Exam AZ-305 topic 4 question 3 discussion

D seems to be correct. You can use Azure AD DS and sync identities needed from Azure AD to Azure AD DS to use legacy protocols like LDAP. Kerberos and NTLM

AD DS in azure on a VM would be easiest option however policy restricts access. Correct answer - D

Microsoft Entra Domain Services

D is correct

D. Azure AD Domain Services (Azure AD DS) Justification: Azure AD DS: Offers LDAP, Kerberos, and NTLM authentication without requiring a direct connection to on-premises AD, ensuring compliance with the security policy. Functionality: Allows App1 to perform LDAP queries to verify user identities using the synchronized data from Azure AD. Security: Prevents virtual machines in Subscription1 from accessing the on-premises network directly.

D is correct, App Proxy would not work & both the VPN gateway or DC in Azure IaaS would violate the requirement that virtual machines and services deployed to Subscription1 must be prevented from accessing the on-premises network.

D. Azure AD Domain Services (Azure AD DS) Azure AD Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication. It integrates with your existing Azure AD tenant, allowing you to continue using LDAP queries to verify user identities after migrating Server1 to a virtual machine in Subscription1. By using Azure AD DS, you can ensure that App1 continues to function after migration while adhering to the company security policy that prevents virtual machines and services deployed to Subscription1 from accessing the on-premises network.

D. Azure AD Domain Services (Azure AD DS)

Example here: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/scenarios#azure-ad-ds-for-hybrid-organizations Azure AD Already exists and is synced with on premises AD.

D, Reason: An Azure AD DS managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud. Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure.

D is correct. B is incorrect, since AAD is already in place and synced with AD on-premise.

This is the best answer. Azure AD DS was designed exactly for this type of scenario.

Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.

Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client.

was in exam 1 June 2022

Correct answer - D https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs#can-i-add-domain-controllers-to-an-azure-ad-domain-services-managed-domain-

App1 requires to use LDAP queries to verify identities. I suppose the App will not modify (question doesn't refer to any changes in the App), no LDAP in AZ AD, so the only possibility is deploy an AD DS in Azure. VPN is in place. B seems to be correct, a Domain Controller in Azure