Microsoft SC-300 Based on Real Exam Environment

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and the Microsoft Learn – “Manage Microsoft 365 Groups naming policies” documentation, group naming policies in Azure Active Directory (now Microsoft Entra ID) apply to end users who create Microsoft 365 groups, but do not apply to administrators who have roles that allow them to override naming restrictions.

The policy defines conventions such as prefixes, suffixes, blocked words, and enforced naming rules. However, certain administrative roles are exempt from this policy to allow organizational management and automation processes. The exempt roles are:

Global Administrator

User Administrator

These two roles can create Microsoft 365 groups without the naming policy constraints. Other users — including Groups Administrator and users without administrative roles — are subject to the naming policy when creating groups.

From the official documentation:

“Naming policies apply to all users who create groups, except for global administrators and user administrators. These roles can create groups that bypass the naming policy restrictions.”

Applying this rule:

User1 (Global Administrator) — exempt

User2 (User Administrator) — exempt

User3 (Groups Administrator) — affected by the policy

User4 (no role) — affected by the policy

When users accept or decline a Terms of Use (ToU) in Azure AD, these actions are recorded in the audit logs. The Microsoft Identity and Access Administrator documentation specifies that audit logs capture “Terms of use acceptance records” including who accepted, who declined, timestamp, and version of the ToU accepted.

The other options are incorrect because:

Provisioning logs capture provisioning events (not ToU).

Usage and Insights reports provide activity metrics, not compliance actions.

Sign-in logs capture authentication activity but not ToU acceptance.

Therefore, to identify which users accepted or declined Terms1, you should use the Audit logs in Azure AD.

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn modules on “Implement access management for apps” and “Implement Conditional Access policies” , Azure AD provides centralized identity and access management for integrated SaaS applications (such as Service1) that support Azure AD authentication and OAuth .

Ensure that users connect to Service1 without being prompted for authentication: When a third-party application is published in the Azure AD gallery , it supports federated single sign-on (SSO) using SAML, OAuth, or OpenID Connect. Registering the application as an enterprise application (rather than creating a new app registration) enables Azure AD to manage SSO automatically. The Microsoft documentation states:

“Enterprise applications from the Azure AD gallery can be configured for single sign-on so that users can access the app using their Azure AD credentials without being prompted to reauthenticate.”

Therefore, to achieve seamless sign-on with minimal administrative overhead, the correct option is An enterprise application in Azure AD .

Ensure that users can access Service1 only from Azure AD-joined computers: To restrict access based on device compliance or join status, Azure AD uses Conditional Access policies . Conditional Access allows enforcement of conditions such as “Require device to be marked as compliant” or “Require hybrid Azure AD-joined or Azure AD-joined device.” The official Microsoft guidance under “Plan and implement Conditional Access policies” confirms:

“You can enforce that users only access cloud resources from devices that are Azure AD-joined or compliant by applying Conditional Access device filters.”

Thus, to ensure that only Azure AD-joined devices can access Service1, you implement a Conditional Access policy .

 Feature: An MFA registration policy

 Grace period: 14 days

According to the Microsoft Identity and Access Administrator (SC-300) Study Guide and Microsoft Learn documentation under “Plan, implement, and manage multifactor authentication (MFA)” , when an organization wants to require users to register for multi-factor authentication methods (such as Microsoft Authenticator, phone number, or email), this is managed through the MFA registration policy within Azure AD Identity Protection.

This feature is called “Combined security information registration” or MFA registration policy, and it allows administrators to enforce users to register for MFA and Self-Service Password Reset (SSPR). The policy defines which users are required to register and sets a grace period — the amount of time a user can postpone registration after first being prompted.

From the Microsoft official exam reference:

“The MFA registration policy allows users to postpone registration for a defined grace period. The default and maximum supported value is 14 days.”

During the grace period, users can skip the registration prompt but will be reminded every time they sign in until they complete registration or the grace period expires. Once the 14-day period ends, users must register their authentication methods before accessing resources.

Therefore, based on Microsoft’s SC-300 study materials and Azure AD documentation:

The correct feature used to enforce this is An MFA registration policy.

The standard and maximum grace period before users must complete registration is 14 days.