Design for cloud/hybrid identity

  • 9/19/2016

Thought experiment answer

This section contains the solution to the thought experiment. Each answer explains why the answer choice is correct.

  1. One of the company’s requirements is to reduce the use of on-premises servers. A federated identity would go against that requirement because you would need to add Web Application Proxy servers in the perimeter network and AD FS servers on the internal network. Instead, you should use synced identities. You can install Azure AD Connect on an existing server. Or, you could deploy a single new server for Azure AD Connect, which meets the requirement of minimizing the use of on-premises servers.
  2. You should introduce Azure MFA to reduce the impact of compromised usernames and passwords. With Azure MFA, even if usernames and passwords become compromised, attackers wouldn’t be able to sign into applications that are configured with multi-factor authentication. And at the first attempt to use stolen credentials, the legitimate user would receive an Azure MFA prompt they did not initiate, which works as a monitor and alarm when something is amiss.
  3. You should implement the Azure Access Panel along with SSO. With Azure Access Panel, you can enable self-service features such as password reset, profile management, and group management. By offloading some user management tasks to users, you reduce the administrative overhead for your IT teams.
  4. To improve the user experience regarding managing multiple credentials, you should integrate applications with Azure AD and configure SSO. Then, you should have users add the applications to their Access Panel page. Thereafter, users can go to applications from their Access Panel page without having to authenticate or remember different usernames and passwords. Their company AD DS credentials would effectively give them access to all of the integrated applications.
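As an added example (not from the book), the per-user Azure MFA enforcement and coverage check behind answer 2, using the MSOnline PowerShell module that was the administration module at the time; the user principal names and the contoso.com domain are constructed placeholders, and the caller is assumed to hold an Azure AD administrator role:

```powershell
# Added example: enforce per-user Azure MFA and report users still uncovered.
# Assumes the MSOnline module is installed and the signed-in account is an admin.
Connect-MsolService

# Constructed sample of users who must be covered; in practice pull from a group.
$targets = @('alice@contoso.com', 'bob@contoso.com')

# One requirement object applied to all relying parties; 'Enabled' prompts the
# user to register a second factor at next sign-in.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State        = 'Enabled'

foreach ($upn in $targets) {
    $user = Get-MsolUser -UserPrincipalName $upn
    if ($user.StrongAuthenticationRequirements.Count -eq 0) {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
        Write-Output "Enabled MFA requirement for $upn"
    }
}

# Audit: a licensed user with neither an MFA requirement nor a registered
# method can still be signed in with a password alone, so list them.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and
                   $_.StrongAuthenticationRequirements.Count -eq 0 -and
                   $_.StrongAuthenticationMethods.Count -eq 0 } |
    Select-Object UserPrincipalName, DisplayName |
    Format-Table -AutoSize
```

Run the audit block on its own to measure coverage before and after rolling the requirement out to a pilot group.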