SC-300 Exam Dumps : Microsoft Identity and Access Administrator

To enforce a Terms of Use (ToU) prompt when users sign in, the SC-300 exam and Microsoft Learn materials specify configuring it under a Conditional Access policy. The ToU object must first be created in Microsoft Entra ID → Identity Governance → Terms of Use, then linked to a Conditional Access policy via Grant Controls → Require Terms of Use.

Access packages and lifecycle workflows (A, C) handle identity lifecycle and provisioning, not authentication-time prompts. Authentication methods (D) manage how users sign in but not policy-based ToU enforcement.

According to the Microsoft SC-300: Microsoft Identity and Access Administrator Study Guide and Microsoft Learn documentation on Azure AD group assignments for enterprise applications, only specific group types in Azure AD can be assigned to enterprise applications (service principals).

Azure AD allows group-based assignment for enterprise applications only when the group is a Security group or a Mail-enabled security group. This is because Azure AD uses security groups for authorization purposes.

Let’s analyze the groups from the table:

Group

Type

Assignable to App1?

Reason

Group1

Security

✅ Yes

Security groups are used for managing access permissions and can be assigned to apps.

Group2

Distribution

❌ No

Distribution groups are used for email distribution lists and cannot be used for access management.

Group3

Microsoft 365

❌ No

Microsoft 365 (formerly Office 365) groups manage collaboration resources like Teams and SharePoint but are not supported for enterprise app assignments.

Group4

Mail-enabled security

✅ Yes

Mail-enabled security groups combine mailing capabilities with security functionality and can be used to assign permissions to applications.

The Microsoft documentation states:

“You can assign access to enterprise applications in Azure AD to users, security groups, and mail-enabled security groups. Distribution lists and Microsoft 365 groups are not supported for app assignments.”

Thus, for App1, which is an enterprise application, you can assign only Group1 (Security) and Group4 (Mail-enabled Security).

In Microsoft Entra ID (Azure AD), the per-user device cap is controlled in Devices > Device settings. The SC-300 materials describe that administrators can configure “Users may join devices to Azure AD” and the “Maximum number of devices per user”. The guide notes that this limit defaults to five and is used to “control how many devices a user can join or register in Azure AD”; when users reach the limit, “they cannot add additional devices until the limit is increased or an existing device is removed.” For scenarios like field or sales staff who use multiple devices, the study content recommends adjusting this value to meet business needs. Because A. Datum’s sales users hit the current cap and a requirement states “Increase the maximum number of devices that can be joined or registered to Azure AD to 10,” the fix is to change the tenant’s Device settings—not User settings, Access reviews, or Security defaults. This aligns with the exam objective to configure device settings for Azure AD join and registration and addresses the precise symptom reported by users.