This chapter covers Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) administration in Microsoft 365, a critical area for the MS-102 exam. These technologies are fundamental to identity security and are tested in approximately 10-15% of exam questions, primarily under objective 2.5. You will learn how to configure, enforce, and troubleshoot MFA and SSPR, including authentication methods, registration campaigns, combined registration, and conditional access integration. The chapter provides the depth needed to answer scenario-based questions and implement these features in production.
Jump to a section
Think of a bank vault with a two-factor authentication lock: you need both a key (something you have) and a PIN (something you know). The vault represents your Microsoft 365 tenant. The key is your smartphone with the authenticator app, and the PIN is your password. Even if someone steals your key (password), they cannot open the vault without the PIN (second factor). Now, imagine you lose your key entirely. SSPR is like having a spare key stored in a secure drop box that you can access by verifying your identity through alternative methods: your mother's maiden name (security questions), a code sent to your backup phone (another something you have), or a text to your alternate email. The bank's system (Azure AD) manages both the primary lock (MFA) and the spare key retrieval (SSPR) through a unified policy, ensuring that only you can get the spare key, and only after proving you are who you say you are via a separate set of credentials. This prevents attackers from simply walking up to the bank and claiming they lost their key to get a new one.
What is MFA and Why It Exists
Multi-Factor Authentication (MFA) is a security mechanism that requires users to present two or more verification factors to gain access to a resource. The factors fall into three categories: something you know (password), something you have (phone, hardware token), and something you are (biometric). MFA drastically reduces the risk of credential theft because an attacker must compromise multiple factors. In Microsoft 365, MFA is enforced via Conditional Access policies or per-user MFA configuration.
How MFA Works Internally
When a user signs in, Azure AD evaluates the authentication request. If the user is subject to an MFA requirement (via Conditional Access or per-user MFA), Azure AD issues a challenge. The user must complete the second factor within a specified time window (default 10 minutes). The authentication flow: 1. User provides primary credentials (username/password). 2. Azure AD validates the credentials and checks if MFA is required. 3. If required, Azure AD sends a challenge to the user's registered authentication methods (e.g., push notification to Microsoft Authenticator). 4. The user approves the sign-in request (e.g., tap approve on phone). 5. Azure AD completes the authentication and issues tokens.
Authentication Methods
Azure AD supports multiple authentication methods for MFA and SSPR: - Microsoft Authenticator app: Push notification or OTP (one-time passcode). - SMS: Text message with a 6-digit code. - Voice call: Automated call with a code. - OATH hardware tokens: TOTP tokens (e.g., RSA SecurID). - FIDO2 security keys: Passwordless authentication. - Windows Hello for Business: Biometric or PIN. - Certificate-based authentication: Smart cards.
Each method has a default timeout or retry limit. For example, SMS codes expire after 5 minutes, and the user has 3 attempts to enter the correct code before being locked out for 30 seconds.
SSPR: Self-Service Password Reset
SSPR allows users to reset their own passwords without administrator intervention, reducing helpdesk tickets. SSPR requires users to register authentication methods before they can reset. The registration can be enforced via a registration campaign or manually. When a user initiates a password reset, they must prove their identity by providing a specified number of authentication methods (e.g., two methods). The reset process: 1. User navigates to the SSPR portal (https://passwordreset.microsoftonline.com). 2. User enters their username and completes a CAPTCHA. 3. User answers security questions or provides codes from registered methods. 4. Azure AD verifies the identity. 5. User sets a new password, which must meet the tenant's password policy.
Combined Registration
Microsoft recommends using combined registration for MFA and SSPR, which allows users to register authentication methods once for both services. This is configured in Azure AD > User settings > Combined registration. When enabled, users see a single registration experience at https://aka.ms/mfasetup.
Registration Campaigns
Registration campaigns are a feature that nags users to register for MFA and SSPR. Administrators can configure the campaign to target users who are required to use MFA but haven't registered. The campaign sends reminders via email and in the Microsoft 365 admin center. This is configured in Azure AD > Security > Authentication methods > Registration campaign.
Conditional Access Integration
MFA is typically enforced via Conditional Access policies. For example, a policy can require MFA for all users when accessing cloud apps from untrusted locations. The policy evaluates signals such as user, location, device, and application. If the policy requires MFA, Azure AD challenges the user. Conditional Access policies can also require a specific authentication method (e.g., require Microsoft Authenticator).
Per-User MFA
Per-user MFA is a legacy configuration that can be enabled for individual users. When enabled, the user is required to use MFA every time they sign in, regardless of location or device. This is less flexible than Conditional Access and is not recommended for new deployments. To enable per-user MFA, go to Azure AD > Users > Per-user MFA. Note that per-user MFA overrides Conditional Access policies if both are configured.
Security Defaults
Security Defaults is a baseline security policy for tenants created after October 2019. It enforces MFA for all users, blocks legacy authentication, and requires administrators to use MFA. Security Defaults can be disabled if you use Conditional Access. It is a good starting point for small organizations.
Timeouts and Lockout
MFA session timeout: Controlled by Conditional Access session controls. Default is 0 (session persists until browser is closed).
SSPR lockout: After 5 failed attempts to reset password, the user is locked out for 5 minutes.
SMS code expiry: 5 minutes.
Authenticator notification timeout: The notification expires after 2 minutes.
Verification Commands
To check MFA registration status for a user:
Get-MgUser -UserId user@domain.com -Property Id, StrongAuthenticationRequirements | Select-Object -ExpandProperty StrongAuthenticationMethodsTo check SSPR status:
Get-MgUser -UserId user@domain.com -Property Id, PasswordPolicies | Select-Object -ExpandProperty PasswordPoliciesTo enable per-user MFA:
$user = Get-MsolUser -UserPrincipalName user@domain.com
$user.StrongAuthenticationRequirements.Add(@{RelyingParty = "*"})
Set-MsolUser -UserPrincipalName user@domain.com -StrongAuthenticationRequirements $user.StrongAuthenticationRequirementsInterplay with Password Protection
Azure AD Password Protection blocks weak passwords and common variations. When a user resets their password via SSPR, the new password is checked against the banned password list. If the password is weak, the reset fails. This is configured in Azure AD > Security > Authentication methods > Password protection.
Licensing
MFA is available with all Microsoft 365 licenses, but some features require premium licenses: - Azure AD Free: MFA via Security Defaults or per-user MFA (limited methods). - Azure AD Premium P1: Conditional Access policies for MFA, SSPR with cloud-only users. - Azure AD Premium P2: Risk-based Conditional Access, Identity Protection, and SSPR with writeback for on-premises users.
SSPR requires Azure AD Premium P1 or P2 for on-premises password writeback. Cloud-only SSPR is available with P1.
Common Misconfigurations
Not enabling combined registration: Users have to register twice.
Not blocking legacy authentication: Attackers can bypass MFA using legacy protocols.
Incorrect SSPR scope: Setting SSPR to 'None' or 'Selected' instead of 'All'.
Not configuring password writeback: On-premises users cannot reset their passwords.
Configure MFA via Conditional Access
Navigate to Azure AD > Security > Conditional Access > New policy. Name the policy (e.g., 'Require MFA for All Users'). Under Assignments, select 'All users' (or specific groups). Under Cloud apps or actions, select 'All cloud apps'. Under Conditions, you can configure locations (e.g., exclude trusted IPs). Under Access controls, select 'Grant' and check 'Require multi-factor authentication'. Enable the policy and set it to 'On'. This policy will evaluate every sign-in and challenge users who meet the conditions.
Enable Combined Registration
Go to Azure AD > User settings > Combined registration. Set 'Users can use the combined registration experience' to 'Yes'. Optionally, choose which users are included (e.g., 'All users' or selected groups). This allows users to register authentication methods for both MFA and SSPR in one flow at https://aka.ms/mfasetup. The registration experience includes setting up methods like Microsoft Authenticator, phone, email, and security questions.
Configure SSPR Settings
In Azure AD > Password reset, configure the following: Under Properties, set 'Self-service password reset enabled' to 'All' (or 'Selected' for pilot). Under Authentication methods, select the number of methods required to reset (default: 2). Choose which methods are available (e.g., email, mobile phone, security questions). Under Registration, set 'Require users to register when signing in' to 'Yes' and set the number of days before re-registration (default: 180). Under Notifications, configure email notifications to users and admins.
Enable Registration Campaign
Go to Azure AD > Security > Authentication methods > Registration campaign. Set 'State' to 'Enabled'. Choose 'Targeted users' or 'All users'. The campaign will send up to 3 reminders to users who are required to register but haven't. The reminders appear in the Microsoft 365 admin center and via email. This is useful to drive adoption of MFA and SSPR registration.
Test MFA and SSPR Flow
As a test user, sign in to https://portal.office.com. If MFA is required, you will be prompted to set up a method (if not registered) or approve a notification. After sign-in, navigate to https://passwordreset.microsoftonline.com to test SSPR. Enter your username, complete CAPTCHA, and follow the prompts to reset your password using registered methods. Verify that the new password works. Check audit logs in Azure AD > Security > Audit logs to see successful and failed attempts.
Enterprise Scenario 1: Enforcing MFA for All Users
A multinational company with 50,000 users needs to enforce MFA for all cloud app access. The solution is to create a Conditional Access policy targeting all users and all cloud apps, requiring MFA. They exclude a group of service accounts that use modern authentication (e.g., Microsoft Authenticator for service accounts). They also configure trusted IPs for corporate offices to reduce MFA prompts. The policy includes a session control to require re-authentication every 24 hours. Once deployed, the helpdesk sees a 60% reduction in account compromise incidents. The biggest challenge is user adoption; they use registration campaigns and training to ensure users register their methods. Performance is not an issue because Azure AD handles the authentication flow.
Enterprise Scenario 2: SSPR with Password Writeback
A hybrid organization with on-premises Active Directory wants users to reset their own passwords. They enable SSPR for all users and configure password writeback to sync new passwords to on-premises AD via Azure AD Connect. They require two authentication methods (mobile phone and email). They also enable combined registration. The SSPR portal is customized with the company logo. After deployment, helpdesk calls drop by 40%. A common misconfiguration is not setting the correct permissions for the Azure AD Connect service account to write passwords back. They monitor the writeback via the Azure AD Connect health dashboard.
Enterprise Scenario 3: Risk-Based MFA with Identity Protection
A financial services firm uses Azure AD Premium P2 to implement risk-based MFA. They configure Conditional Access policies that require MFA when sign-in risk is medium or above, and require password change when user risk is high. They use Identity Protection to detect leaked credentials and anonymous IP addresses. This minimizes friction for low-risk sign-ins while protecting high-risk ones. The challenge is tuning the risk thresholds to balance security and user experience. They set sign-in risk policy to require MFA for medium and above, and user risk policy to block or force password change for high risk. They also set up alerts for risky users.
MS-102 Exam Focus on MFA and SSPR (Objective 2.5)
The exam tests your ability to configure and manage MFA and SSPR in Microsoft 365. Key areas: - Configure authentication methods: Know the supported methods and their order of precedence (Microsoft Authenticator, SMS, voice call, etc.). - Combined registration: Understand that it unifies MFA and SSPR registration. - Registration campaigns: Know that they nudge users to register and can be targeted. - Conditional Access vs per-user MFA: The exam emphasizes using Conditional Access over per-user MFA. Per-user MFA is legacy and overrides Conditional Access. - SSPR settings: Know the default number of methods required for reset (2), registration grace period (180 days), and lockout thresholds (5 attempts, 5 minutes). - Password writeback: Required for on-premises users; requires Azure AD Premium P1 or P2. - Security Defaults: Know that it is a baseline that enables MFA for all users and blocks legacy authentication.
Common Wrong Answers
Choosing per-user MFA when Conditional Access is better: Candidates think per-user MFA is simpler, but the exam expects you to choose Conditional Access for granular control.
Enabling SSPR without combined registration: The exam expects you to enable combined registration to simplify user experience.
Not configuring password writeback for hybrid users: Candidates assume SSPR works for all users, but on-premises users need writeback.
Setting SSPR to 'None' instead of 'All': The question may ask for self-service password reset for all users; 'None' is a trap.
Specific Numbers and Values
Default MFA session timeout: 0 (until browser closed) unless configured.
SSPR lockout: 5 failed attempts, 5-minute lockout.
SMS code expiry: 5 minutes.
Registration campaign reminders: up to 3.
Number of methods required for SSPR: default 2.
Edge Cases
Blocking legacy authentication: Always recommended to prevent MFA bypass.
Service accounts: Exclude from MFA policies if they use modern auth; otherwise, use Conditional Access with device compliance.
Guest users: MFA policies apply to guests if included in scope.
How to Eliminate Wrong Answers
Understand the mechanism: MFA challenges are issued after primary authentication. If a policy requires MFA, the user must complete it before receiving tokens. SSPR uses a separate portal. If an answer suggests that SSPR can be used to reset MFA methods, it is wrong (MFA methods are managed via combined registration). Always check if the scenario involves on-premises users — if yes, password writeback is needed.
MFA requires two or more factors: something you know, have, or are.
Conditional Access is the preferred method to enforce MFA, not per-user MFA.
Combined registration simplifies user experience for MFA and SSPR.
SSPR for on-premises users requires password writeback via Azure AD Connect.
Security Defaults provide baseline security but can be disabled if using Conditional Access.
Registration campaigns send up to 3 reminders to nudge users to register.
Block legacy authentication to prevent MFA bypass.
Default SSPR lockout: 5 failed attempts, 5-minute lockout.
Authentication methods have precedence: Microsoft Authenticator is recommended.
Azure AD Premium P1 or P2 required for Conditional Access and SSPR writeback.
These come up on the exam all the time. Here's how to tell them apart.
Per-User MFA
Legacy configuration enabled per user.
Forces MFA on every sign-in regardless of context.
No conditions or exceptions (except trusted IPs).
Overrides Conditional Access if both are enabled.
Limited to basic authentication methods.
Conditional Access MFA
Modern, policy-based configuration.
Can require MFA based on user, location, device, app, risk.
Supports session controls (e.g., re-authentication frequency).
Can exclude specific users or scenarios.
Integrates with Identity Protection for risk-based MFA.
Mistake
MFA and SSPR require separate registrations.
Correct
Combined registration allows users to register once for both MFA and SSPR. This is the recommended configuration in Azure AD.
Mistake
Per-user MFA is the same as Conditional Access MFA.
Correct
Per-user MFA is a legacy setting that forces MFA on every sign-in for specific users. Conditional Access provides granular control based on conditions like location, device, and risk.
Mistake
SSPR works for on-premises users without any additional configuration.
Correct
For on-premises users, SSPR requires password writeback enabled via Azure AD Connect. Without writeback, the password reset only applies to cloud accounts.
Mistake
Security Defaults cannot be disabled.
Correct
Security Defaults can be disabled in Azure AD > Properties. However, disabling them requires you to implement equivalent security via Conditional Access.
Mistake
Registration campaigns force users to register immediately.
Correct
Registration campaigns send reminders (up to 3) but do not block sign-in. Users can postpone registration. To enforce registration, use Conditional Access with a policy that requires registration.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Per-user MFA is a legacy setting that forces a user to use MFA every time they sign in, with no conditions. Conditional Access MFA is policy-based and can require MFA based on user, location, device, application, or risk. Conditional Access is more flexible and is the recommended approach. Per-user MFA overrides Conditional Access if both are configured for the same user. For the exam, always choose Conditional Access unless the question explicitly mentions per-user.
SSPR for cloud-only users is available with Azure AD Free (via Security Defaults) or any paid license. However, SSPR with password writeback for on-premises users requires Azure AD Premium P1 or P2. Additionally, Conditional Access policies for MFA require P1. The exam often tests this licensing distinction.
Create a Conditional Access policy targeting 'All users' but exclude the break-glass accounts (emergency access accounts). Set the policy to require MFA for all cloud apps. Ensure break-glass accounts are excluded from the policy and have strong passwords and no MFA to avoid lockout. Also, exclude them from any other policies that might block access.
After 5 failed attempts to reset the password, the user is locked out for 5 minutes. During this time, they cannot attempt another reset. The lockout applies per user. This is a default setting that can be changed via PowerShell (Set-MsolPasswordResetPolicy). The exam may ask about the default lockout threshold.
Yes, with Azure AD Premium P2 and Identity Protection. You can create a Conditional Access policy that requires MFA when sign-in risk is medium or high. This reduces friction for low-risk sign-ins. The exam may present a scenario where you need to implement risk-based MFA, and you must know that it requires P2 licensing.
Combined registration allows users to register authentication methods once for both MFA and SSPR. Without it, users would have to register separately for each service. It is enabled in Azure AD > User settings. The exam expects you to enable combined registration to improve user experience. The registration URL is https://aka.ms/mfasetup.
Create a Conditional Access policy that blocks access for legacy authentication clients. Under Conditions > Client apps, check 'Exchange ActiveSync clients' and 'Other clients' (which includes legacy protocols). Set the grant control to 'Block access'. This ensures that only modern authentication clients (which can enforce MFA) can access resources.
You've just covered MFA and SSPR Administration — now see how well it sticks with free MS-102 practice questions. Full explanations included, no account needed.
Done with this chapter?