AZ-305 Designing Microsoft Azure Infrastructure Solutions Exam

Recommend an authentication solution

Authentication is the process of proving a user’s identity before granting access. Authentication protocols define how credentials are verified. Choosing the right approach depends on your environment and security needs.

Azure offers several authentication methods to connect on-premises directories to the cloud:

• Password hash synchronization lets Azure AD use a hash of the on-prem password.
• Pass-through authentication verifies passwords directly against your on-prem domain.
• Federation with AD FS uses tokens from your existing federation server.

For stronger protection, you can enforce Multi-Factor Authentication (MFA). MFA adds a second proof, such as a phone notification or a hardware token. Adding MFA dramatically reduces the risk of account compromise.

When recommending an authentication solution, consider these factors:

• User experience: balance ease of use and security.
• Security requirements: use MFA for sensitive data.
• Cost and licensing: some features may require higher Azure AD tiers.
• Compliance needs: ensure the solution meets regulatory standards.

Recommend an identity management solution

Identity management is how you create, maintain, and remove user identities. Identity providers offer login services, while Single Sign-On (SSO) lets users access multiple applications with one account. Effective identity management simplifies administration and strengthens security.

Azure Active Directory (Azure AD) is a cloud-based identity and access service. It includes features such as:

• Self-service password reset to reduce helpdesk calls.
• Azure AD B2B for external partner collaboration.
• Azure AD B2C to manage customer identities in consumer-facing apps.

To sync on-premises users, use Azure AD Connect. You can choose express settings for quick setup or custom settings for complex requirements. Planning your sync strategy ensures consistent identities across environments.

You can also apply Conditional Access policies in Azure AD. These policies evaluate signals like user location, device state, and risk level to decide if access is granted. Using Conditional Access helps enforce zero-trust principles in your organization.

Recommend a solution for authorizing access to Azure resources

Authorization determines what users can do after they sign in. Role-based Access Control (RBAC) is the primary method in Azure. RBAC assigns permissions based on roles rather than individual rights.

Azure provides built-in roles like Reader, Contributor, and Owner. You can also create custom roles to fit unique needs. Following the principle of least privilege means granting only the permissions required for a task.

Permissions in Azure are scoped at different levels:

• Management group
• Subscription
• Resource group
• Resource
  Understanding scope helps you assign roles at the right level and avoid over-permissioning.

When designing authorization, document who needs access to which resources. Use Azure Policy alongside RBAC to enforce rules, such as requiring tags or limiting VM sizes. Combining policies and RBAC gives you a more controlled environment.

Recommend a solution for authorizing access to on-premises resources

Authorizing on-premises resources often relies on Active Directory (AD) permissions and group policies. Kerberos and NTLM are the traditional authentication protocols in AD. Kerberos is preferred for its ticket-based approach and mutual authentication.

In hybrid scenarios, you can extend Azure AD into your datacenter:

• Azure AD Domain Services (AD DS) lets you join machines to a managed domain without deploying domain controllers.
• AD FS provides federation and single sign-on capabilities using on-prem resources.

To secure network traffic, use VPN or ExpressRoute connections. These options create private links between your on-prem network and Azure. Encrypting data in transit protects sensitive information from interception.

When designing on-prem authorization, ensure trust relationships between forests and domains are properly configured. Document group memberships and apply group-based access control for consistency. Maintaining clear access records helps with auditing and compliance.

Recommend a solution to manage secrets, certificates, and keys

Managing secrets, certificates, and keys centrally reduces the risk of exposure. Azure Key Vault is a cloud service that safeguards cryptographic keys and secret data. Key Vault supports:

• Secrets to store passwords or connection strings.
• Certificates for SSL/TLS and code signing.
• Keys for encryption and signing operations.

Access to Key Vault is controlled by Azure RBAC and Key Vault access policies. You can also use Managed Identities for Azure resources to access Key Vault without storing credentials. Using managed identities simplifies authentication and rotation.

For high security, use Hardware Security Modules (HSM)-backed keys in Key Vault. These keys are protected by FIPS 140-2 Level 2 or higher certification. Opting for HSM helps meet strict regulatory requirements.

Implement key rotation and secret versioning policies to limit the impact of a compromised key. Automated rotation reduces manual effort and ensures your data is always protected. Regular rotation is a best practice for strong security posture.

Conclusion

In designing authentication and authorization solutions on Azure, start by selecting the right authentication protocols to match your security and user experience needs. Use Azure AD features like MFA and Conditional Access to layer protections.

Next, choose an identity management strategy with Azure AD, B2B, or B2C, and plan your directory synchronization carefully with Azure AD Connect. For authorizing access, rely on RBAC and carefully assign roles at the proper scope to uphold the principle of least privilege.

Hybrid environments require integrating on-premises directories using Azure AD DS, AD FS, and secure connections such as VPN or ExpressRoute. Finally, centralize your secret, certificate, and key storage in Azure Key Vault, enforcing HSM-backed protection and automated key rotation. These combined practices establish a robust, scalable, and secure identity and access framework in Azure.