Exam AZ-104 topic 6 question 12 discussion

By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned. With a two-gate policy, administrators don't have the ability to use security questions. The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-password-policy-differences Therefore I would say N N Y as SecAdmin1 and BillAdmin1 are both administrators. NOTE: I have tried to test in lab but was unsuccessful (somehow SSPR isn't even recognized as being enabled, hell one of the user is taking forever to show an updated assigned role).

So after some research it does look like "Security questions aren't used as an authentication method during a sign-in event. Instead, security questions can be used during the self-service password reset (SSPR) process to confirm who you are. Administrator accounts can't use security questions as verification method with SSPR." so it means the administrator cannot use security questions as verification method for SSPR. so it would be N N Y . check the link the first line of the link. PLEASE LIKE THIS COMMENT Ref https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions

Answer is No/No/Yes https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#security-questions-restriction By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you defined for your users, and this policy can't be changed. The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number, and ***it prohibits security questions***. A two-gate policy applies in the following circumstances: Billing Administrator Global Administrator Security Administrator

WRONG No No Yes

NNY Refer to Microsoft article: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#administrator-password-policy-differences

Number of methods required to reset the password is 2. N N N

No No Yes

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#administrator-password-policy-differences >>> The two-gate policy requires two pieces of authentication data, such as an email address, authenticator app, or a phone number, and it prohibits security questions. Office and mobile voice calls are also prohibited for trial or free versions of Microsoft Entra ID. A two-gate policy applies in the following circumstances: All the following Azure administrator roles are affected: Application administrator Application proxy service administrator Authentication administrator Billing administrator ...... Security administrator

This was on my exam. I think the correct answer is provided by Mozbius.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment NYY

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences NNY

N N Y is correct!

How can you have this question wrong?

Number of security questions required to reset password is 3. My opinion is that user can also not self reset the password by answering just one question. So the Answer should be N, N, N

NNY is the answer. https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences By default, administrator accounts are enabled for self-service password reset, and a strong default two-gate password reset policy is enforced. This policy may be different from the one you have defined for your users, and this policy can't be changed. You should always test password reset functionality as a user without any Azure administrator roles assigned. With a two-gate policy, administrators don't have the ability to use security questions. All the following Azure administrator roles are affected: - Billing administrator - Security administrator

N N Y "Administrator accounts can't use security questions as verification method with SSPR." https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-security-questions

NNY https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy#administrator-reset-policy-differences This link shows the list of administrators that arre not able to use security questions.