Exam AZ-103 topic 5 question 24 discussion

imho it is: No, No, No. A User Administrator is not able to change these settings.

1) No : Because they have chosen number of methods required to reset :2 (Its not optional now) 2) No because user one does not belong to grp 2 , which is selected for password reset 3) No: because it cant be done by User admin. It has to be done by Global Admin: see in link below , it says to log in as Global Admin https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr

The answers should be No, No, No. There has no such a role called User Administritor! If User3 were User Access Administrator, then the third one would be 'Yes'. Really suspect the questions here are not from Microsoft because of so many wrongs.

in my test answer 3 is NO

NO NO NO user admin can not enable or play with MFA https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task

Note Security questions are stored privately and securely on a user object in the directory and can only be answered by you during registration. There is no way for your administrator to read or modify your questions or answers. If you don't see the security questions option, it's possible that your organization doesn't allow you to use security questions for verification. If this is the case, you'll need to choose another method or contact your administrator for more help. Administrator accounts are not allowed to use Security Questions as a password reset method. If you are logged in as an admin level account you will not see these options.

NO No No I will choose as per discussion

No one knows strongly what the correct answer is?

Given answers are correct..

Third is wrong, the correct answer is NO. I have tested it and a User administrator has the option to configure password reset grayed out.

box1: Yes Two methods are options either use Mobile phone or Security Questions to reset the password. So the user 2 choose Security questions to reset the password, after answer 3 security questions, he can reset his password . Unless his answers wrong.

User2 needs 2 methods. Agree!!

Third question is No. Tested it. User Administrator role does not have access to Azure Active Directory > Password Reset

User2 is member of group2 and it has SSPR enabled. The requirement is 3 question to reset the password. So first one is YES

User2: Two authentication methods are required for password reset as per the exhibit. User1: Self-service password reset is only enabled for Group2 (User1 is not a member of Group2). User3: has an administrator role assigned that DOES NOT support security questions as the second authentication method for password reset: Microsoft enforces a strong default two-gate password reset policy for any Azure administrator role. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned. With a two-gate policy, administrators don't have the ability to use security questions. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy

Yes, the satisfaction of one of the options is enough to proceed: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks No, not a member of the right group No, "User with this role do not have permissions to manage MFA." https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#user-administrator

Answers are correct. To test this u need a Azure AD P2 licence.