HOTSPOT

Your company has a Microsoft 365 tenant. All users have computers that run Windows 10 and are joined to the Azure Active Directory (Azure AD) tenant.

The company subscribes to a third-party cloud service named Service1. Service1 supports Azure AD authentication and authorization based on OAuth. Service1 is published to the Azure AD gallery.

You need to recommend a solution to ensure that the users can connect to Service1 without being prompted for authentication. The solution must ensure that the users can access Service1 only from Azure AD-joined computers. The solution must minimize administrative effort.

What should you recommend for each requirement? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Enterprise application in Azure AD, then use Conditional Access policy. That covers SSO for the app and lets you restrict sign-ins to just Azure AD-joined devices, with low admin overhead. Seen similar patterns in MS docs and official practice tests, so I'm pretty confident here.
Yep, enterprise app in Azure AD for the SSO part and Conditional Access to limit by device type. Super quick to set up since Service1 is in the gallery. I think that's the minimum effort solution here.
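
The Conditional Access half of the approach suggested in the two replies above, as an added example that is not part of the thread or of any Microsoft material. It assumes the Microsoft Graph PowerShell SDK, a gallery app whose service principal has the display name Service1, and a constructed policy name; the policy is created in report-only mode.

```powershell
# Added example. Assumes the Microsoft Graph PowerShell SDK is installed and that
# the gallery app was added to the tenant with the display name "Service1".
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Resolve the enterprise application (service principal) created from the gallery.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Service1'"
if (@($sp).Count -ne 1) {
    throw "Expected exactly one service principal named Service1, found $(@($sp).Count)."
}

$policy = @{
    displayName = 'Service1 - block devices that are not Azure AD joined'  # constructed name
    # Report-only first, so sign-in logs show who would be blocked before enforcing.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @($sp.AppId) }
        clientAppTypes = @('all')
        devices        = @{
            deviceFilter = @{
                # Exclude Azure AD joined devices from the block; unregistered,
                # registered-only and hybrid-joined devices still match the policy.
                mode = 'exclude'
                rule = 'device.trustType -eq "AzureAD"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results in the sign-in logs look right, setting `state` to `enabled` enforces the block.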
Azure AD App Registration and security group assignment. I figured app registration is how you hook up SSO for OAuth apps, and using a group would limit who can access Service1. Not totally sure if that's enough to make sure only Azure AD-joined devices are allowed though. Anyone disagree?
