AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is migrating applications to AWS. The applications are deployed in different accounts. The company manages the accounts centrally by using AWS Organizations. The company's security team needs a single sign-on (SSO) solution across all the company's accounts. The company must continue managing the users and groups in its on-premises self-managed Microsoft Active Directory.

Which solution will meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a one-way forest trust or a one-way domain trust to connect the company’s self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.

Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a two-way forest trust to connect the company’s self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.

Use AWS Directory Service. Create a two-way trust relationship with the company’s self-managed Microsoft Active Directory.

Deploy an identity provider (IdP) on premises. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console.

Explanation:

Explanation

Correct Answer: A

This solution meets all the requirements:

AWS SSO provides single sign-on across all AWS accounts managed by AWS Organizations
AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) can establish a trust relationship with the on-premises Active Directory
One-way forest/domain trust allows authentication requests to flow from AWS to the on-premises AD while keeping user management on-premises

Why other options are incorrect:

B. Two-way forest trust is unnecessary and potentially less secure. A one-way trust is sufficient for AWS SSO to authenticate users against the on-premises AD.

C. Using only AWS Directory Service without AWS SSO doesn't provide the centralized SSO solution across multiple accounts that AWS Organizations integration provides.

D. Deploying an on-premises IdP adds unnecessary complexity. AWS SSO can directly integrate with on-premises AD through AWS Managed Microsoft AD with trust relationships.

Key AWS Services Involved:

AWS SSO: Provides centralized SSO access to multiple AWS accounts and business applications
AWS Directory Service for Microsoft Active Directory: Creates a managed Microsoft AD in AWS that can establish trust with on-premises AD
AWS Organizations: Manages multiple AWS accounts centrally

Architecture Flow:

Users are managed in on-premises Active Directory
AWS Managed Microsoft AD establishes a one-way trust with on-premises AD
AWS SSO is configured to use AWS Managed Microsoft AD as identity source
Users can SSO into all AWS accounts managed by AWS Organizations using their on-premises AD credentials

Powered ByGPT-5.2

Comments

Loading comments...