Self-service password reset-Describe security, compliance, privacy, and trust in Microsoft 365

Self-service password reset (SSPR) is a feature in Azure Active Directory that enables users to reset their own forgotten passwords, change their existing passwords, and unlock their accounts when they have been frozen. This can significantly reduce routine trouble calls without sacrificing identity security.

Before users can reset their own passwords, administrators must enable SSPR in the Microsoft Entra admin center, as shown in Figure 3-14. The interface allows administrators to enable self-service password reset for all users or selected ones.

FIGURE 3-14 The Password Reset | Properties screen in the Microsoft Entra admin center

The next time users log on after SSPR is enabled, a screen appears, prompting them to register by selecting the authentication methods they will use during the password reset or downloading the Microsoft Authenticator app, as shown in Figure 3-15.

FIGURE 3-15 The Action Required pop-up window

Conditional access

Conditional access is an Entra ID feature that enables administrators to create policies that control user access to applications and data based on a variety of conditions. Entra ID processes conditional access policies after the user’s first authentication factor.

When processing conditional access policies, Entra ID analyzes information about the user, the user’s device, the device’s location, the applications on the device, and the degree of risk associated with the protected resources, as shown in Figure 3-16. Based on this information, Entra ID might allow or deny the user access to the resource, require the user to complete additional authentication factors or even switch to a more compliant device.

FIGURE 3-16 The conditional access verification procedure

The conditional access assessment is essentially an if/then statement that balances the incoming signals with a series of possible outcomes. For example, when a user attempts to access a particular application, a conditional access policy might evaluate signals such as the following:

  • If the user is connected to the on-premises network
  • If the user completes their first authentication successfully
  • If the user is a member of a group granting permissions for the application
  • If the user is working on a device with adequate malware protection

If the user meets all of these requirements, the conditional access policy processes the Then parts of the statement:

  • Then the user must complete the second factor of a multifactor authentication
  • Then the user is granted access to the application

Administrators can use the Microsoft Entra admin center to create conditional access policies, as shown in Figure 3-17. The Conditional Access page includes templates for creating policies, such as Require Multifactor Authentication For A dmins, or it is possible to create an entirely new policy.

FIGURE 3-17 The Conditional Access screen in Microsoft Entra admin center

When creating a new conditional access policy using the interface shown in Figure 3-18, administrators can configure the following elements:

FIGURE 3-18 The Conditional Access screen in Microsoft Entra admin center

  • Users Specifies the users and groups to which the policy will apply
  • Target Resources Identifies the cloud apps or other protected resources to which the policy applies
  • Conditions Specifies the conditions the user must meet to be granted access, such as the following:
    • Device Platforms Specifies the allowed platforms for the user’s device, such as Windows, macOS, Android, and iOS
    • Location Specifies the allowed physical locations for the user
    • Client Apps Specifies the client applications in which the user will be allowed to work
    • Filter For Devices Includes or excludes devices from the policy based on the values of specific device properties
  • Grant Specifies whether user access to the target resources should be blocked completely or granted with one or more conditions, such as the need for a password change, multifactor authentication, or a hybrid Entra ID-joined device
  • Session Specifies session limitations for specific apps, such as how long a user’s access persists before reauthentication is necessary and whether browser sessions are persistent

Selecting the On option in the Enable Policy selector activates the policy and applies it as configured.

Quick check

  • Which of the following elements creates hybrid identities by replicating on-premises identities to the cloud?
    • Entra ID
    • Azure AD Connect
    • Password hash synchronization
    • AD DS

Quick check answer

  • Azure AD Connect is a software tool that runs on the on-premises network and replicates Active Directory domain Services identities to Azure Active Directory in the cloud, creating hybrid identities.

Skill 3.2: Describe threat protection solutions of Microsoft 365

Originally, Windows Defender was the name of Microsoft’s antivirus feature for Windows XP. Now called Microsoft Defender Anti-Virus, that feature still exists in Windows 10 and 11. However, the brand has grown, and Microsoft 365 Defender is now the name of a unified protection suite that detects, isolates, and remediates threats wherever they occur in the Microsoft 365 infrastructure.

Leave a Reply

Your email address will not be published. Required fields are marked *

Search

Popular Posts

  • Summary-Describe security, compliance, privacy, and trust in Microsoft 365
    Summary-Describe security, compliance, privacy, and trust in Microsoft 365

    Thought experiment In this thought experiment, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers to this thought experiment in the next section. Ralph is the Director of the Brooklyn datacenter at Contoso Corp. The company currently has three office buildings in the New York area with…

  • Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365
    Anticipating threats-Describe security, compliance, privacy, and trust in Microsoft 365

    Arguably, the most difficult part of the risk management planning process is trying to anticipate all the possible threats that could afflict the company’s data in the future. The three basic risk factors for the data—confidentiality, integrity, and availability—can be exploited in any number of specific ways, but the general threat categories are listed in…

  • Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365
    Classifying users-Describe security, compliance, privacy, and trust in Microsoft 365

    The third element of the digital estate that must be considered when creating a risk management plan is the people who actually access the data. Whether deliberately or inadvertently, users are a constant vulnerability—if not an actual threat—to the organization’s data. After quantifying the organization’s information assets and their value and inventorying the hardware used…

Tags

There’s no content to show here yet.