting the allowed methods (mobile app notification, mobile app code, email, mobile phone, office phone, security questions), and
- enabling password writeback for hybrid environments.
SSPR Authentication Methods
Available SSPR Methods
- Mobile app notification: push to Microsoft Authenticator.
- Mobile app code: TOTP from an authenticator app.
- Email: code sent to an alternate (non-corporate) email address.
- Mobile phone: SMS code.
- Office phone: voice call.
- Security questions: predefined or custom questions; not recommended as the sole method for high-security scenarios because answers are often guessable or discoverable, and not available to administrator accounts, which must always use two methods.
You can require 1 or 2 methods for a reset; requiring 2 means an attacker who controls one channel (a SIM-swapped phone number, a compromised personal mailbox) cannot reset the password on their own.
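The following is an added example, not part of the original study guide, that reports SSPR registration coverage with the Microsoft Graph PowerShell SDK so you can see who is in scope of SSPR but cannot actually reset, and whose reset would rest only on the weaker methods listed above. It assumes the Microsoft.Graph module is installed and the caller holds the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions; the "weak method" list is this example's own classification, not a Microsoft category.

```powershell
# Added example: SSPR registration coverage report via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; caller has AuditLog.Read.All and
# UserAuthenticationMethod.Read.All. $weakMethods is this example's own classification.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Reset channels that are phishable, interceptable, or socially engineerable on their own.
$weakMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email', 'securityQuestion')

function Get-SsprCoverageReport {
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    foreach ($u in $details) {
        $registered = @($u.MethodsRegistered)
        $strong     = @($registered | Where-Object { $_ -notin $weakMethods })

        $finding = if ($u.IsSsprEnabled -and -not $u.IsSsprCapable) {
                       'in SSPR scope but cannot reset: will land on the helpdesk'
                   } elseif ($u.IsSsprCapable -and $strong.Count -eq 0) {
                       'reset relies only on SMS/voice/email/questions'
                   } elseif ($u.IsAdmin -and -not $u.IsSsprCapable) {
                       'administrator without two registered methods'
                   } else {
                       $null
                   }

        [pscustomobject]@{
            User        = $u.UserPrincipalName
            IsAdmin     = $u.IsAdmin
            SsprEnabled = $u.IsSsprEnabled    # covered by the SSPR policy scope
            SsprCapable = $u.IsSsprCapable    # has enough registered methods to complete a reset
            Methods     = ($registered -join ',')
            Finding     = $finding
        }
    }
}

# Only rows that need action; drop the Where-Object to see the full population.
Get-SsprCoverageReport | Where-Object Finding | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
```

Run this after a registration campaign and before enabling SSPR for a new group: the first finding is the population that will generate helpdesk tickets on day one, and the second is where an attacker with a SIM swap or a compromised personal mailbox could reset a corporate password without touching MFA.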
Password Writeback
Password writeback is a feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to the on-premises directory in real time. This is essential for hybrid environments where users need a consistent password experience. It supports SSPR, admin password resets, and Azure AD password change. It uses a secure outbound connection and does not require any inbound firewall rules.
Key Terms
| Term | Definition |
|---|---|
| Azure AD (Entra ID) | Cloud-based identity and access management service providing authentication and authorization. |
| MFA | Multi-Factor Authentication requiring two or more verification methods from different categories. |
| PHS | Password Hash Synchronization - syncs a hash of password hashes from on-premises AD to Azure AD. |
| PTA | Pass-through Authentication - validates passwords against on-premises AD without storing them in the cloud. |
| Azure AD Connect | On-premises tool that synchronizes identities between AD DS and Azure AD. |
| Cloud Sync | Lightweight Azure AD synchronization using cloud provisioning agents for multi-forest and disconnected scenarios. |
| SSPR | Self-Service Password Reset allowing users to reset passwords without administrator assistance. |
| Conditional Access | Policy engine that enforces access decisions based on identity signals, location, device, and risk. |
Exam Tips
- Know the three authentication methods: PHS is simplest and most resilient. PTA keeps passwords on-premises. Federation provides the most control with claims rules. PHS is recommended as a backup even when using PTA or Federation; switching sign-in to PHS is a manual change in the Azure AD Connect wizard, not an automatic failover, so keep it synchronizing in parallel rather than planning to turn it on during an outage.
- Conditional Access requires P1: Security defaults are free and provide baseline protection. For granular policies (per-app, per-user, location-based), you need Conditional Access with Azure AD P1.
- Identity Protection requires P2: Risk-based policies that automatically detect and respond to risky sign-ins and risky users require Azure AD P2.
- SSPR with writeback requires P1 and Azure AD Connect: Cloud-only SSPR works with Free tier, but writing passwords back to on-premises AD requires P1 plus Azure AD Connect configured with password writeback.
- Passwordless is the strategy going forward: FIDO2 keys for shared/high-security, Windows Hello for dedicated PCs, Authenticator app for mobile users.
- Cloud Sync vs Azure AD Connect: Cloud Sync is lighter, supports multi-forest, and is managed from the portal. Azure AD Connect is still needed for advanced scenarios like device writeback and custom sync rules.
Practice Questions
Question 1
Your organization has an on-premises Active Directory with 10,000 users and requires that passwords are never stored in Azure AD. Users must authenticate against on-premises AD. Which authentication method should you select?
A. Password Hash Synchronization (PHS)
B. Pass-through Authentication (PTA)
C. Federation with AD FS
D. Cloud-only authentication
Answer: B
Pass-through Authentication validates passwords directly against on-premises AD. Azure AD encrypts the password the user enters with the PTA agent's public key and queues it for an on-premises agent, which validates it against AD DS and returns only the result; nothing password-related is stored in the cloud. PHS would store a hash of each password hash in Azure AD. While Federation also validates on-premises, PTA is simpler and meets the requirement without AD FS infrastructure.
Question 2
You need to implement MFA for all users with the ability to exclude specific trusted IP ranges and require MFA only for specific applications. Which approach should you use?
A. Enable Security Defaults for the tenant
B. Configure per-user MFA settings in the legacy portal
C. Create Conditional Access policies with MFA requirements
D. Enable Microsoft Authenticator registration for all users
Answer: C
Conditional Access provides granular control to define policies based on conditions such as IP location (named locations), application, user group, device state, and risk. Security Defaults is all-or-nothing and cannot exclude trusted IPs or target specific applications.
Question 3
Your organization has multiple disconnected Active Directory forests with no trust relationships. You need to synchronize all forests to a single Azure AD tenant. What should you use?
A. Azure AD Connect with a single instance
B. Azure AD Connect with multiple instances (one per forest)
C. Azure AD Connect Cloud Sync with agents in each forest
D. Manual user provisioning via Azure AD Graph API
Answer: C
Azure AD Connect Cloud Sync is designed for multi-forest disconnected scenarios. Lightweight provisioning agents are installed in each forest instead of a full sync engine. Azure AD Connect can manage several forests from one server only when that server has network connectivity to every forest, and a tenant supports only one active Azure AD Connect server (plus staging servers), so forests with no connectivity between them need a Cloud Sync agent in each forest.
Question 4
Users in your hybrid environment need to reset their passwords from the Azure AD sign-in page, and the change must reflect immediately in on-premises AD. What must you configure?
A. SSPR enabled in Azure AD only
B. SSPR with password writeback enabled in Azure AD Connect
C. Azure AD Connect with PHS and SSPR
D. On-premises AD password reset service
Answer: B
For password changes in the cloud to be written back to on-premises AD, you must enable password writeback in Azure AD Connect. Combined with SSPR configuration in Azure AD, this allows users to reset their passwords from the cloud portal with immediate synchronization to on-premises. Requires Azure AD P1.
Question 5
You want to detect and block sign-ins from users whose credentials have been leaked, and automatically require password changes for high-risk users. What should you implement?
A. Conditional Access policies with device compliance
B. Azure AD Identity Protection with user risk and sign-in risk policies
C. Security Defaults with MFA enabled
D. Smart Lockout with custom lockout thresholds
Answer: B
Azure AD Identity Protection (requires P2) uses machine learning to detect leaked credentials and risky sign-in behaviors. User risk policies can automatically force a password change when a user is flagged as high risk. Sign-in risk policies can require MFA or block access for risky sign-ins.