Question 13 - Microsoft Identity SC-300 Real Exam Questions [Jan 2026 Update]

Q: 13

HOTSPOT Your company has a Microsoft 365 tenant. All users have computers that run Windows 10 and are joined to the Azure Active Directory (Azure AD) tenant. The company subscribes to a third-party cloud service named Service1. Service1 supports Azure AD authentication and authorization based on OAuth. Service1 is published to the Azure AD gallery. You need to recommend a solution to ensure that the users can connect to Service1 without being prompted for authentication. The solution must ensure that the users can access Service1 only from Azure AD-joined computers. The solution must minimize administrative effort. What should you recommend for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Your Answer

Correct Answer:

CORRECT ANSWER: AN ENTERPRISE APPLICATION IN AZURE AD

CORRECT ANSWER: A CONDITIONAL ACCESS POLICY

Explanation

To enable Single Sign-On (SSO) for a third-party application from the Azure AD gallery, you must add it to your tenant. This process creates an enterprise application (a service principal object). This enterprise application represents the service in your tenant and is the object you configure for SSO. When users are already signed into their Azure AD-joined computers, Azure AD can then issue access tokens for this application without requiring users to re-enter their credentials.

Conditional Access policies are the primary tool in Azure AD for enforcing organizational access rules. To restrict access to a specific application based on the device's status, you would create a Conditional Access policy. This policy would target the "Service1" enterprise application and include a grant control that requires the connecting device to be Azure AD-joined, thereby blocking access from any device that does not meet this condition.

References

Microsoft Azure Active Directory Documentation, "What is application management in Azure Active Directory?": This document clarifies that an application added from the gallery to a tenant for SSO is represented as an "enterprise application." It states, "An enterprise application is an object in your Azure AD tenant that represents an application that has been configured for single sign-on." (learn.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management)

Microsoft Azure Active Directory Documentation, "What is Conditional Access?": This source defines Conditional Access as the tool used by Azure AD to bring signals together, to make decisions, and enforce organizational policies. It explicitly lists "device state" as a common signal. (learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview)

Microsoft Azure Active Directory Documentation, "Conditional Access: Conditions": This document details the specific conditions available for policies. The "Device platforms" and "Device state (deprecated)" conditions, along with grant controls like "Require Hybrid Azure AD joined device," demonstrate how Conditional Access is used to enforce device-based restrictions. (learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions)

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE