Authentication Methods and Self-Service Password Reset
Implement and manage modern authentication methods — from passwordless to MFA — and configure SSPR to reduce help desk calls.
Authentication at the Expert level
You already know what MFA is. At the Expert level, the question is: how do you deploy the RIGHT authentication methods across 20,000 users with different devices, roles, and risk profiles?
Think of it like a building with multiple entrances. Some doors need a key card (password), some need a fingerprint (biometric), some need both (MFA), and some need a special badge that only works during business hours (conditional). Your job is designing which doors use which locks — and making sure everyone can get in without calling security every five minutes.
Authentication methods landscape
| Method | Security Level | Phishing Resistant | Best For |
|---|---|---|---|
| Password only | Low | No | Legacy — being eliminated |
| Password + SMS OTP | Medium | No | Transition — better than password only, but SMS can be intercepted |
| Password + Authenticator push | Good | No | Standard MFA for most organisations |
| Authenticator passwordless | Strong | No | Users who want phone-based passwordless |
| FIDO2 security key | Very strong | Yes | High-security roles, shared workstations |
| Windows Hello for Business | Very strong | Yes | Corporate-managed Windows devices |
| Certificate-based auth | Very strong | Yes | Government, regulated industries, smart cards |
| Passkeys | Very strong | Yes | Future standard — device-bound or synced |
Configuring authentication methods
Authentication methods are managed in Entra admin center > Protection > Authentication methods > Policies.
Each method can be:
- Enabled for all users or targeted to specific groups
- Configured with method-specific settings (e.g., FIDO2 key restrictions, Authenticator number matching)
Priya’s authentication strategy for GlobalReach:
| User Group | Primary Method | Secondary Method | Why |
|---|---|---|---|
| Executives | Windows Hello for Business | FIDO2 key (backup) | Phishing-resistant, high-value targets |
| Office workers | Microsoft Authenticator (passwordless) | SMS (fallback only) | Balance of security and usability |
| Frontline workers | FIDO2 security keys | Authenticator push | Shared devices, can’t use biometrics |
| External contractors | Authenticator push (with number matching) | Email OTP | B2B guests use their own devices |
Exam tip: Number matching is now mandatory
Microsoft Authenticator push notifications now require number matching by default — the user must enter a number displayed on the sign-in screen into the Authenticator app. This prevents MFA fatigue attacks where attackers spam push notifications hoping the user approves one.
The exam may ask: “How does Priya prevent MFA fatigue attacks?” → Number matching is already enforced by default on Authenticator push notifications.
Self-Service Password Reset (SSPR)
SSPR lets users reset their own passwords without calling the help desk. At 20,000 users, this is essential — Priya estimates it reduces help desk tickets by 30-40%.
SSPR configuration
| Setting | Options | Recommendation |
|---|---|---|
| Enabled for | None, Selected group, All | All users (after pilot with selected group) |
| Authentication methods required | 1 or 2 methods | 2 methods (more secure) |
| Methods available | Email, phone, security questions, Authenticator, FIDO2 | Email + Authenticator (avoid security questions) |
| Registration enforcement | Require registration at sign-in | Yes — force users to register methods |
| Registration reconfirmation | Days before re-confirmation | 180 days |
| Password writeback | Write reset passwords back to on-prem AD | Enable (requires Entra Connect or Cloud Sync) |
Password writeback
In hybrid environments, SSPR needs to write the new password back to on-premises AD. Without writeback:
- User resets password in the cloud
- Cloud password changes
- On-prem password stays the same
- User has two different passwords — chaos
Password writeback solves this by synchronising the new cloud password back to AD. It’s configured in the sync tool (Connect Sync or Cloud Sync) and works with password hash sync, pass-through authentication, and AD FS federation.
Deep dive: Combined SSPR and MFA registration
Microsoft now uses combined registration — users register for both SSPR and MFA in a single experience. When a user signs in for the first time (or is prompted to register), they set up methods that work for both:
- Microsoft Authenticator → works for MFA push AND SSPR verification
- Phone number → works for MFA SMS/call AND SSPR phone verification
- Email → works for SSPR only (not MFA)
Combined registration is enabled by default. The exam may ask where to manage it: Entra admin center > Protection > Authentication methods > Registration > Combined registration.
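The combined-registration rules above (which methods count for MFA, which for SSPR, and which are phishing-resistant), together with Priya's per-group strategy table and the recommendation to require two SSPR methods, can be turned into a registration-coverage audit. The script below is an added example, not Microsoft's code and not part of the course material. It assumes report rows shaped like the Graph user registration details report (`userPrincipalName` plus a `methodsRegistered` list); the method names in the capability table, the group-membership map and all sample rows are constructed for illustration, so check them against your own tenant's export before relying on the output.

```python
"""Registration-coverage audit for Entra ID authentication methods.

Added example: checks each user's registered methods against the group
strategy and SSPR recommendations described on this page. The report
shape (userPrincipalName + methodsRegistered) and the method names are
assumptions modelled on the Graph userRegistrationDetails report.
"""
from __future__ import annotations

from dataclasses import dataclass

# Capability of each registered method: (counts for MFA, counts for SSPR,
# phishing resistant). MFA/phishing-resistance follow the landscape table;
# SSPR follows the "Methods available" row and the combined-registration
# rule that email works for SSPR only. Method names are assumed.
METHODS: dict[str, tuple[bool, bool, bool]] = {
    "microsoftAuthenticatorPush":         (True,  True,  False),
    "microsoftAuthenticatorPasswordless": (True,  True,  False),
    "mobilePhone":                        (True,  True,  False),  # SMS / voice call
    "email":                              (False, True,  False),
    "securityQuestion":                   (False, True,  False),
    "fido2SecurityKey":                   (True,  True,  True),
    "windowsHelloForBusiness":            (True,  False, True),
}


@dataclass(frozen=True)
class GroupPolicy:
    """What a user group must have registered (from Priya's strategy table)."""
    require_phishing_resistant: bool
    sspr_methods_required: int = 2  # page recommends requiring 2 methods for SSPR


POLICY = {
    "Executives":           GroupPolicy(require_phishing_resistant=True),
    "Office workers":       GroupPolicy(require_phishing_resistant=False),
    "Frontline workers":    GroupPolicy(require_phishing_resistant=True),
    "External contractors": GroupPolicy(require_phishing_resistant=False),
}


def evaluate(methods_registered: list[str], group: str) -> list[str]:
    """Return findings for one user; an empty list means the user is compliant."""
    policy = POLICY[group]
    known = [m for m in methods_registered if m in METHODS]
    findings = []
    # Methods this script does not know are reported, not silently trusted.
    for m in methods_registered:
        if m not in METHODS:
            findings.append(f"unrecognised method ignored: {m}")
    mfa_capable = any(METHODS[m][0] for m in known)
    sspr_count = sum(1 for m in known if METHODS[m][1])
    phishing_resistant = any(METHODS[m][2] for m in known)
    if not mfa_capable:
        findings.append("no MFA-capable method registered")
    if sspr_count < policy.sspr_methods_required:
        findings.append(
            f"SSPR needs {policy.sspr_methods_required} methods, user has {sspr_count}"
        )
    if policy.require_phishing_resistant and not phishing_resistant:
        findings.append("group requires a phishing-resistant method; none registered")
    if "securityQuestion" in known:
        findings.append("security questions registered; page recommends avoiding them")
    return findings


def audit(report: list[dict], group_of: dict[str, str]) -> dict[str, list[str]]:
    """Run evaluate() over every report row; return only users with findings."""
    results: dict[str, list[str]] = {}
    for row in report:
        upn = row["userPrincipalName"]
        findings = evaluate(row["methodsRegistered"], group_of[upn])
        if findings:
            results[upn] = findings
    return results


# Constructed sample rows and group membership (not a real tenant export).
SAMPLE_REPORT = [
    {"userPrincipalName": "ceo@globalreach.example",
     "methodsRegistered": ["windowsHelloForBusiness", "fido2SecurityKey",
                           "microsoftAuthenticatorPush"]},
    {"userPrincipalName": "cfo@globalreach.example",
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "analyst@globalreach.example",
     "methodsRegistered": ["microsoftAuthenticatorPasswordless", "email"]},
    {"userPrincipalName": "store01@globalreach.example",
     "methodsRegistered": ["fido2SecurityKey"]},
    {"userPrincipalName": "contractor@partner.example",
     "methodsRegistered": ["email", "securityQuestion"]},
]
SAMPLE_GROUPS = {
    "ceo@globalreach.example": "Executives",
    "cfo@globalreach.example": "Executives",
    "analyst@globalreach.example": "Office workers",
    "store01@globalreach.example": "Frontline workers",
    "contractor@partner.example": "External contractors",
}

if __name__ == "__main__":
    for upn, findings in audit(SAMPLE_REPORT, SAMPLE_GROUPS).items():
        print(upn)
        for finding in findings:
            print("  -", finding)
```

In the sample data the CFO is flagged because an executive with only Authenticator push and a phone has nothing phishing-resistant, the frontline account is flagged because a single FIDO2 key does not satisfy the two-method SSPR recommendation, and the contractor is flagged twice (no MFA-capable method, and security questions). Replace `SAMPLE_REPORT` with your own export and `SAMPLE_GROUPS` with group membership from your directory to run it for real.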
Key concepts to remember
Knowledge check
Priya enables SSPR for all GlobalReach users with password writeback. A user in Singapore resets their password via the cloud portal, but their on-premises AD password doesn't change. What should Priya check?
Elena wants to enforce phishing-resistant authentication for MedGuard Health's administrators who access sensitive patient data systems. Which authentication method should she require?
Next up: Password Protection and Authentication Troubleshooting — banning weak passwords and diagnosing sign-in failures.