
Lab 06: SSPR - Questions & Scenarios


Multiple Choice Questions

Question 1

Your organization has 500 users. You want to enable SSPR for all users except executives. What's the BEST approach?

A) Enable SSPR for "All" users, then disable it per executive
B) Create a group with all non-executive users, enable SSPR for "Selected" and choose that group
C) Enable SSPR for "All" and use Conditional Access to block executives
D) You cannot exclude specific users from SSPR

Show Answer

Answer: B

SSPR can be enabled for "None", "Selected" (one group, which may contain nested groups), or "All" users. To exclude executives, create a security group containing everyone who SHOULD have SSPR, enable SSPR for "Selected" and choose that group. Option A fails because SSPR cannot be turned off per user. Option C fails because Conditional Access governs sign-in and the "Register security information" user action, not whether a user is in scope for password reset; the reset flow itself is not evaluated by Conditional Access.


Question 2

A user reports they cannot reset their password using SSPR. They see "Password reset is not enabled for your account." What should you check FIRST?

A) The user's license assignment
B) Whether the user is in an SSPR-enabled group
C) The user's authentication methods
D) The Conditional Access policies

Show Answer

Answer: B

The error message "Password reset is not enabled for your account" specifically indicates the user is NOT in an SSPR-enabled group. This is the first thing to check. License issues would show different errors, and CA policies affect access conditions, not SSPR enablement itself.


Question 3

You've configured SSPR to require 2 authentication methods. A user has registered only their mobile phone. What happens when they try to reset their password?

A) They can reset using just the phone with 2 verifications
B) They receive an error and must register another method
C) SSPR automatically falls back to 1 method
D) The admin is notified to manually reset the password

Show Answer

Answer: B

If SSPR requires 2 methods and the user has only registered 1, they cannot complete the reset. They'll receive an error indicating they need to register additional authentication methods. Each method counts as one verification.


Question 4

Which of these is NOT a valid SSPR authentication method?

A) Email
B) Security questions
C) Authenticator app notification
D) Hardware OATH token
E) Windows Hello for Business

Show Answer

Answer: E

Windows Hello for Business is NOT an SSPR authentication method. It is a primary (passwordless) sign-in credential, as are passkeys (FIDO2) and certificate-based authentication, none of which can be used to prove identity in the reset flow. Valid SSPR methods include: Email, Mobile phone (SMS or voice call), Office phone (voice call), Authenticator app notification, Authenticator app code (or another software/hardware OATH token), and Security questions.


Question 5

Your company uses Entra Connect to sync users from on-premises AD. You enable SSPR. Users report their cloud password reset doesn't work for on-premises resources. What's missing?

A) Users need P2 licenses
B) Password writeback is not enabled
C) Seamless SSO is not configured
D) Users must reset from on-premises

Show Answer

Answer: B

Password writeback must be enabled in Entra Connect (Optional features) and then turned on under Password reset > On-premises integration for cloud password resets to be written back to on-premises AD. Without writeback, a reset performed in the cloud never reaches the on-premises directory, so the user's AD password does not change. A P1 license is sufficient for SSPR and writeback; P2 is not needed.


Question 6

How often does Entra ID force users to re-confirm their SSPR authentication information by default?

A) Never - users must manually update
B) Every 90 days
C) Every 180 days
D) Every 365 days

Show Answer

Answer: C

By default, Entra ID asks users to re-confirm their SSPR authentication information every 180 days. This can be configured from 0 to 730 days. Setting to 0 disables re-confirmation reminders.


Question 7

Which license is required to enable SSPR for ALL users in an organization?

A) Entra ID Free
B) Entra ID P1 or higher
C) Microsoft 365 E3
D) Both B and C

Show Answer

Answer: D

SSPR for ALL users requires Entra ID P1 (or P2) OR any Microsoft 365 license that includes Entra ID P1 (E3, E5, F1, F3). Entra ID Free only allows SSPR for cloud-only administrator accounts.


Question 8

A security admin wants to prevent users from using the company name "Contoso" in their passwords. Where should they configure this?

A) SSPR settings > Authentication methods
B) Protection > Authentication methods > Password protection
C) Conditional Access > Grant controls
D) Protection > Password reset > Notifications

Show Answer

Answer: B

Custom banned passwords are configured under Protection > Authentication methods > Password protection. You can add up to 1,000 custom terms (4 to 16 characters each, case-insensitive) to the banned password list on top of Microsoft's global list, and Entra normalizes the candidate password before matching, so common variations such as c0nt0s0 or Cont0$o are blocked as well. The custom list requires an Entra ID P1 license.
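To make the "common variations" point concrete, here is an added PowerShell model of the evaluation Microsoft documents for Password Protection (lowercase, the listed character substitutions, one point per banned term found, one point per remaining character, five points to pass). It is not Microsoft's code and it omits the fuzzy (edit distance 1) matching and the per-user name check; the custom and global term lists inside it are placeholders.

```powershell
# Added example, not part of the lab: simplified model of Entra Password Protection scoring.
# Omits fuzzy matching and the user-name check; term lists are placeholders.
function Test-BannedPasswordScore {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string[]] $CustomBannedTerms = @('contoso', 'contosohq'),           # placeholder custom list
        [string[]] $GlobalBannedTerms = @('password', 'welcome', 'summer')   # stand-in for Microsoft's global list
    )

    # Step 1: normalization. Lowercase, then the substitutions the docs list: 0->o, 1->l, $->s, @->a.
    $norm = $Password.ToLowerInvariant()
    foreach ($pair in @{ '0' = 'o'; '1' = 'l'; '$' = 's'; '@' = 'a' }.GetEnumerator()) {
        $norm = $norm.Replace($pair.Key, $pair.Value)
    }

    # Step 2: substring matching, longest term first so "contosohq" is not split into "contoso" + "hq".
    # Each match is collapsed to a single marker character, which later counts as exactly one point.
    $marker    = [string][char]1
    $terms     = ($CustomBannedTerms + $GlobalBannedTerms | Select-Object -Unique) |
                 Sort-Object { $_.Length } -Descending
    $remaining = $norm
    $hits      = New-Object System.Collections.Generic.List[string]
    foreach ($t in $terms) {
        while ($remaining.Contains($t)) {
            $hits.Add($t)
            $remaining = $remaining.Replace($t, $marker)
        }
    }

    # Step 3: scoring. One point per banned term (the markers) plus one per remaining character;
    # the documented threshold is five points.
    $score = $remaining.Length
    [pscustomobject]@{
        Password   = $Password
        Normalized = $norm
        BannedHits = $hits -join ','
        Score      = $score
        Accepted   = ($score -ge 5)
    }
}

# Constructed sample inputs: the first three are rejected, the last one passes.
'c0nt0s0', 'C0nt0so1!', 'P@$$w0rd', 'Fall2024Contoso' |
    ForEach-Object { Test-BannedPasswordScore -Password $_ } |
    Format-Table -AutoSize
```

"C0nt0so1!" normalizes to "contosol!" and scores 3 (the term plus "l" and "!"), which is why appending a digit and a symbol to the company name does not help; "Fall2024Contoso" keeps nine characters outside the banned term and passes this check.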


Scenario Questions

Scenario 1: SSPR Pilot Rollout

Situation: You're implementing SSPR at a company with 1,000 users. Management wants a phased rollout starting with IT department (50 users), then expanding to all employees.

Questions:

  1. How would you structure the initial pilot?
  2. What metrics would you track during the pilot?
  3. How would you expand to all users after successful pilot?
Show Answer

1. Pilot Structure:

  • Create security group "SSPR-Pilot-IT" with IT users
  • Enable SSPR for "Selected" → choose this group
  • Configure 2 methods required with: Email, Phone, Authenticator app
  • Enable registration enforcement
  • Consider a re-confirmation interval shorter than the 180-day default for the pilot so stale methods surface quickly (there is no separate "skip period" setting for SSPR registration)

2. Metrics to Track:

  • Registration completion rate (target: 90%+ within 2 weeks)
  • Successful vs. failed reset attempts
  • Help desk ticket reduction for password resets
  • User feedback/complaints
  • Most commonly used authentication methods

3. Expansion Approach:

  • Create "SSPR-All-Users" group (or use an existing "All Employees" group); "Selected" accepts only one group, so either swap the selected group or nest the pilot group inside the new one
  • After pilot success, change the selected group to the broader group
  • OR change from "Selected" to "All"
  • Communicate rollout via email with self-registration instructions
  • Keep monitoring metrics during expansion
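The registration-completion metric above can be pulled straight from the authentication methods registration report. The following PowerShell is an added example (Microsoft Graph PowerShell SDK), not part of the lab; the group name is the placeholder from the scenario, and the script assumes the signed-in account can read groups and the registration report.

```powershell
# Added example, not part of the lab: SSPR registration coverage for a pilot group.
# Assumes the Microsoft.Graph module; group name is a placeholder.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "Group.Read.All", "User.Read.All"

$pilotGroupName = "SSPR-Pilot-IT"   # placeholder from the scenario
$group = Get-MgGroup -Filter "displayName eq '$pilotGroupName'"
if (-not $group) { throw "Group '$pilotGroupName' not found" }

# Only user members matter here; nested groups and devices are skipped.
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }

# The registration report exposes three flags that map onto the pilot questions:
#   isSsprEnabled    = user is in scope of the SSPR policy
#   isSsprRegistered = at least one usable method registered
#   isSsprCapable    = enough methods registered to satisfy "number of methods required"
$rows = foreach ($m in $members) {
    $d = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id
    [pscustomobject]@{
        User       = $d.UserPrincipalName
        InScope    = $d.IsSsprEnabled
        Registered = $d.IsSsprRegistered
        Capable    = $d.IsSsprCapable
        Methods    = ($d.MethodsRegistered -join ',')
    }
}

$total   = @($rows).Count
$capable = @($rows | Where-Object Capable).Count
$rows | Sort-Object Capable, Registered | Format-Table -AutoSize

"{0}/{1} pilot users can complete SSPR ({2:P0}); pilot target is 90% within two weeks" -f `
    $capable, $total, ($capable / [math]::Max($total, 1))

# Registered something but still not capable: the Question 3 situation (one method, two required).
$rows | Where-Object { $_.Registered -and -not $_.Capable } |
    ForEach-Object { "Needs another method: $($_.User) [$($_.Methods)]" }

# Most commonly registered methods, for the "which methods do people pick" metric.
$rows | ForEach-Object { $_.Methods -split ',' } | Where-Object { $_ } |
    Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
```

Schedule this weekly during the pilot; the Capable column, not Registered, is the number that tells you how many people could actually reset a password today.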

Scenario 2: SSPR Not Working

Situation: User John Smith calls the help desk saying he tried to reset his password but received an error. The help desk confirms:

  • John is in the SSPR-enabled group
  • John has a P1 license
  • SSPR is enabled for the organization

Questions:

  1. What are the likely causes?
  2. How would you troubleshoot this?
  3. What's the remediation?
Show Answer

1. Likely Causes:

  • John never registered for SSPR (most common)
  • John registered only 1 method when 2 are required
  • John's registered methods are no longer valid (changed phone number, etc.)
  • Conditional Access blocked John at registration (the "Register security information" user action), so he never finished registering; CA is not evaluated during the reset flow itself
  • Account is blocked/disabled

2. Troubleshooting Steps:

  1. Check John's authentication methods in Entra admin center:
    • Users > John Smith > Authentication methods
  2. Check SSPR audit logs for John's reset attempt
  3. If John never finished registering, check the sign-in logs for a Conditional Access failure on the "Register security information" user action
  4. Verify John's account status (not blocked/disabled)
  5. Check if John's registered phone/email are still valid

3. Remediation:

  • If not registered: Admin can add methods OR give John a TAP to self-register
  • If methods invalid: Delete old methods, user must re-register
  • If CA blocked registration: review the policy that targets "Register security information" (for example, have John register from a compliant device or the corporate network)
  • As workaround: Admin can reset password manually (temporary)
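The troubleshooting steps above, as an added triage script that is not part of the lab. It uses the Microsoft Graph PowerShell SDK on PowerShell 7; the UPN is a placeholder, and because the audit-log service name differs slightly between portal views it is matched loosely rather than on an exact string.

```powershell
# Added example, not part of the lab: first-pass SSPR triage for one user (PowerShell 7 + Microsoft.Graph).
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All", "Directory.Read.All"

$upn  = "john.smith@contoso.example"   # placeholder
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled

# 1. Account state: a disabled account cannot use SSPR at all.
"AccountEnabled        : $($user.AccountEnabled)"
"Synced from on-prem   : $($user.OnPremisesSyncEnabled)"   # True => password writeback must be working

# 2. Scope and registration exactly as the SSPR service sees it.
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $user.Id
"In SSPR-enabled group : $($reg.IsSsprEnabled)"
"Registered a method   : $($reg.IsSsprRegistered)"
"Enough methods        : $($reg.IsSsprCapable)"
"Methods               : $($reg.MethodsRegistered -join ', ')"

# 3. The registered methods themselves, to spot a stale phone number or mailbox.
Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
    $p = $_.AdditionalProperties
    "{0}: {1}" -f $p.'@odata.type', ($p.phoneNumber ?? $p.emailAddress ?? $p.displayName ?? '(no detail)')
}

# 4. Recent SSPR activity from the audit log, initiated by this user.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and initiatedBy/user/userPrincipalName eq '$upn'" |
    Where-Object { $_.LoggedByService -like '*Password*' } |
    Sort-Object ActivityDateTime |
    Select-Object ActivityDateTime, ActivityDisplayName, Result, ResultReason |
    Format-Table -AutoSize

# 5. Registration blocked by Conditional Access shows up as a sign-in with a failed CA policy,
#    not in the SSPR audit trail; list any such sign-ins and the policies that failed.
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" |
    Where-Object { $_.ConditionalAccessStatus -eq 'failure' } |
    Select-Object CreatedDateTime, AppDisplayName,
        @{ n = 'FailedPolicies'; e = { ($_.AppliedConditionalAccessPolicies | Where-Object Result -eq 'failure').DisplayName -join ', ' } } |
    Format-Table -AutoSize
```

Read the output top to bottom: a False in step 1 or 2 ends the investigation before you look at methods, and an empty step 4 with a failed policy in step 5 tells you the user never got as far as registering.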

Scenario 3: Security Requirements

Situation: Your security team has these requirements for SSPR:

  1. Users must verify identity with 2 different methods
  2. Security questions alone should not be sufficient
  3. SMS should not be allowed for sensitive admin accounts
  4. Registration must happen from corporate network or compliant device

Questions:

  1. How would you configure SSPR to meet requirement 1 and 2?
  2. How would you handle requirement 3?
  3. How would you implement requirement 4?
Show Answer

1. Requirements 1 & 2:

  • Set "Number of methods required" to 2
  • Enable: Email, Mobile phone, Authenticator app notification, Authenticator app code, Security questions
  • Security questions count as only 1 method regardless of how many questions answered
  • User must use security questions + another method (email, phone, or app)

2. Requirement 3 (No SMS for admins):

  • The legacy SSPR method list is tenant-wide, so it cannot switch SMS off for one group by itself
  • Solution: use the Authentication methods policy, which is evaluated for both MFA and SSPR
    • Protection > Authentication methods > Policies > SMS: add the admin group as an exclude target (exclude wins over include)
    • Keep Authenticator app notification/code enabled for that group so admins still have two usable methods
  • Administrator accounts are always held to two methods for SSPR, and security questions are not offered to them
  • A Conditional Access authentication-strength policy (for example "Phishing-resistant MFA") hardens admin sign-in, but CA is not evaluated during the SSPR reset flow, so it does not satisfy this requirement on its own

3. Requirement 4 (Secure registration):

  • Create Conditional Access policy:
    • Target: User actions > "Register security information"
    • Conditions: Locations, include Any location, exclude All trusted locations (the corporate network defined as a trusted named location)
    • Grant: Require device to be marked as compliant
    • Result: from outside the corporate network, registration is only possible from a compliant device
  • Start the policy in report-only mode and exclude the emergency-access accounts, as with any CA policy
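Requirements 3 and 4 as an added Microsoft Graph PowerShell example, not part of the lab. It assumes the admin and emergency-access groups exist under the placeholder names shown, that the corporate network is already defined as a trusted named location (which is what the "AllTrusted" exclusion resolves to), and that you review the report-only results before enabling the CA policy.

```powershell
# Added example, not part of the lab: SMS excluded for admins via the Authentication methods policy,
# and a report-only CA policy on the "Register security information" user action.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod", "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$adminGroup      = Get-MgGroup -Filter "displayName eq 'SSPR-Privileged-Admins'"   # placeholder
$breakGlassGroup = Get-MgGroup -Filter "displayName eq 'Emergency-Access'"         # placeholder
if (-not $adminGroup -or -not $breakGlassGroup) { throw "Placeholder groups not found; create or rename them first" }

# --- Requirement 3: SMS stays enabled for everyone except the admin group. ---
# Exclude targets override include targets, and this policy applies to both MFA and SSPR.
$smsBody = @{
    "@odata.type"  = "#microsoft.graph.smsAuthenticationMethodConfiguration"
    state          = "enabled"
    excludeTargets = @(@{ id = $adminGroup.Id; targetType = "group" })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Sms" -BodyParameter $smsBody

# Read it back: the admin group should now appear under ExcludeTargets.
(Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "Sms").ExcludeTargets |
    Select-Object Id, TargetType

# --- Requirement 4: off-network security-info registration requires a compliant device. ---
$caBody = @{
    displayName = "SSPR: registration off-network requires compliant device"
    state       = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing report-only sign-ins
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup.Id) }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $caBody
"Created CA policy $($policy.Id) (state: $($policy.State))"
```

A user action cannot share a policy with cloud apps, which is why the registration policy is separate from any sign-in policy; the SMS exclusion needs no CA at all because the Authentication methods policy is consulted by the SSPR flow itself.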

Scenario 4: Hybrid Environment

Situation: Company has:

  • 2,000 users synced from on-premises AD via Entra Connect
  • 100 cloud-only users (contractors)
  • On-premises applications requiring AD authentication
  • Cloud applications using Entra authentication

Questions:

  1. What additional configuration is needed for synced users?
  2. What happens if a synced user resets password via SSPR?
  3. What happens if password writeback fails?
Show Answer

1. Additional Configuration:

  • Enable Password writeback in Entra Connect
    • Open the Microsoft Entra Connect wizard > Configure > Customize synchronization options > Optional features
    • Enable "Password writeback"
  • In the Entra admin center, Password reset > On-premises integration: turn on "Write back passwords to your on-premises directory"
  • Optionally enable "Allow users to unlock accounts without resetting their password" on the same blade
  • Ensure the AD DS connector account has the rights writeback needs on the user OUs: Reset password, Change password, Write permissions on lockoutTime and pwdLastSet, and the Unexpire Password extended right

2. When Synced User Resets via SSPR:

  1. User completes SSPR verification in Entra ID
  2. Entra ID sends the new password to the Entra Connect server over the writeback channel (outbound HTTPS from the server; no inbound ports are opened)
  3. The writeback agent validates the password against the on-premises password policy and resets it in AD, unlocking the account if it was locked
  4. On success the cloud password is updated too for password hash sync users; for pass-through authentication users the on-premises password is the only one that exists
  5. User can immediately use the new password for both cloud AND on-premises resources

3. If Writeback Fails:

  • Writeback is attempted before the reset is confirmed, so the user sees an error in the SSPR portal and no new password is established; the old password keeps working everywhere until the cause is fixed and the user retries
  • Common causes: the Connect server cannot reach the writeback endpoint (outbound 443), writeback was disabled on the connector, or the connector account lacks Reset password / lockoutTime / pwdLastSet rights on the user's OU
  • A password that violates the on-premises password policy (for example complexity or length) also surfaces as a reset error, because writeback enforces the on-premises policy
  • The Application event log on the Entra Connect server (source PasswordResetService) records the failure, and the Entra audit log shows the failed reset attempt
  • Admin fixes the cause and has the user retry, or resets the password in AD manually as a stopgap
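The checks listed above, as an added PowerShell health check that is not part of the lab. It runs on the Entra Connect server (the ADSync module ships with Connect; the ActiveDirectory RSAT module and dsacls are assumed present); connector name, OU and connector account are placeholders, and the event source name is the one the Connect troubleshooting guidance refers to.

```powershell
# Added example, not part of the lab: password writeback health check, run on the Entra Connect server.
# Connector name, OU and account are placeholders.
Import-Module ADSync
Import-Module ActiveDirectory

$aadConnector = "contoso.onmicrosoft.com - AAD"        # placeholder; list names with Get-ADSyncConnector
$userOu       = "OU=Users,DC=corp,DC=contoso,DC=com"   # placeholder OU holding synced users
$svcAccount   = "CORP\MSOL_abc123"                     # placeholder AD DS connector account

# 1. Is writeback enabled on the cloud connector? (Re-enable with Set-ADSyncAADPasswordResetConfiguration -Enable $true)
"== Writeback configuration =="
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector

# 2. Recent writeback events from the agent. Source name assumed from the troubleshooting guidance.
"== PasswordResetService events (last 24h) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'PasswordResetService'; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 3. Does the connector account hold the rights writeback needs on the user OU?
"== ACEs for $svcAccount on $userOu =="
$aclText = dsacls $userOu
$aclText | Select-String -Pattern ([regex]::Escape($svcAccount)) -Context 0, 2

# Coarse presence check: each right must appear somewhere in the OU's ACL output. The
# Select-String output above shows which trustee actually holds it.
$needed = 'Reset Password', 'lockoutTime', 'pwdLastSet', 'Unexpire Password'
$blob   = $aclText -join "`n"
foreach ($right in $needed) {
    "{0,-18} {1}" -f $right, ($(if ($blob -match [regex]::Escape($right)) { 'present' } else { 'MISSING' }))
}

# 4. The agent only needs outbound HTTPS; a quick reachability probe for the cloud side.
"== Outbound 443 =="
Test-NetConnection -ComputerName "login.microsoftonline.com" -Port 443 | Select-Object ComputerName, TcpTestSucceeded
```

If step 1 reports writeback disabled after a Connect upgrade or a re-run of the wizard, re-enabling it on the connector is the fix; a MISSING right in step 3 explains resets that fail only for users in a particular OU.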

True/False Questions

Question 1

True or False: Users can use SSPR to reset their password even if their account is disabled.

Show Answer

False

Disabled accounts cannot use SSPR. The user must contact an administrator to enable their account first, then they can use SSPR if needed.


Question 2

True or False: Security questions alone can be used to reset a password if the admin configures "Number of methods required" to 1.

Show Answer

True

If only 1 method is required and security questions are enabled, users CAN reset using only security questions. This is NOT recommended: security questions are the weakest method, and Microsoft recommends requiring 2 methods. Administrator accounts are the exception; they are always held to two methods and are never offered security questions.


Question 3

True or False: SSPR registration and MFA registration are completely separate processes that must be done independently.

Show Answer

False

Since the combined registration experience rollout, MFA and SSPR registration are merged into a single "Security info" experience. Users register their authentication methods once, and those methods can be used for both MFA and SSPR (where applicable).


Question 4

True or False: Entra ID P2 license is required for password writeback functionality.

Show Answer

False

Password writeback is available with Entra ID P1 license (or any license that includes P1 features like M365 E3). P2 is NOT required for basic SSPR or writeback.


Fill in the Blank

Question 1

The default number of days before users are asked to re-confirm their SSPR authentication information is __________ days.

Show Answer

180 days


Question 2

To configure SSPR for a subset of users (not all), you set "Self service password reset enabled" to __________.

Show Answer

Selected

Options are: None, Selected, All


Question 3

The URL where users can register their SSPR authentication methods is __________.

Show Answer

https://aka.ms/ssprsetup (or https://mysignins.microsoft.com/security-info)


Question 4

The URL where users go to reset their password via SSPR is __________.

Show Answer

https://aka.ms/sspr (or https://passwordreset.microsoftonline.com)

Released under the MIT License.