AZ-104 Exam QuestionsBrowse all questions from this exam
Go to Exam

AZ-104 Exam - Question 532

HOTSPOT -

You have an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com that contains the users shown in the following table.

Exam AZ-104 Question 532

You enable password reset for contoso.onmicrosoft.com as shown in the Password Reset exhibit. (Click the Password Reset tab.)

Exam AZ-104 Question 532

You configure the authentication methods for password reset as shown in the Authentication Methods exhibit. (Click the Authentication Methods tab.)

Exam AZ-104 Question 532

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Exam AZ-104 Question 532
Show Answer
Correct Answer:
Exam AZ-104 Question 532

Discussion

42 comments
Sign in to comment
fedztedz
Dec 31, 2020

Answer is not correct. It should be - NO: User2 needs 2 authentication methods. Security questions are not enough to reset password - NO: User1 is not part of the SSPR Group1 - NO: to be able to add security questions to the process. you need Global admin role https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#prerequisites & https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator-permissions

DodgyD
Jan 17, 2021

Agree: User administrator role do not have permissions to manage MFA.

vikki
Feb 2, 2021

Did not see exactly the information regarding to add security questions to the process, however I do find that User Administrator permission is able to reset password from the link. https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#password-reset-permissions

marcellov
May 9, 2021

Besides the Global Admin role, that you should not give to anyone, if you want to configure MFA for non-admin users only use Authentication Administrator role and if you want to configure MFA for all users including admin users, use Privileged Authentication Administrator role.

mrshegz
Aug 2, 2021

what is SSPR

raydel92
Sep 15, 2021

Self Service Password Reset

Takloy
Nov 22, 2021

Sometimes, Some People Remember...

mdmahanti
Jul 25, 2022

Sometime, Silly Points Resurface

mdmahanti
Jul 25, 2022

Sometime, Silly Points Resurface

raydel92
Sep 15, 2021

Self Service Password Reset

Takloy
Nov 22, 2021

Sometimes, Some People Remember...

mdmahanti
Jul 25, 2022

Sometime, Silly Points Resurface

ZacAz104
Jan 23, 2022

2 methods available not mandatory so the correct answer i think is Yes-No-No

Hyrydar
Jun 30, 2022

At the top it says `number of methods required to reset'. The key word there is required. And the mobile phone and security question checkboxes were selected, meaning both methods MUST be used in order to be allowed to reset the password...otherwise nay.

Hyrydar
Jun 30, 2022

At the top it says `number of methods required to reset'. The key word there is required. And the mobile phone and security question checkboxes were selected, meaning both methods MUST be used in order to be allowed to reset the password...otherwise nay.

mdmahanti
Jul 25, 2022

Sometime, Silly Points Resurface

picho707
Jun 6, 2023

See below what MS Chat AI has to say about this: Stop Responding Yes, user administrators can manage self-service password reset policies. By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can’t be changed

LovelyGroovey
Mar 17, 2024

This is a crazy question!! I think the answer should be No, Yes, Yes. Microsoft needs to assess their exam questions. This is not right!! 1st one should be No. According to the Azure Active Directory settings described in the images, two methods are required to reset the password. Therefore, even if User2 answers three security questions correctly, he cannot reset his password immediately because he needs to provide a second method of authentication as well. This ensures an additional layer of security for the password reset process.

LovelyGroovey
Mar 17, 2024

2nd question should be Yes. If User1 forgets her password, she can reset it using the mobile phone app. This is based on the Azure Active Directory settings that allow all users to reset their passwords using the available authentication methods they’ve registered for, which includes the mobile phone app. The settings apply to all end-users, enabling User1 to use the mobile app for password reset.

LovelyGroovey
Mar 17, 2024

3rd question should be Yes. User3, who has the role of “User administrator,” can add security questions to the password reset process. This is because user administrators have the permissions to manage and modify the authentication methods available for password reset within Azure Active Directory, which includes the ability to add security questions.

mlantonis
May 18, 2021

C0rrect Answer: Box 1: No Two methods are required (Mobile phone and Security questions). Box 2: No Self-service password reset is only enabled for Group2, and User1 is not a member of Group2. Box 3: No To be able to add Security questions to the process, you need to be a Global Administrator. User3 is User Administrator, so User3 cannot add security questions to the reset process. User Administrator doesn’t have MFA permissions. Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/quickstart-sspr https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-passwords-faq https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#prerequisites https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator

janshal
Dec 27, 2020

NO NO NO Tested!

Sorrynotsorry
Dec 8, 2020

I think it is NO NO NO. the third one; user administrators can't use secret questions as a password reset method. this is an enforced Azure policy for administrators https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

corex7
Dec 22, 2020

They can´t use it themself, but i think the question is here if they are able to ADD more than the 10x in the picture

jimmyli
Dec 26, 2020

that's my understanding as well. User admin can only grant user access, but cannot manage Azure resources such as changing security questions, etc.

PBA1211
Jan 27, 2021

it is No,No No 1st no, because 2 methods requierd 2nd no, because wrong groupmembership 3td no, User 3 is not "An account with Global Administrator privileges.'

JohnPC
Mar 16, 2021

First two are No, for obvious reasons. Third is No, user administrator doesn't have the ability to access Password Reset in Azure AD, as the option is greyed out - tested and confirmed. Only Global admins can add security questions from a predefined or custom created list of security questions. Also, user admins have an admin role so their ability to change their own security questions are not available, as stated, "With two-gate policy, administrators don't have the ability to use security questions". https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy This was tested by setting up a new account with user admin role; security questions wasn't an option when setting up other authentication methods during first sign in.

david76x
Jan 14, 2021

No, No, No is the correct answer. I'd like to know if the person who wrote these dumps actually passed their AZ-104!?

ZUMY
Mar 5, 2021

No-No-No

benvdw
Mar 13, 2022

on exam 13/3/2022

ra_aly
Mar 27, 2022

why azure exams are so confusing and there is a lack of knowledge, there are conflicting opinions and unclear direction.

Lazylinux
Jun 27, 2022

It is Microsoft my friend..Tell me anything about Microsoft that makes sense..yet people buy it!! Linux is the King Kong of the Universe

typales2005
Jan 12, 2023

Was on the 09/01/2023 exam.

mikl
Feb 15, 2021

1. No - requires 2 methods. 2. No - Group1 can't. 3. No - User Administrator doesnt have MFA permissions. Source : https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator-permissions

toniiv
Feb 20, 2021

Last answer is NO also, User Administrator cannot modify this settings: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator-permissions

lucky_18
Jun 29, 2021

came in exam on June 28 2021

klexams
Oct 30, 2022

N - need mobile phone too N - user2 is not in the group1 N - apparently it needs GA

Aghora
Dec 12, 2020

tested user admin with P2 lice and got no access but the following link say I can ..go figure . https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task

TiredofTesting
Mar 26, 2021

Answer is NO NO NO 3) User3 = user administrator With a two-gate policy, administrators don't have the ability to use security questions. The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number. A two-gate policy applies in the following circumstances: All the following Azure administrator roles are affected: Helpdesk administrator Service support administrator Billing administrator Partner Tier1 Support Partner Tier2 Support Exchange administrator Mailbox Administrator Skype for Business administrator User administrator

wsscool
Jul 3, 2021

in exam 7/3/2021, answered NNN

Lazylinux
Jun 13, 2022

For sure NO NO NO and as per others comments - read mlantonis

EmnCours
Aug 28, 2022

Box 1: No Two methods are required (Mobile phone and Security questions). Box 2: No Self-service password reset is only enabled for Group2, and User1 is not a member of Group2. Box 3: No To be able to add Security questions to the process, you need to be a Global Administrator. User3 is User Administrator, so User3 cannot add security questions to the reset process. User Administrator doesn’t have MFA permissions.

morito
Mar 11, 2023

Took a bit of digging, but here are my answers: - NO: User2 must provide two authentication methods before they can reset their password - NO: User 1 is not enabled for SSPR - NO: A User must have the role of global Administrator or Authentication Policy Administrator to change SSPR (https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr).

NickyDee
Dec 27, 2020

With a two-gate policy, administrators don't have the ability to use security questions.

carterbest
Jan 11, 2021

one thing is certain administrators of different kind use stronger kind password reset and its using multifactor authentication

Wucrib
Jan 17, 2021

Answer is correct. There are 2 self service password resets; one for end users and one for admins(always enabled). Clearly states Group 2 has pw reset enabled not end-users so 2nd question is right. Questions 1 and 2 are self explanatory I think.

ivantchev
Jan 24, 2021

N,N,N - we have a lot of wrong dump questions here as a whole. Just make sure to practice to test if in doubt

JayBee65
Jun 4, 2021

To confirm 3 is No: https://docs.microsoft.com/en-us/answers/questions/356305/in-azure-could-the-user-administrator-have-permiss.html

korben_dallas
Jul 3, 2021

1. Y Authentication methods When a user is enabled for SSPR, they must register at least one authentication method. We highly recommend that you choose two or more authentication methods so that your users have more flexibility in case they're unable to access one method when they need it. For more information, see What are authentication methods?. The following authentication methods are available for SSPR: Mobile app notification Mobile app code Email Mobile phone Office phone (available only for tenants with paid subscriptions) Security questions 2.NO NO: User1 is not part of the SSPR Group1 3. NO - You need Global Admin role

Kpup
Jul 28, 2021

Still learning azure so excuse the lack of knowledge but the sspr is targetted at group 2, user 1 is not a member, so could they not reset using the mobile app?

ravi000001
Aug 23, 2021

NO NO NO Reference: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator

dani12
Aug 18, 2022

SSP stands for Self Service Password reset.

zellck
Feb 11, 2023

NNN is the answer. https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator

zellck
Feb 13, 2023

Got this in Feb 2023 exam.

Josete1106
Jul 21, 2023

N N N is correct!

PrepaCertif
Sep 15, 2023

Tested in LAB : No, No, No

Amir1909
Feb 14, 2024

No No No

[Removed]
Oct 4, 2024

WRONG.. No No No

RNZLR
Feb 21, 2021

it says "number of questions required to reset = 3". why is everyone stuck on the two METHODS? you need to answer 3 questions. the security question option itself is ONE METHOD. i'd say yes,no,no

StixxNSnares
Mar 2, 2021

It says Number of methods required to reset - 2 (Mobile and Security questions) That being said, just answering the sec questions is not enough.

CloudyTech
Jul 6, 2021

NoNoNo , User admin cannot add

ZacAz104
Jan 23, 2022

correct answer i think is Yes-No-No because user2 is only member of Group2

RKETBO
Dec 9, 2022

The Number of methods required to reset option determines the minimum number of available authentication methods or gates a user must go through to reset or unlock his password. It can be set to either 1 or 2. Since this option is set to 2, user2 will not be able to reset his password after only one method has been run. User1 is a member of group1. Self-service password reset is enabled only for group2. As a user administrator, user3 cannot add security questions to the reset process. The following Technet articles contain more information about the topic https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

djgodzilla
Mar 4, 2023

Box 1: No Two methods are required (Mobile / Security questions). Box 2: No Self-service password reset is only enabled for Group2, and User1 is not a member of Group2. Box 3: No User3 is User Administrator, With a two-gate policy, administrators don't have the ability to use security questions. Admin users cannot do the following: - Cannot manage MFA. - Cannot change the credentials or reset MFA for members and owners of a role-assignable group. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator

djgodzilla
Mar 4, 2023

Only Authentication administrators can do so not global globa can give authentication admin role to someone though).

Teroristo
Jul 31, 2023

NNN https://learn.microsoft.com/en-us/answers/questions/356305/in-azure-could-the-user-administrator-have-permiss

8ac3742
Apr 14, 2025

User Access Admin role cannot change the security questions of self service reset password: User Access Admin is one RBAC role, it can only grant RBAC role to the user to access the Azure resources. Global Admin is Entra role, it can manage user, group and domain so it can change the security questions of self service password reset.

8ac3742
Apr 15, 2025

My bad, it's User Admin not User Access Admin, but user3 can still not use security questions in self service reset password because admin role cannot use security questions in self service reset password.