MFA, SSPR & Password Protection
Configure tenant-wide MFA settings, deploy self-service password reset, disable compromised accounts, and protect against weak passwords with Entra password protection.
MFA: the non-negotiable baseline
MFA is like a door that needs two different keys to open.
Your password is one key. But if someone steals it (phishing, breach, sticky note), they still can’t get in because they need the second key — your phone, your fingerprint, or a hardware token. No single stolen key is enough.
SSPR is the “forgot your keys?” desk downstairs. Instead of calling the building manager (IT helpdesk) every time, you prove who you are another way and get a new key yourself. Saves everyone time.
MFA methods compared
| Feature | Method | Strength | User Experience |
|---|---|---|---|
| Microsoft Authenticator (push) | Strong — NOT phishing-resistant (even with number matching) | High | Tap approve + enter number |
| FIDO2 security key | Strongest — phishing-resistant | High | Insert/tap key + PIN or biometric |
| Windows Hello for Business | Strongest — phishing-resistant | High | Face, fingerprint, or PIN |
| Authenticator TOTP code | Good — not phishing-resistant | Medium | Open app, type 6-digit code |
| Hardware OATH token | Good | Medium | Read code from hardware device |
| SMS | Weakest — vulnerable to SIM swap | Low friction | Receive text, type code |
| Voice call | Weak | Low friction | Answer call, press # |
Tenant-wide MFA settings
Where MFA is configured (three places — the exam tests this):
- Security defaults — one-click MFA for everyone. Good for small orgs. Cannot be customised. Requires Authenticator app.
- Per-user MFA (legacy) — enable/enforce MFA per user. Being deprecated. No group targeting, no Conditional Access integration.
- Conditional Access — the recommended approach. Target by user/group, app, risk level, location, device state. Full control.
| Feature | Security Defaults | Per-User MFA (Legacy) | Conditional Access |
|---|---|---|---|
| Granularity | All or nothing | Per user | Per user/group/app/condition |
| Method choice | Authenticator only | All enabled methods | All + authentication strength |
| Risk-based | No | No | Yes |
| Licence required | Free | Free | Entra ID P1+ |
| Customisable | No | Limited | Full |
| Microsoft recommendation | Small orgs without P1 | Migrate away | ✅ Use this |
Exam tip: security defaults vs Conditional Access
Security defaults and Conditional Access are mutually exclusive — you cannot enable both. When you create your first CA policy, you must disable security defaults first.
If the exam asks how to enforce MFA for all users AND apply different rules for different groups, the answer is Conditional Access (security defaults can’t do per-group rules).
Self-service password reset (SSPR)
SSPR lets users reset their own passwords through a web portal (passwordreset.microsoftonline.com) or the Windows lock screen.
SSPR configuration
| Setting | Options | Notes |
|---|---|---|
| Enabled for | None / Selected group / All | Start with a pilot group, then expand |
| Methods required | 1 or 2 | 2 is more secure — user must verify with two different methods |
| Methods available | Authenticator, email, phone, security questions, etc. | Choose at least the number required + 1 extra |
| Registration required | Yes (at next sign-in) | Users register their methods before they need them |
| Reconfirm after | 0–730 days | How often users must verify their methods are current |
SSPR methods available
- Microsoft Authenticator (notification or code)
- Email (verification code to alternate email)
- Mobile phone (SMS or voice call)
- Office phone (voice call)
- Security questions (only for SSPR, not MFA — and NOT recommended for high security)
Scenario: Jake configures SSPR at Coastline Creative
Coastline Creative’s 35 staff are constantly calling Jake to reset passwords — especially after holidays. He sets up SSPR:
- Enable SSPR for all users (small org, no need for a pilot)
- Require 2 methods for reset (more secure)
- Enable: Authenticator notification, mobile phone SMS, and alternate email
- Require registration at next sign-in — users pick at least 2 methods
- Reconfirm every 180 days — keeps methods current
Result: Password resets drop from 8 helpdesk tickets per week to near zero. Staff reset their own passwords in under a minute.
Password writeback
In hybrid environments, SSPR can write password changes back to on-premises AD — so a user who resets their password in the cloud also updates their on-prem AD password.
Requirements:
- Entra Connect or Entra Connect cloud sync with password writeback enabled
- Entra ID P1 or P2 licence
- The Entra Connect service account needs appropriate AD permissions
Exam tip: password writeback requires P1
Cloud-only SSPR works with Entra ID Free (limited) or P1/P2. But password writeback to on-prem AD requires Entra ID P1 or P2. If an exam question mentions hybrid and SSPR, check whether writeback is needed — that changes the licence requirement.
Disabling accounts and revoking sessions
When an account is compromised, speed matters. Two immediate actions:
1. Disable the account (block sign-in)
- Entra admin center → Users → select user → Edit properties → Block sign-in = Yes
- Prevents new sign-ins immediately
- Does NOT invalidate existing tokens — the user’s current sessions may stay active until tokens expire (up to 1 hour for access tokens)
2. Revoke all sessions
- Entra admin center → Users → select user → Revoke sessions
- Invalidates all refresh tokens immediately
- Forces re-authentication on all devices at next token refresh
- Combined with blocked sign-in, this effectively locks the user out everywhere
Scenario: Dex handles a compromised account
Dex gets an alert from ID Protection: Ravi’s account shows a sign-in from an unusual country at 3 AM. Ravi confirms he didn’t sign in.
Dex’s response (in order):
- Block sign-in — prevents the attacker from signing in again
- Revoke all sessions — kills existing tokens so the attacker’s current session is terminated at next token refresh
- Reset password — ensures the compromised password can’t be reused
- Check sign-in logs — what did the attacker access? Any inbox rules created? Any data downloaded?
- Require MFA re-registration — the attacker may have registered their own MFA method
- Unblock sign-in once Ravi has re-registered MFA on a clean device
Why both block AND revoke? Blocking prevents new sign-ins. Revoking kills existing sessions. Without revoking, the attacker’s existing access token might work for up to another hour.
Entra password protection
Entra password protection prevents users from setting weak passwords — the kind that appear in breach lists or contain your organisation’s name.
Two layers:
- Global banned password list — maintained by Microsoft, contains thousands of commonly breached passwords. Always active, cannot be disabled.
- Custom banned password list — up to 1,000 entries you define (company name, products, city, sports teams). Case-insensitive, with fuzzy matching (l33t speak variations are caught).
How the algorithm works:
- Normalises the password (lowercase, l33t substitutions)
- Checks against both banned lists
- Adds a “ban score” — if any substring matches a banned word, the whole password gets a score. If the score exceeds the threshold, the password is rejected.
On-premises password protection
For hybrid environments, Entra password protection extends to on-prem AD:
- Deploy Entra Password Protection proxy service (on a domain-joined server)
- Install Entra Password Protection DC agent on each domain controller
- The proxy downloads the banned password list from Entra; the DC agent enforces it during password changes
Exam tip: on-prem password protection architecture
The on-premises deployment has two components:
- Proxy service — runs on any domain-joined server, connects to Entra to download banned lists
- DC agent — runs on each DC, intercepts password changes and validates against the banned list
You need at least two proxies for high availability. The DC agent works even if the proxy is temporarily unavailable — it caches the last downloaded list. The exam may test this resiliency.
🎬 Video walkthrough
🎬 Video coming soon
MFA, SSPR & Password Protection — SC-300 Module 11
MFA, SSPR & Password Protection — SC-300 Module 11
~12 minFlashcards
Knowledge Check
An organisation wants to enforce MFA for all users, but require phishing-resistant MFA only for admins accessing the Azure portal. Security defaults are currently enabled. What should they do?
Dex receives an alert that a user account may be compromised. He blocks the user's sign-in. 30 minutes later, the user's mailbox is still being accessed from a suspicious IP. What did Dex miss?
A company wants to prevent employees from using the company name, 'Coastline', in their passwords — including variations like 'C0astl1ne' and 'COASTLINE2024'. What should Jake configure?
Next up: Conditional Access: Plan & Build Policies — learn the IF/THEN model, build policies with assignments and controls, and understand when to use report-only mode.