
Technical Lab: Configure self-service password reset (SSPR)

Questions

Question 1 — Multiple Choice

An organization enabled SSPR in Microsoft Entra ID for a specific group of users. After deployment, the support team reports that some users can reset their passwords normally, but others in the same group receive errors when attempting to do so. Upon investigation, you discover that the affected users have not completed the authentication methods registration process.

What is the default SSPR behavior when a user attempts to reset their password without having authentication methods registered?

A) SSPR automatically uses the corporate email registered in the Microsoft Entra ID profile as a fallback.

B) SSPR blocks the reset and requires the administrator to manually reset the password.

C) SSPR redirects the user to the registration portal before allowing the reset.

D) SSPR allows the reset through validation with just one automatically generated security question.


Question 2 — Technical Scenario

An administrator configured SSPR with the following policy:

Number of methods required for reset: 2
Enabled methods:
- Code sent by email
- Code sent by SMS
- Authenticator app (notification)
- Security questions (5 questions, 3 correct answers required)

A user registered only security questions and alternate email. They attempt to reset their password outside business hours without access to their mobile phone. The reset is successful.

What explains this result?

A) SSPR ignored the two-method requirement because the user is a member of a privileged security group.

B) The user utilized the two available registered methods (email and security questions), satisfying the two-method policy.

C) SSPR automatically reduced the requirement to one method outside business hours to avoid productivity blocking.

D) The corporate email was used as an automatic second factor without requiring prior registration.


Question 3 — True or False

In Microsoft Entra ID, when password writeback is enabled via Microsoft Entra Connect, a password reset by SSPR is written directly to the on-premises Active Directory in real time, without queue mediation or any separately installed additional agent.

True or False?


Question 4 — Technical Scenario

A company is migrating to Microsoft Entra ID in hybrid mode. The administrator needs to ensure that users synchronized from on-premises Active Directory can also use SSPR to change their passwords, with the change immediately reflected in the local environment.

The administrator enables SSPR in the Microsoft Entra ID portal and tests with a synchronized user. The reset occurs successfully in the portal, but when trying to log into the local workstation with the new password, the login fails.

What is the most likely cause?

A) SSPR is not compatible with synchronized accounts; it only works for native Microsoft Entra ID accounts.

B) Password writeback is not enabled in Microsoft Entra Connect, so the new password was not propagated to the on-premises Active Directory.

C) The synchronized user cannot use SSPR while password hash synchronization is not active.

D) The user's local account is locked in Active Directory, preventing writeback reception.


Question 5 — Multiple Choice

When configuring SSPR in Microsoft Entra ID, the administrator defines that security questions are an allowed method. Regarding the use of this method, which statement correctly describes a documented technical limitation?

A) Security questions can be used as the sole required method, provided the number of configured questions is equal to or greater than five.

B) Security questions cannot be used as a password reset method for accounts with administrative roles in Microsoft Entra ID.

C) Security questions are automatically blocked if the user has Microsoft Authenticator registered.

D) Security questions require the global administrator to approve the question bank before they become available to users.


Answer Key and Explanations

Answer Key — Question 1

Answer: B

SSPR does not have automatic fallback to profile data that has not been explicitly registered as an authentication method. When a user has not completed registration, the reset is blocked and the flow ends with an error, requiring administrator intervention for manual reset. Alternative C describes the behavior of Combined Registration during onboarding, which may request registration, but this does not occur automatically during a production reset attempt. Alternatives A and D represent behaviors that simply do not exist in the SSPR implementation: there is no fallback to profile email and no automatic generation of security questions.


Answer Key — Question 2

Answer: B

The policy requires two methods, and the user registered exactly two: alternate email and security questions. Both are enabled in the policy and were properly registered, therefore the requirement is satisfied without any exception. The conceptual error represented by distractors A and C is assuming that SSPR has contextual logic based on time or group privileges, which does not exist. Distractor D reinforces the common misconception that the corporate email from the Entra ID profile is automatically leveraged as a method, when in fact only the alternate email registered by the user themselves counts as an SSPR authentication method.


Answer Key — Question 3

Answer: False

Password writeback is not a process without intermediation. It depends on the Microsoft Entra Connect agent installed in the on-premises environment, which acts as a bridge between Entra ID and Active Directory. Communication occurs through a secure message queue via Azure Service Bus, which means there is indeed a separate agent component and an asynchronous communication channel involved. While the process is perceived as "real-time" from the user's perspective (a latency of seconds), stating that it occurs "without agent intermediation" is technically incorrect. Understanding this architecture is essential for diagnosing writeback failures in hybrid environments.


Answer Key — Question 4

Answer: B

In a hybrid environment, SSPR changes the password in the cloud (Microsoft Entra ID), but for this change to propagate to on-premises Active Directory, password writeback needs to be explicitly enabled in the Microsoft Entra Connect settings. Without it, the local password remains unchanged, which is exactly the symptom described. Alternative A is incorrect because SSPR is compatible with synchronized accounts when writeback is active. Alternative C confuses password hash synchronization with writeback: these are distinct features that operate in opposite directions (on-premises to cloud versus cloud to on-premises). Alternative D could be a legitimate cause of failure in real scenarios, but it does not explain the described behavior, where the reset was successful in the portal and writeback simply did not occur.
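The two failure modes explained in the answer keys for Question 1 (user never completed authentication-method registration) and Question 4 (password writeback not enabled in Microsoft Entra Connect) can both be confirmed from PowerShell before opening a support ticket. The script below is an added example and is not part of the original lab; it uses the Microsoft Graph PowerShell cmdlet `Get-MgReportAuthenticationMethodUserRegistrationDetail` and the ADSync module cmdlet `Get-ADSyncAADCompanyFeature`. The Graph scopes requested and the exact property names read from the returned objects are stated as assumptions, and the user principal name is a constructed placeholder.

```powershell
# Added example (not from the original lab): diagnosing the two SSPR failure modes
# described in the answer keys. Part 1 runs from any admin workstation with the
# Microsoft.Graph modules installed; Part 2 runs on the Microsoft Entra Connect server.

# --- Part 1: has the user actually registered SSPR methods? (Question 1 scenario) ---
function Get-SsprRegistrationStatus {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Assumption: these delegated scopes are enough to read registration details.
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

    # The registration-details report supports filtering on userPrincipalName.
    $detail = Get-MgReportAuthenticationMethodUserRegistrationDetail `
        -Filter "userPrincipalName eq '$UserPrincipalName'"

    if (-not $detail) {
        throw "No registration record found for $UserPrincipalName"
    }

    # Assumption: property names follow the userRegistrationDetails resource.
    [pscustomobject]@{
        User                = $detail.UserPrincipalName
        InSsprPolicyScope   = $detail.IsSsprEnabled      # user is targeted by the SSPR policy
        SsprRegistered      = $detail.IsSsprRegistered   # completed the registration flow
        SsprCapable         = $detail.IsSsprCapable      # has enough methods to satisfy the policy
        MethodsRegistered   = ($detail.MethodsRegistered -join ', ')
    }
}

# --- Part 2: is password writeback enabled? (Question 4 scenario) ---
function Test-PasswordWritebackEnabled {
    Import-Module ADSync -ErrorAction Stop
    $features = Get-ADSyncAADCompanyFeature

    # Password hash sync flows on-premises -> cloud; writeback flows cloud -> on-premises.
    # SSPR in a hybrid tenant needs the second one, which is the flag Question 4 hinges on.
    [pscustomobject]@{
        PasswordHashSync  = $features.PasswordHashSync
        PasswordWriteback = $features.PasswordWriteBack
    }
}

# Usage (constructed placeholder UPN):
# Get-SsprRegistrationStatus -UserPrincipalName 'user@contoso.example'
# Test-PasswordWritebackEnabled   # on the Entra Connect server
```

A user whose `SsprRegistered` is false while `InSsprPolicyScope` is true matches the Question 1 symptom: the reset fails and an administrator must reset the password manually. A hybrid tenant where `PasswordWriteback` is false matches Question 4: the cloud reset succeeds but the on-premises password never changes. In both cases the remediation lies in Entra ID configuration or user onboarding, not in the support team resetting passwords by hand indefinitely.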


Answer Key — Question 5

Answer: B

Microsoft explicitly documents that security questions cannot be used by accounts that have administrative roles in Microsoft Entra ID. This method is considered less secure and is excluded from the reset flow for administrators, regardless of policy configuration. This is a system limitation, not an optional configuration. Alternative A is incorrect because the number of questions does not eliminate the requirement for multiple methods when the policy so defines. Alternative C has no technical foundation; the presence of Microsoft Authenticator does not block other methods. Alternative D describes an approval process that simply does not exist in the platform.