Litware, Inc. is a financial services company operating out of main offices in New York and San Francisco, with 30 branch offices and remote employees dispersed throughout the United States. The organization plans to establish a management group hierarchy for each Azure AD tenant, develop a landing zone strategy, and implement Azure AD Application Proxy to securely access internal applications. Litware's existing infrastructure includes an Azure AD tenant that synchronizes with an AD DS forest, multiple AD DS forests, various Azure AD tenants, and hundreds of Azure subscriptions. Key objectives include reducing on-premises infrastructure and operational costs, centralizing cross-tenant subscription management, enforcing compliance with Azure Policy, and using Microsoft Sentinel for security operations. The company also aims to detect brute force attacks, implement leaked credential detection, and delegate user and group management within Azure AD. The landing zone strategy must ensure routing all internet-bound traffic through Azure Firewall, securing communication between virtual machines and web apps over the Microsoft backbone network, minimizing data exfiltration, and delivering a secure score specific to the landing zone. Given these requirements, what configuration should be applied to secure each landing zone?