You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD).
You need to select authentication mechanisms that can be used for both MFA and SSPR.
Which two authentication methods should you use? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. B. C. D. E.
Answer: AB
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods
To implement self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD), you need to select authentication mechanisms that can be used for both. The correct answers are Azure AD passwords and either SMS messages or email addresses.
Azure AD passwords: Azure AD passwords are the primary authentication mechanism for Azure AD. Users can use their usernames and passwords to sign in to applications that use Azure AD for authentication. When implementing SSPR, users can reset their Azure AD passwords themselves without involving IT support.
SMS messages or email addresses: Multifactor authentication (MFA) requires two or more authentication methods. One of the authentication methods is typically a password, and the other is usually a code that the user must enter after receiving it through a separate communication channel. The two authentication methods that can be used for both MFA and SSPR are SMS messages and email addresses.
SMS messages: When using SMS messages as the second authentication factor, the user receives a text message with a one-time code. The user must enter the code to complete the sign-in process. The user can also receive an SMS message with a password reset link to reset their password.
Email addresses: When using email addresses as the second authentication factor, the user receives an email message with a one-time code or a password reset link. The user must enter the code or follow the link to complete the sign-in process or reset their password.
Security questions and app passwords are not suitable authentication mechanisms for both MFA and SSPR.
Security questions: Security questions are not recommended for authentication because users often forget their answers or provide inaccurate information. Moreover, security questions can be easily guessed or socially engineered, making them a weak authentication mechanism.
App passwords: App passwords are used to authenticate apps that do not support modern authentication protocols, such as OAuth. App passwords are not suitable for MFA because they do not provide a second authentication factor. Moreover, app passwords are not suitable for SSPR because users cannot reset app passwords themselves; IT support must generate new app passwords for users.