
AZ-104 Exam - Question 498


HOTSPOT -

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active Directory domain. The domain contains the users shown in the following table.

You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:

✑ Number of methods required to reset: 2

✑ Methods available to users: Mobile phone, Security questions

✑ Number of questions required to register: 3

✑ Number of questions required to reset: 3

You select the following security questions:

✑ What is your favorite food?

✑ In what city was your first job?

✑ What was the name of your first pet?

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Box 1: No -

Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing passwords of administrators:

On-premises enterprise administrators or domain administrators cannot reset their password through Self-service password reset (SSPR). They can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin accounts to Azure AD. An administrator cannot use secret Questions & Answers as a method to reset password.

Box 2: Yes -

Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT staff.

Box 3: Yes -

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
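
The explanation above recommends not syncing on-premises AD admin accounts to Azure AD. The following is an added example, not part of the original question or its reference, of one way to review that in a tenant: it lists the users who hold a directory role and flags the ones synced from on-premises. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read role and user data.

```powershell
# Added example: find directory-role holders that are synced from on-premises AD.
# Assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

$findings = foreach ($role in Get-MgDirectoryRole -All) {
    # Get-MgDirectoryRole returns activated roles only; PIM-eligible
    # assignments are not covered by this check.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Role members can also be groups or service principals; SSPR concerns users.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') {
            continue
        }

        # onPremisesSyncEnabled is not returned by default, so request it explicitly.
        $user = Get-MgUser -UserId $member.Id `
            -Property 'id,userPrincipalName,onPremisesSyncEnabled'

        [pscustomobject]@{
            Role              = $role.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            SyncedFromOnPrem  = [bool]$user.OnPremisesSyncEnabled
        }
    }
}

# Synced admin accounts first: these are the ones the recommendation is about.
$findings |
    Sort-Object -Property @{ Expression = 'SyncedFromOnPrem'; Descending = $true }, Role |
    Format-Table -AutoSize
```

Accounts listed here are also the ones to check against the administrator reset policy discussed below, rather than the SSPR methods configured for ordinary users.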

Discussion

17 comments
Mozbius_
Apr 21, 2022

By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned. With a two-gate policy, administrators don't have the ability to use security questions. The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-password-policy-differences

Therefore I would say N N Y as SecAdmin1 and BillAdmin1 are both administrators.

NOTE: I have tried to test in lab but was unsuccessful (somehow SSPR isn't even recognized as being enabled, hell one of the users is taking forever to show an updated assigned role).

Mtijnz0r
Apr 25, 2022

SSPR for Administrators isn't enabled on the tenant. SSPR for Administrators (SSPR-A) was the first implementation of SSPR. After SSPR for Users (SSPR-U) was introduced, users could have two separate configurations. The old SSPR-A implementation is used when an Azure AD account has an admin role, such as Global Administrator or Billing Administrator. However, the SSPR management on the Azure portal is for SSPR-U only. Therefore, SSPR-A might not be enabled on the tenant. https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/password-writeback-error-code-sspr-009

Citmerian
Oct 24, 2022

Answer: NO, NO, YES https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned. With a two-gate policy, administrators don't have the ability to use security questions. The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.

AzureMasterChamp
Mar 7, 2023

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

awssecuritynewbie
Oct 1, 2022

So after some research it does look like "Security questions aren't used as an authentication method during a sign-in event. Instead, security questions can be used during the self-service password reset (SSPR) process to confirm who you are. Administrator accounts can't use security questions as verification method with SSPR." So it means the administrator cannot use security questions as verification method for SSPR. So it would be N N Y. Check the first line of the link. PLEASE LIKE THIS COMMENT. Ref: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions

DonVish
Dec 14, 2022

So SSPR is not used for any kind of administrator? Global, Local, etc.?

Lexxsuse
Dec 19, 2022

Admins CAN use SSPR. But they can not use security questions to reset passwords.

ki01
Dec 18, 2023

LIKE SHARE AND SUBSCRIBE!

zellck
Feb 11, 2023

NNY is the answer. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned. With a two-gate policy, administrators don't have the ability to use security questions. All the following Azure administrator roles are affected: - Billing administrator - Security administrator

TripleFires
Feb 5, 2024

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#administrator-password-policy-differences >>> The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number, and it prohibits security questions. Office and mobile voice calls are also prohibited for trial or free versions of Microsoft Entra ID. A two-gate policy applies in the following circumstances: All the following Azure administrator roles are affected: Application administrator Application proxy service administrator Authentication administrator Billing administrator ...... Security administrator

MatAlves
Feb 11, 2024

So N-N-Y?

bobothewiseman
Mar 23, 2024

Yes. It's N N Y. Administrators (includes Security and Billing) require 2 gate policy, excluding Security questions.

LauLauLauw
Jan 25, 2023

NNY https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences This link shows the list of administrators that are not able to use security questions.

RougePotatoe
Feb 11, 2023

N N Y "Administrator accounts can't use security questions as verification method with SSPR." https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions

oopspruu
Aug 21, 2023

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences NNY

kmsalman
Apr 27, 2023

Number of security questions required to reset password is 3. My opinion is that user can also not self reset the password by answering just one question. So the Answer should be N, N, N

Elecktrus
Aug 15, 2023

Re-read the question. They are asking about if user1 will have to answer this question (but not ONLY this question). Of course user1 must answer the 2 questions. They are not asking about reset password, but answer that question.

NurSalman
Jun 30, 2023

How can you have this question wrong?

Amir1909
Feb 12, 2024

No No Yes

omerco61
Dec 18, 2022

NNY "Administrator accounts can't use security questions as verification method with SSPR." Quote from Microsoft. Link: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions

azhunter
Jan 5, 2023

Answer is NNY

Josete1106
Jul 21, 2023

N N Y is correct!

KM
Aug 31, 2023

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment NYY

PhoenixAscending
Feb 1, 2024

This was on my exam. I think the correct answer is provided by Mozbius.

Ottris
May 23, 2024

Number of methods required to reset the password is 2. N N N

roses2021
Jul 21, 2024

NNY Refer to Microsoft article: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#administrator-password-policy-differences