Exam SC-300
Question 297

HOTSPOT -

You need to meet the technical requirements for the probability that user identities were compromised.

What should the users do first, and what should you configure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Correct Answer:

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies

Discussion
DPRamone

IMO, you would need to set up MFA before SSPR when, as per the requirement, protecting against leaked credentials by implementing a sign-in risk remediation policy without blocking access. Ref. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identityprotection-remediate-unblock

007Ali

I agree that in reality, you would enable MFA as that is the best way to protect accounts, but I think this question is about setting up a User Risk Policy, and in that policy one of the settings is "Identity Protection -> User Risk Policy -> Controls -> Allow access -> Require password change". Therefore setting up SSPR is required to complete this task.

densyo

The answers are correct. The question is about the probability that user identities were compromised. User risk is a calculation of the probability that an "identity" has been compromised. Administrators can choose to block access, allow access, or allow access but require a password change using Azure AD self-service password reset.

Borbz

You are correct.

Faheem2020

MFA and user risk policy is the answer for me. "When a user risk policy triggers: Administrators can require a secure password reset, requiring Azure AD MFA be done before the user creates a new password with SSPR, resetting the user risk." https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

w00t

It's User Risk and SSPR. Within a User Risk policy, when setting the Controls - Access section, you only have two options: 1) you completely block the user; 2) you allow the user access still, but they "Require password change". MFA would be related to Sign-In risk policy, not User Risk.

RandomNickname

MFA is a requirement for enabling SSPR and there's no mention in the Introductory Info that MFA is already set up. See below URL for reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr So for me it's MFA and User Risk Pol

sapien45

MFA and SSPR are two distinct setups that look similar, and therefore lots of people are getting confused. That is why Azure is now forcing the combined setup: Before combined registration, users registered authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR) separately. People were confused that similar methods were used for Multi-Factor Authentication and SSPR but they had to register for both features. Now, with combined registration, users can register once and get the benefits of both Multi-Factor Authentication and SSPR. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined But since there is no mention of combined setup, SSPR it is.

Jun143

Just passed the exam today. This came in the question. MFA + User Risk Policy

wsrudmen

It's really hard to say. Microsoft says the pros and cons. "To perform secure password change to self-remediate a user risk: The user must have registered for Azure AD MFA." and after some lines "Self-remediation with self-service password reset If a user has registered for self-service password reset (SSPR), then they can also remediate their own user risk by performing a self-service password reset." https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock

Sneekygeek

In the requirements: Users must be forced to change their password if there is a probability that the users' identity was compromised. You would need to register users for SSPR first and then create a user-risk policy that forces them to change their password.

Xyz_40

Users-risky situation. Users must first have SSPR enabled. And then you will need to configure a User-risk policy.

stromnessian

Require the user to reset password - Requiring the users to reset passwords enables self-recovery without contacting help desk or an administrator. This method only applies to users that are registered for Azure AD MFA and SSPR. For users that haven't been registered, this option isn't available.

thetootall

On exam 7/18/24, used answer provided. In the requirements: Users must be forced to change their password if there is a probability that the users' identity was compromised. You would need to register users for SSPR first and then create a user-risk policy that forces them to change their password.

dule27

SSPR. A user risk policy.

Faheem2020

MFA is a requirement here.

Yelad

On the exam - March 28, 2022

TheGuy

IMO, it is SSPR since MFA is not one of the requirements, making me assume MFA is already enabled. Also, in order to automate a password reset, SSPR needs to be enabled when the risky-user policy kicks in.

stromnessian

Yes, correct.