SC-100 Question #326: Real Exam Question with Answer & Explanation

Question

You have a Microsoft 365 subscription that contains a group named Group1. The subscription is linked to a Microsoft Entra ID P1 tenant. You have an external software as a service (SaaS) application named App1. App1 is managed by using a web-based admin portal and supports the use of Microsoft Entra ID credentials. You need to ensure that only the members of Group1 who sign in from Microsoft Entra joined devices can access the admin portal of App1. What should you create first in Microsoft Entra?

Options

• Aan enterprise application
• Ba Microsoft Entra application proxy connector group
• Ca Conditional Access policy
• Dan access package

Explanation

{"question_number": 8, "correct_answer": "C", "explanation": "A Conditional Access policy is the correct first object to create because it is the enforcement mechanism that combines both required conditions: group membership (only Group1) and device state (only Entra joined devices). Since App1 already supports Microsoft Entra ID credentials, it can already authenticate users through Entra - the missing piece is the policy that gates access based on device compliance and group scope. Creating the Conditional Access policy first establishes the security requirement; the enterprise application registration (A) may be auto-created or already exist when App1 federates with Entra. An application proxy connector group (B) is for on-premises apps, not SaaS. An access package (D) manages entitlement lifecycle, not real-time device-state enforcement.", "generated_by": "claude-sonnet", "llm_judge_score": 4}

No community discussion yet for this question.