
SSO Design for Hybrid Identity | Azure AZ-305

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the AZ-305: Designing Microsoft Azure Infrastructure Solutions exam, many candidates struggle with selecting the right single sign-on (SSO) method for legacy applications during identity modernization projects. In the enterprise world, this decision often hinges on balancing ease of integration, security posture, and compatibility with Azure Active Directory capabilities. Let’s drill into a simulated enterprise migration scenario.

The Scenario

Tailwind Manufacturing is a traditional enterprise with a legacy HR vacation request application used by approximately 6,000 employees worldwide. The application currently manages its own user credential store and requires users to enter usernames and passwords manually; there is no integration with any identity provider. The company is embarking on a cloud transformation journey aligned with the Microsoft Cloud Adoption Framework, aiming to modernize authentication by upgrading the application to support Azure Active Directory-based single sign-on (SSO).

The IT team plans to register the application in Azure AD and enable SSO capabilities to improve security, reduce password fatigue, and centralize identity governance. The application does not currently support modern authentication protocols natively.

Key Requirements

Identify the best SSO method to enable Azure AD authentication for this legacy application without rewriting the application to support SAML or OpenID Connect protocols, while ensuring a seamless user sign-in experience.

The Options

  • A) Header-based authentication
  • B) SAML (Security Assertion Markup Language)
  • C) Password-based SSO
  • D) OpenID Connect (OIDC)

Correct Answer

C) Password-based SSO.

Step-by-Step Winning Logic

Password-based SSO, whether delivered through Azure AD Application Proxy or directly through Azure AD, allows enterprises to integrate legacy applications that do not understand federation protocols like SAML or OpenID Connect: Azure AD handles the user's stored credentials behind the scenes and submits them to the application's own sign-in form. This keeps the user experience seamless, enables centralized credential management, and supports corporate compliance requirements.

From a Well-Architected Framework perspective:

  • Security: Credentials are never stored in clear text in Azure AD; they are securely managed and protected. Because sign-in now passes through Azure AD, conditional access policies can be applied, which reduces password fatigue and phishing risk.
  • Operational Excellence: Minimizes application changes and accelerates migration timelines.
  • Reliability: Provides high availability through Azure AD infrastructure.
  • Cost Optimization: Avoids rewriting or replacing legacy apps immediately.
  • Performance Efficiency: Leverages existing protocols with minimal overhead.

💎 Professional-Level Analysis

This section breaks down the scenario from a professional exam perspective, focusing on constraints, trade-offs, and the decision signals used to eliminate incorrect options.

🔐 Expert Deep Dive: Why Options Fail

This walkthrough explains how the exam expects you to reason through the scenario step by step, highlighting the constraints and trade-offs that invalidate each incorrect option.


🔐 The Traps (Distractor Analysis)

This section explains why each incorrect option looks reasonable at first glance, and the specific assumptions or constraints that ultimately make it fail.

The difference between the correct answer and the distractors comes down to one decision assumption most candidates overlook.

  • Why not A (Header-Based Authentication)?
    Header-based SSO requires the application and infrastructure to trust incoming HTTP headers for identity, which is not usually supported by legacy applications without customization and can expose security risks if not configured properly.

  • Why not B (SAML)?
    While SAML is a secure, widely supported federation protocol, the legacy app currently does not support any identity provider integration. Implementing SAML would require significant development or middleware.

  • Why not D (OpenID Connect)?
    OpenID Connect is a modern protocol ideal for web-native apps. However, the legacy application in this scenario cannot be modified to support OIDC tokens directly.


🔐 The Solution Blueprint

This blueprint visualizes the expected solution, showing how services interact and which architectural pattern the exam is testing.

Seeing the full solution end to end often makes the trade-offs, and the failure points of simpler options, immediately clear.

Diagram illustrating Azure AD Password-Based SSO flow leveraging Azure AD Application Proxy

graph TD
    User([User Browser]) -->|Access app URL| AzureAD[Azure Active Directory]
    AzureAD -->|Authenticate user| User
    AzureAD -->|Provide SSO token| AppProxy[Azure AD Application Proxy]
    AppProxy -->|Injects credentials securely| LegacyApp[Legacy Vacation App Server]
    LegacyApp -->|Processes request| Database[(App DB)]
    style AzureAD fill:#0078D4,stroke:#333,color:#fff
    style AppProxy fill:#68217A,stroke:#333,color:#fff
    style LegacyApp fill:#5C2D91,stroke:#333,color:#fff

Diagram Note: The user authenticates against Azure AD, which manages credentials securely and proxies the sign-in to the legacy app using password-based SSO, enabling seamless access without changing the app.


🔐 The Decision Matrix

This matrix compares all options across cost, complexity, and operational impact, making the trade-offs explicit and the correct choice logically defensible.

At the professional level, the exam expects you to justify your choice by explicitly comparing cost, complexity, and operational impact.

| Option                | Est. Complexity | Est. Monthly Cost        | Pros                                             | Cons                                            |
|-----------------------|-----------------|--------------------------|--------------------------------------------------|-------------------------------------------------|
| A) Header-Based       | High            | Low to Medium            | Lightweight if supported; no credential storage  | Legacy apps rarely support it; security risks   |
| B) SAML               | Medium-High     | Medium                   | Strong security; industry standard               | Requires app federation support or rewrite      |
| C) Password-based SSO | Low             | Low-Medium (App Proxy)   | Fast to deploy; no app changes; centralized creds | Requires secure credential handling setup       |
| D) OpenID Connect     | Medium-High     | Medium to High           | Modern protocol; robust security                 | Not supported by legacy app without rewrite     |


🔐 Real-World Practitioner Insight

This section connects the exam scenario to real production environments, highlighting how similar decisions are made, and often misjudged, in practice.

This is the kind of decision that frequently looks correct on paper, but creates long-term friction once deployed in production.

Exam Rule

“For the exam, always pick Password-based SSO when you see a legacy app that cannot support federation protocols natively but still needs SSO integration.”

Real World

In practice, many enterprises use Azure AD Application Proxy with password-based SSO as a bridging strategy to onboard legacy on-premises apps rapidly into Azure AD. This buys time to modernize apps progressively while meeting governance and security policies enforced centrally through Azure AD.
