This chapter covers two critical components of Azure AD identity management: Microsoft Authenticator for multi-factor authentication (MFA) and Self-Service Password Reset (SSPR). These features directly support security and usability, and are heavily tested on the SC-900 exam, appearing in roughly 15-20% of questions on Identity and Access Management. You will learn how Authenticator works, how SSPR enables secure password recovery, and how both integrate with Azure AD to enforce strong authentication and reduce help desk workload. Mastering these topics is essential for passing the SC-900 and understanding real-world identity protection.
Imagine a secure office building with a strict bouncer at the front desk (Microsoft Authenticator). Every employee has a badge (password), but the bouncer also requires a second check: a one-time code sent to their personal phone. The bouncer verifies the code before granting access. This is Microsoft Authenticator generating time-based one-time passwords (TOTP) or push notifications for multi-factor authentication.
Now, suppose an employee forgets their badge (password). They can't get in without proving identity another way. The building has a spare key system (SSPR). The employee goes to a self-service kiosk, answers pre-registered security questions (like 'What was your first pet's name?'), verifies via a secondary email, and then gets a temporary badge (reset password) to enter. The bouncer logs the entire process and reports to security (Azure AD logs). The spare key system works only if the employee has pre-registered their verification methods. Without registration, they're locked out and must call the building manager (help desk). This analogy shows how Authenticator provides strong second-factor verification, while SSPR allows users to recover from password loss without admin intervention, reducing help desk calls.
What is Microsoft Authenticator?
Microsoft Authenticator is a mobile application that provides an additional layer of security for Azure AD sign-ins. It is a form of multi-factor authentication (MFA) that requires something you know (password) plus something you have (the app on your phone). The app supports two primary methods: time-based one-time passwords (TOTP) and push notifications. TOTP generates a six-digit code that changes every 30 seconds based on a shared secret and the current time (RFC 6238). Push notifications send a prompt to the user's phone asking them to approve or deny the sign-in attempt, including details like location and device.
How Authenticator Works Internally
When a user registers Microsoft Authenticator, Azure AD generates a shared secret (a key) that is stored in the app and in Azure AD. For TOTP, this secret is combined with the current time (in 30-second intervals) using a cryptographic hash to produce a six-digit code. The server performs the same calculation; if the codes match, the user is authenticated. For push notifications, Azure AD sends a notification to the app via the Microsoft Notification Service (MNS) or Apple Push Notification Service (APNs) for iOS. The app displays sign-in details, and the user's approval sends a signed response back to Azure AD, verifying the user's identity. The app also supports phone sign-in (passwordless) where the user enters a number on the sign-in screen and then approves the notification, eliminating the need for a password.
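To make the TOTP half of this mechanism concrete, here is an added Python example (not Microsoft's code or the Authenticator app's implementation) of RFC 6238 code generation and server-side verification with the 30-second step described above. The shared secret is the RFC 6238 test-vector secret in base32; the one-step clock-skew tolerance and the replay guard are assumptions about a typical verifier, not something the page states about Azure AD.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 time step; Authenticator codes rotate every 30 s
DIGITS = 6          # Authenticator shows six-digit codes

# Constructed sample: the RFC 6238 test-vector secret "12345678901234567890",
# base32-encoded the way a registration QR code carries it.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 shared secret, tolerating missing '=' padding."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_at(secret_b32: str, unix_time: int) -> str:
    """What the app shows at a given time: HOTP with counter = floor(time / 30)."""
    return hotp(decode_secret(secret_b32), unix_time // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_accepted_counter: int = -1, skew_steps: int = 1):
    """Server-side check of a submitted code.

    Recomputes the code for the current step and +/- skew_steps neighbouring
    steps (assumed tolerance for clock drift), compares in constant time, and
    refuses any counter at or before the last accepted one so a code cannot be
    replayed inside its 30-second window. Returns the accepted counter, or None.
    """
    key = decode_secret(secret_b32)
    base = unix_time // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        counter = base + delta
        if counter <= last_accepted_counter:
            continue  # replay guard: this step was already consumed
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp_at(SAMPLE_SECRET_B32, now)
    print("code now:", code, "-> accepted counter:", verify_totp(SAMPLE_SECRET_B32, code, now))
```

The first three assertions below are the published RFC 6238 SHA-1 test vectors truncated to six digits, which is how you can check any TOTP implementation against the standard.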
Key Components, Values, Defaults, and Timers
TOTP Code Validity: Each code is valid for 30 seconds. If the code is not used within that window, it expires and a new one is generated.
Push Notification Timeout: If the user does not respond to a push notification within 30 seconds, the request times out and the sign-in fails.
Registration: Users can register up to 5 Authenticator apps on a single account. Each app has its own shared secret.
Passwordless Phone Sign-in: This feature must be enabled by the tenant administrator via the Azure AD admin center under "Authentication methods" > "Microsoft Authenticator".
Security Defaults: If security defaults are enabled, Microsoft Authenticator is automatically required for all users when using MFA.
Conditional Access: Administrators can require Authenticator for specific users, groups, or applications via Conditional Access policies.
What is Self-Service Password Reset (SSPR)?
SSPR allows users to reset their own passwords without contacting a help desk. It reduces IT support costs and improves user productivity. SSPR requires Azure AD Premium P1 or P2 licensing. The feature must be enabled and configured by an administrator. Users must register their authentication methods before they can use SSPR.
How SSPR Works Internally
When a user attempts to reset their password, they go to the SSPR portal (https://passwordreset.microsoftonline.com). They enter their username and complete a CAPTCHA. Then they must verify their identity by providing information from pre-registered authentication methods. Common methods include:
- Email: A one-time code sent to an alternate email address.
- Mobile Phone: A phone call or SMS with a verification code.
- Office Phone: A phone call with a verification code.
- Security Questions: Pre-defined questions (e.g., "What is your favorite color?").
- Mobile App Notification: A push notification via Microsoft Authenticator.
- Mobile App Code: A TOTP code from Microsoft Authenticator.
The user must complete the number of verification steps required by the administrator (typically 1 or 2). Once verified, the user can set a new password that meets the tenant's password policy. The new password is then synchronized to on-premises Active Directory if password hash synchronization or pass-through authentication is configured.
Key SSPR Configuration Values and Defaults
Number of methods required: Default is 2. Can be set to 1 or 2.
Number of methods available to users: Default is 2. Users must register at least this many methods.
Registration: Users must register their methods before first use. Administrators can enforce registration via the "Registration campaign" feature in Azure AD.
Password writeback: To enable on-premises password synchronization, password writeback must be enabled in Azure AD Connect.
Lockout: SSPR has a built-in lockout feature: if a user attempts to reset too many times in a short period (default: 10 attempts in 30 minutes), they are locked out for 24 hours.
Administrator reset: Administrators cannot use SSPR to reset their own passwords if they have the "Global Administrator" role. They must use a different method.
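The lockout rule above (10 attempts in 30 minutes, then a 24-hour lock), modelled as an added Python example that is not Microsoft's implementation. The page does not say exactly how Azure AD counts attempts, so treating the 10th attempt inside a sliding 30-minute window as the one that is refused and starts the lock is a modelling assumption; the reset attempts replayed at the end are constructed sample data.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 30 * 60        # page default: attempts are counted over 30 minutes
MAX_ATTEMPTS = 10               # page default: 10 attempts in that window
LOCKOUT_SECONDS = 24 * 60 * 60  # page default: locked out for 24 hours


class SsprLockout:
    """Sliding-window lockout model for SSPR attempts.

    Assumption: the 10th attempt inside a 30-minute window is refused and
    starts the 24-hour lock; attempts made during the lock are refused and
    not counted.
    """

    def __init__(self, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS,
                 lockout=LOCKOUT_SECONDS):
        self.window, self.max_attempts, self.lockout = window, max_attempts, lockout
        self._attempts = defaultdict(deque)  # user -> timestamps of recent attempts
        self._locked_until = {}              # user -> unix time the lock expires

    def locked_until(self, user, now):
        """Return the lock expiry if the user is currently locked, else None."""
        until = self._locked_until.get(user)
        return until if until is not None and now < until else None

    def attempt(self, user, now):
        """Record one reset attempt at time `now`; return (allowed, locked_until)."""
        until = self.locked_until(user, now)
        if until is not None:
            return False, until
        recent = self._attempts[user]
        recent.append(now)
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop attempts that fell out of the 30-minute window
        if len(recent) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout
            recent.clear()
            return False, self._locked_until[user]
        return True, None


def replay(events):
    """Replay (unix_time, user) reset attempts in time order and return
    {user: locked_until} for every user that got locked out."""
    model = SsprLockout()
    locked = {}
    for ts, user in sorted(events):
        allowed, until = model.attempt(user, ts)
        if not allowed and user not in locked:
            locked[user] = until
    return locked


# Constructed sample: "alice" retries every minute, "bob" spreads ten attempts
# over 45 minutes (never ten inside one 30-minute window), "carol" tries once.
SAMPLE_EVENTS = (
    [(1_700_000_000 + i * 60, "alice") for i in range(12)]
    + [(1_700_000_000 + i * 300, "bob") for i in range(10)]
    + [(1_700_000_000, "carol")]
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```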
How Authenticator and SSPR Interact with Related Technologies
Azure AD Identity Protection: Can detect risky sign-ins and require MFA via Authenticator. Also can trigger password reset for high-risk users.
Conditional Access: Can enforce MFA with Authenticator for specific conditions, and can block sign-ins if MFA is not performed.
Azure AD Connect: Password writeback synchronizes new passwords from Azure AD to on-premises AD, enabling SSPR to work for hybrid environments.
Microsoft Graph: Administrators can configure and monitor SSPR and Authenticator settings via Graph API.
Security Defaults: When enabled, automatically requires MFA registration and SSPR for all users.
Configuration and Verification Commands
To configure SSPR via PowerShell (AzureAD module):
# Connect to Azure AD
Connect-AzureAD
# Enable SSPR for all users
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Password Reset"}).Id -Values @{EnablePasswordReset="True"}
# Set number of methods required
Set-AzureADDirectorySetting -Id (Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Password Reset"}).Id -Values @{NumberOfQuestionsRequiredToReset="2"}
To check SSPR status:
Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq "Password Reset"}
To enable Authenticator for MFA via Graph:
# Requires the Microsoft.Graph PowerShell module
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"
# The tenant has a single authentication method policy, so the Authenticator method
# configuration inside it is updated (set to enabled) rather than created
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId "MicrosoftAuthenticator" -BodyParameter @{ "@odata.type" = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"; state = "enabled" }
Detailed Mechanism of Authenticator Push Notification
User attempts to sign in with username and password.
Azure AD evaluates Conditional Access policies and determines MFA is required.
Azure AD sends a push notification to the Microsoft Authenticator app on the registered device via MNS/APNs.
The app displays: sign-in location, application name, and timestamp.
User approves or denies. Approval generates a signed token using the app's private key.
The token is sent to Azure AD, which verifies the signature using the public key stored during registration.
If valid, Azure AD issues an access token and the user is signed in.
SSPR Detailed Flow
User navigates to password reset portal and enters username.
CAPTCHA verification.
User selects verification method (e.g., email).
Azure AD sends a one-time code to the registered email.
User enters the code.
If correct, user is prompted to create a new password.
New password must meet complexity and length requirements (default: 8 characters, requires 3 of 4: uppercase, lowercase, number, symbol).
Password is hashed and stored in Azure AD. If password writeback is enabled, it is also written to on-premises AD.
User can now sign in with the new password.
Register Microsoft Authenticator
The user signs into Azure AD (e.g., via https://myapps.microsoft.com) and navigates to Security Info. They select "Add method" and choose "Microsoft Authenticator". A QR code appears. The user opens the Authenticator app, selects "Add account" (work or school), and scans the QR code. The app generates a shared secret and sends a confirmation to Azure AD. The registration is complete, and the app begins generating TOTP codes. This step is critical because without registration, the user cannot use Authenticator for MFA or passwordless sign-in.
User signs in with MFA
The user enters their username and password on a Microsoft sign-in page (e.g., portal.office.com). Azure AD validates the password and checks Conditional Access policies. If MFA is required, Azure AD sends a push notification to the Authenticator app. The app displays the sign-in details (e.g., location, app). The user approves by tapping "Approve" or entering the number shown on the screen. The app sends a signed response to Azure AD. If the signature is valid, Azure AD issues an access token. The entire process takes about 2-5 seconds.
User forgets password – SSPR initiated
On the sign-in page, the user clicks "Forgot my password". They are redirected to https://passwordreset.microsoftonline.com. They enter their username and complete the CAPTCHA. Azure AD checks if SSPR is enabled for the user. If yes, the user is prompted to verify their identity using pre-registered methods. The user selects, for example, "Email my alternate email" and receives a one-time code. They enter the code. Azure AD verifies it and allows the user to proceed to password reset.
Reset password via SSPR
After successful verification, the user is prompted to create a new password. The password must meet the tenant's password policy (e.g., minimum length, complexity). The user enters the new password twice. Azure AD hashes the password and stores it. If password writeback is enabled via Azure AD Connect, the password is also written to on-premises Active Directory. The user is then notified that the password has been reset and can sign in immediately.
Admin configures SSPR policies
A global administrator navigates to the Azure AD admin center > Password reset > Properties. They enable SSPR for a selected group or all users. Under "Authentication methods", they set the number of methods required (default 2). They also configure registration requirements (e.g., require users to register upon next sign-in). The admin can also enable password writeback under "On-premises integration". These settings are stored as directory settings and can be verified via PowerShell or Graph API.
In a large enterprise with 50,000 employees, deploying Microsoft Authenticator for MFA reduces phishing risks significantly. The company configures Conditional Access to require Authenticator for all cloud app access. Users are guided through a registration campaign via email. The IT help desk sees a 90% reduction in account compromise tickets. However, some users lose their phones. The company enables SSPR with two methods: mobile app notification and alternate email. Users can reset their password from home without calling the help desk. The help desk now handles only 5% of previous password reset calls.
Another scenario: A hybrid organization with on-premises Active Directory uses password writeback. They enable SSPR for all users. When a user resets their password via SSPR, it syncs back to on-prem AD within 30 seconds. This allows the user to access on-premises resources like file shares with the same password. The IT team monitors SSPR usage via Azure AD logs, looking for unusual reset patterns that might indicate compromise.
A common misconfiguration: An admin sets the number of methods required to 1, thinking it's simpler. This weakens security because if a user loses access to that single method (e.g., phone), they cannot reset. Best practice is to require 2 methods. Another issue: users fail to register their methods. The admin must enforce registration via the "Registration campaign" or by making SSPR mandatory. Without registration, users are locked out and must call the help desk, defeating the purpose of SSPR.
Performance considerations: For Authenticator push notifications, the latency depends on the notification service (MNS/APNs). Typically under 2 seconds. For TOTP, no network latency is involved after the initial sync. SSPR is processed entirely in Azure AD; the only delay is the email or SMS delivery, which can take up to 5 minutes in rare cases. The system scales automatically to millions of users.
The SC-900 exam tests your understanding of Microsoft Authenticator and SSPR under objective 2.2: "Describe the capabilities of Microsoft Entra ID." Specifically, you need to know:
- The role of Microsoft Authenticator in MFA and passwordless authentication.
- The difference between TOTP and push notifications.
- SSPR features: self-service password reset, account unlock, and password writeback.
- Licensing requirements: SSPR requires Azure AD Premium P1 or P2.
- Common exam traps:
1. "SSPR can reset passwords for on-premises accounts without any additional configuration." WRONG – you need password writeback via Azure AD Connect.
2. "Microsoft Authenticator is only for MFA." WRONG – it also supports passwordless phone sign-in.
3. "SSPR is available in Azure AD Free." WRONG – only cloud users can reset passwords with Free, but for on-premises writeback, Premium is needed.
4. "Users can use any authentication method for SSPR." WRONG – only methods pre-registered by the user are allowed.
- Key numbers: TOTP code changes every 30 seconds; push notification timeout is 30 seconds; SSPR lockout after 10 attempts in 30 minutes; password writeback syncs within 30 seconds.
- The exam loves to ask: "Which method requires the user to have a mobile device?" Answer: Microsoft Authenticator (both push and TOTP require a smartphone).
- How to eliminate wrong answers: If the question mentions "help desk reduction" or "self-service password reset", the answer is SSPR. If it mentions "second factor" or "additional verification", it's Authenticator or MFA. Always check the licensing requirement – if the question says "without additional cost" and the answer is SSPR with writeback, it's likely wrong because a Premium license is needed.
- Edge case: SSPR cannot be used by users with the Global Administrator role – they must use a different method (e.g., phone call). This is a common exam trap.
Microsoft Authenticator supports two MFA methods: TOTP (6-digit code, 30-second validity) and push notification (requires network).
SSPR allows users to reset their own password without help desk intervention, reducing IT costs.
SSPR with password writeback requires Azure AD Premium P1/P2 and Azure AD Connect with writeback enabled.
Users must pre-register authentication methods before using SSPR; administrators can enforce registration via registration campaign.
Global administrators cannot use SSPR to reset their own passwords; they must use an alternative method.
Microsoft Authenticator can also be used for passwordless sign-in (phone sign-in) when enabled by the admin.
SSPR lockout occurs after 10 failed attempts in 30 minutes, resulting in a 24-hour lockout.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Authenticator (Push Notification)
Requires network connectivity (push via MNS/APNs).
User approves/denies a notification with sign-in details.
Faster for the user – one tap approval.
Can be used for passwordless sign-in (number matching).
Notification timeout is 30 seconds.
Microsoft Authenticator (TOTP Code)
Works offline – no network needed after registration.
User must manually type a 6-digit code from the app.
Slower – requires opening app and typing code.
Cannot be used for passwordless sign-in.
Code changes every 30 seconds.
SSPR (Cloud-Only)
Only resets password in Azure AD.
On-premises password remains unchanged.
User cannot access on-premises resources with new password.
No additional licensing beyond Azure AD Free.
No synchronization required.
SSPR with Password Writeback
Resets password in Azure AD AND on-premises AD.
User can access both cloud and on-premises resources.
Requires Azure AD Premium P1 or P2.
Requires Azure AD Connect with writeback enabled.
Password syncs within 30 seconds.
Mistake
Microsoft Authenticator only works for Azure AD accounts.
Correct
It also supports personal Microsoft accounts (Outlook, Xbox) and third-party accounts that support TOTP (e.g., Google, Facebook).
Mistake
SSPR automatically resets the password in on-premises Active Directory.
Correct
Password writeback must be explicitly enabled in Azure AD Connect. Without it, only the cloud password is reset.
Mistake
You need to install the Microsoft Authenticator app on a work-managed device.
Correct
Users can install it on their personal phones. Azure AD does not require device management for the app to work.
Mistake
SSPR is available in all Azure AD editions without extra licensing.
Correct
SSPR for cloud-only users is available in Free edition, but SSPR with password writeback (for hybrid) requires Azure AD Premium P1 or P2.
Mistake
Microsoft Authenticator push notifications can be bypassed by an attacker if they have the password.
Correct
Push notifications require user approval on the device. Even if an attacker has the password, they cannot approve the notification unless they also have the phone.
Microsoft Authenticator is an app used for multi-factor authentication (MFA) and passwordless sign-in. It provides a second factor (something you have) during sign-in. SSPR (Self-Service Password Reset) is a feature that allows users to reset their own passwords when they forget them. Both enhance security and user convenience, but Authenticator prevents unauthorized access even if a password is compromised, while SSPR reduces help desk calls for password resets. They can work together: Authenticator can be used as a verification method for SSPR.
Yes, for TOTP codes. The app generates codes offline using a shared secret and the device's clock. However, push notifications require an internet connection to receive the notification. So if you are offline, you can still use TOTP but not push notifications. For exam purposes, remember that TOTP works offline.
SSPR with password writeback requires Azure AD Premium P1 or P2 licenses for all users who need the writeback capability. Azure AD Free allows SSPR for cloud-only users without writeback. For hybrid environments, Premium licenses are mandatory. The exam often tests this distinction.
Sign in to https://myapps.microsoft.com with your work or school account. Go to Security Info, click '+ Add method', select 'Microsoft Authenticator', and follow the prompts to scan a QR code with the app. You can also register via the Azure AD admin portal or during the sign-in process if the admin has enabled registration campaign.
The user will be unable to use MFA or passwordless sign-in. They must contact the help desk to reset their MFA registration. To prevent lockout, users should register multiple MFA methods (e.g., phone call, SMS) or use SSPR with alternative methods to regain access. Administrators can also temporarily disable MFA for the user and require re-registration.
Yes, SSPR includes account unlock. When a user is locked out due to too many failed sign-in attempts, they can use SSPR to reset their password and unlock the account in one step. This is a key feature tested on the exam.
The default is 2. Administrators can change it to 1, but 2 is recommended for security. The exam may ask about this default value.