A company has an on-premises web-based expense report application. The IT team wants to make this application accessible to remote employees over the internet without requiring a VPN. They need to use Microsoft Entra ID for authentication and apply Conditional Access policies such as requiring multi-factor authentication. Which Microsoft Entra ID feature should they implement?
Application Proxy publishes on-premises apps through the cloud, allowing remote users to access them securely with Entra ID authentication and Conditional Access.
Why this answer
Azure AD Application Proxy allows on-premises web applications to be published for remote access without a VPN. It integrates with Microsoft Entra ID for authentication and supports Conditional Access policies, including multi-factor authentication, by acting as a reverse proxy that forwards authenticated requests to the internal application.
Exam trap
Candidates may confuse Azure AD Application Proxy with a VPN solution, or assume that Azure AD Domain Services is needed for authentication. The key is that Application Proxy specifically publishes on-premises web apps with Entra ID authentication and Conditional Access support, without requiring a VPN.
How to eliminate wrong answers
Option B is wrong because Self-service password reset (SSPR) is a feature for users to reset their own passwords, not for publishing on-premises applications or enabling remote access without a VPN.
Option C is wrong because Azure AD B2B collaboration is designed for sharing applications and resources with external guest users from partner organizations, not for providing remote access to internal employees for an on-premises app.
Option D is wrong because Azure AD Domain Services provides managed domain services like LDAP and Kerberos for Azure VMs, not a reverse proxy solution for web application access.