Exam-Answer

Home / Microsoft / AZ-100 / Question 99


Question 99

You are the administrator of the Azure Active Directory (Azure AD) tenant and the Active Directory Domain Services (AD DS) on-premises domain in your company. Your company uses Office 365 as well as other third-party cloud services. Your company uses Windows 8.1 and Windows 10 domain client computers.

Your company wants to allow all employees to use their own devices to access the company's resources, using a Bring Your Own Device (BYOD) approach.

You need to ensure that your company's assets are still protected while allowing the employees to use their own devices. You also need to keep your current device management capabilities. You plan to deploy Azure AD Join. You should ensure that your solution allows Single Sign-On (SSO).

Which two tools should you deploy? Each correct answer presents part of the solution.

Answers



A B C D


Explanation

You should deploy Active Directory Federation Services (AD FS). You need to implement SSO, but you still need to allow your users to access third-party cloud services. Deploying AD FS allows you to manage all the authentication methods in your on-premises AD DS domain, while establishing trust relationships with cloud services for authenticating your users.

Also, you should deploy System Center Configuration Manager (SCCM). This solution allows you to manage your on-premises workstations. You should also deploy a Mobile Device Management (MDM) solution such as Windows Intune. This way, you can manage Azure AD joined devices with the MDM solution and your on-premises workstations with SCCM.

You should not deploy Azure AD Connect. In this scenario, you need to implement SSO so users can access third-party cloud services. You can only achieve this by using AD FS, not Azure AD Connect.

You should not upgrade all domain client computers to Windows 10. Although having Windows 10 installed on all your workstations is a best practice, this is not a requirement in an Azure AD Join hybrid deployment. You can use Windows down-level devices such as Windows 7 and 8.1 or Windows Server 2008 R2 through 2012 R2.
