Exam SC-300 topic 7 question 1 discussion

IMO, you would need to set up MFA before SSPR when as per requirement protecting against leaked credentials by implementing a sign-in risk remediation policy without blocking access. Ref. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identityprotection-remediate-unblock .

The answers are correct. The question is about probability that user identities were compromised User risk is a calculation of probability that an "identity" has been compromised. Administrators can choose to block access, allow access, or allow access but require a password change using Azure AD self-service password reset.

On exam 7/18/24, used answered provided In the requirements: Users must be forced to change their password if there is a probability that the users' identity was compromised. You would need to register users for SSPR first and then create a user-risk policy that forces them to change their password.

In the requirements: Users must be forced to change their password if there is a probability that the users' identity was compromised. You would need to register users for SSPR first and then create a user-risk policy that forces them to change their password.

SSPR A user risk policy

It's really hard to say. The Microsoft says the pros and cons. "To perform secure password change to self-remediate a user risk: The user must have registered for Azure AD MFA." and after some lines " Self-remediation with self-service password reset If a user has registered for self-service password reset (SSPR), then they can also remediate their own user risk by performing a self-service password reset." https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock

MFA and user risk policy is the answer for me. "When a user risk policy triggers: Administrators can require a secure password reset, requiring Azure AD MFA be done before the user creates a new password with SSPR, resetting the user risk." https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

It's User Risk and SSPR Within a User Risk policy, when setting the Controls - Access section, you only have two options: 1) you completely block the user 2) you allow the user access still, but they "Require password change" MFA would be related to Sign-In risk policy, not User Risk.

MFA is a requirement here.

MFA ans SSPR are two duistincts setups that look similar and therefore lots of people are getting confused. That is why Azure is now forccing the combined setup : Before combined registration, users registered authentication methods for Azure AD Multi-Factor Authentication and self-service password reset (SSPR) separately. People were confused that similar methods were used for Multi-Factor Authentication and SSPR but they had to register for both features. Now, with combined registration, users can register once and get the benefits of both Multi-Factor Authentication and SSPR. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined But since there is no mention of cpmbined setup SSPR it is

MFA is a requirement for enabling SSPR and there's no mention in the Introductory Info that MFA is already setup. See below URL for reference; https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr So for me it's MFA and User Risk Pol

Users-risky situation. Users must first have SSPR enabled first. And then you will need to configure User-risk policy

On the exam - March 28, 2022

just pass the exam today. This came in the question. MFA + User Risk Policy

IMO, it is SSPR since MFA is not one of the requirements making me assuming MFA is already enabled. Also, in order to automate a password reset, SSPR needs to be enabled when the risky-user policy kicks in.

Require the user to reset password - Requiring the users to reset passwords enables self-recovery without contacting help desk or an administrator. This method only applies to users that are registered for Azure AD MFA and SSPR. For users that haven't been registered, this option isn't available.

Yes, correct.