Your organization, Fabrikam Inc., is migrating from on-premises Active Directory to Microsoft Entra ID. You have a custom line-of-business (LOB) application that uses Windows Integrated Authentication (WIA) and requires Kerberos delegation. The application will be hosted on Azure VMs. You need to enable users to sign in to the LOB application using their Microsoft Entra ID credentials without exposing the application to the internet. Which approach should you use?
Application Proxy provides secure remote access and supports KCD for WIA apps.
Why this answer
Option B is correct because Microsoft Entra Application Proxy with Kerberos Constrained Delegation (KCD) allows you to publish an on-premises or Azure VM-hosted application that uses Windows Integrated Authentication (WIA) without exposing it to the internet. The Application Proxy service handles pre-authentication with Microsoft Entra ID, then uses KCD to obtain a Kerberos ticket on behalf of the user, enabling seamless sign-in with Entra ID credentials while keeping the application internal.
Exam trap
The trap here is that candidates often treat Microsoft Entra Domain Services as a full replacement for on-premises Active Directory, not realizing that it does not provide the Kerberos delegation path needed for Application Proxy to work with WIA. They also overlook the requirement to keep the application off the internet, which eliminates the VPN-based options.
How to eliminate wrong answers
Option A is wrong because Microsoft Entra Domain Services provides a managed domain with Kerberos and NTLM support, but it does not integrate with Microsoft Entra ID for user authentication in the way required: users would still need to authenticate against the managed domain, not directly with their Entra ID credentials, and the application would be exposed to the internet unless additional measures are taken.

Option C is wrong because setting up a site-to-site VPN and joining Azure VMs to the on-premises domain requires the application to be exposed to the internet or to rely on the VPN for connectivity, and it does not enable users to sign in using their Microsoft Entra ID credentials; they would still need on-premises Active Directory credentials.

Option D is wrong because installing Azure AD Connect and syncing users to Entra ID does not address the need for Kerberos delegation or Windows Integrated Authentication; configuring the app to use OAuth 2.0 would require rewriting the application to support modern authentication, which is not a migration approach for a legacy WIA app.