Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us [email protected]
Menu

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.
Microsoft Discussions

Exam AZ-104 topic 6 question 12 discussion

Actual exam question from Microsoft's AZ-104
Question #: 12
Topic #: 6
[All AZ-104 Questions]

HOTSPOT -
You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant is synced to the on-premises Active
Directory domain. The domain contains the users shown in the following table.

You enable self-service password reset (SSPR) for all users and configure SSPR to have the following authentication methods:
✑ Number of methods required to reset: 2
✑ Methods available to users: Mobile phone, Security questions
✑ Number of questions required to register: 3
✑ Number of questions required to reset: 3
You select the following security questions:
✑ What is your favorite food?
✑ In what city was your first job?
✑ What was the name of your first pet?
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
Box 1: No -
Administrator accounts are special accounts with elevated permissions. To secure them, the following restrictions apply to changing passwords of administrators:
On-premises enterprise administrators or domain administrators cannot reset their password through Self-service password reset (SSPR). They can only change their password in their on-premises environment. Thus, we recommend not syncing on-prem AD admin accounts to Azure AD. An administrator cannot use secret
Questions & Answers as a method to reset password.

Box 2: Yes -
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT staff.

Box 3: Yes -
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
by Mozbius_ at April 21, 2022, 3:42 a.m.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
Mozbius_
Highly Voted 1 year, 7 months ago
By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned. With a two-gate policy, administrators don't have the ability to use security questions. The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-password-policy-differences Therefore I would say N N Y as SecAdmin1 and BillAdmin1 are both administrators. NOTE: I have tried to test in lab but was unsuccessful (somehow SSPR isn't even recognized as being enabled, hell one of the user is taking forever to show an updated assigned role).
upvoted 56 times
Citmerian
1 year, 1 month ago
Answer: NO, NO, YES https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned. With a two-gate policy, administrators don't have the ability to use security questions. The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number.
upvoted 15 times
AzureMasterChamp
9 months, 1 week ago
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
upvoted 1 times
...
...
Mtijnz0r
1 year, 7 months ago
SSPR for Administrators isn't enabled on the tenant. SSPR for Administrators (SSPR-A) was the first implementation of SSPR. After SSPR for Users (SSPR-U) was introduced, users could have two separate configurations. The old SSPR-A implementation is used when an Azure AD account has an admin role, such as Global Administrator or Billing Administrator. However, the SSPR management on the Azure portal is for SSPR-U only. Therefore, SSPR-A might not be enabled on the tenant. https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/password-writeback-error-code-sspr-009
upvoted 4 times
...
...
awssecuritynewbie
Highly Voted 1 year, 2 months ago
So after some research it does look like "Security questions aren't used as an authentication method during a sign-in event. Instead, security questions can be used during the self-service password reset (SSPR) process to confirm who you are. Administrator accounts can't use security questions as verification method with SSPR." so it means the administrator cannot use security questions as verification method for SSPR. so it would be N N Y . check the link the first line of the link. PLEASE LIKE THIS COMMENT Ref https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 39 times
DonVish
12 months ago
So it SSPR is not used for any kind of administrator ? Global , Local ..etc. ?
upvoted 1 times
Lexxsuse
11 months, 3 weeks ago
Admins CAN use SSPR. But they can not use security questions to reset passwords.
upvoted 3 times
...
...
...
KM
Most Recent 3 months, 1 week ago
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment NYY
upvoted 1 times
...
oopspruu
3 months, 3 weeks ago
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences NNY
upvoted 3 times
...
Josete1106
4 months, 3 weeks ago
N N Y is correct!
upvoted 1 times
...
NurSalman
5 months, 1 week ago
How can you have this question wrong?
upvoted 1 times
...
kmsalman
7 months, 2 weeks ago
Number of security questions required to reset password is 3. My opinion is that user can also not self reset the password by answering just one question. So the Answer should be N, N, N
upvoted 2 times
Elecktrus
3 months, 3 weeks ago
Re-read the question. They are asking about if user1 will have to answer this question (but no ONLY this question). Of course user1 must answer the 2 qustions. They are not asking about reset password, but answer that question
upvoted 1 times
...
...
zellck
10 months ago
NNY is the answer. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned. With a two-gate policy, administrators don't have the ability to use security questions. All the following Azure administrator roles are affected: - Billing administrator - Security administrator
upvoted 7 times
...
RougePotatoe
10 months ago
N N Y "Administrator accounts can't use security questions as verification method with SSPR." https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 3 times
...
LauLauLauw
10 months, 2 weeks ago
NNY https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences This link shows the list of administrators that arre not able to use security questions.
upvoted 3 times
...
azhunter
11 months, 1 week ago
Answer is NNY
upvoted 1 times
...
omerco61
11 months, 3 weeks ago
NNY "Administrator accounts can't use security questions as verification method with SSPR." Quote from microsoft Link: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions
upvoted 1 times
...
compldc72
1 year, 1 month ago
Agree with N N Y
upvoted 2 times
...
klexams
1 year, 1 month ago
N N Y All the following Azure administrator roles are affected: Application administrator Application proxy service administrator Authentication administrator Azure AD Joined Device Local Administrator Billing administrator Compliance administrator Device administrators Directory synchronization accounts Directory writers Dynamics 365 administrator Exchange administrator Global administrator or company administrator Helpdesk administrator Intune administrator Mailbox Administrator Partner Tier1 Support Partner Tier2 Support Password administrator Power BI service administrator Privileged Authentication administrator Privileged role administrator Security administrator Service support administrator SharePoint administrator Skype for Business administrator User administrator
upvoted 11 times
...
aye_kyaw
1 year, 1 month ago
NNY With a two-gate policy, administrators don't have the ability to use security questions. The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences
upvoted 1 times
...
adrianspa
1 year, 1 month ago
YYN, check https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy
upvoted 2 times
...
majerly
1 year, 2 months ago
NNY, With a two-gate policy, administrators don't have the ability to use security questions. Billing administrator and security administrator, don´t have ability to use security questions, view ling for mozbius
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel