Day 8 - SC-900 - Self-Service Password Reset(SSPR), Password Protection, & Password Management Capabilities
Self-Service Password Reset (SSPR):
  - Benefits of SSPR:
    - Gives users the ability to quickly change/reset their password
    - Users can follow prompts to unblock themselves without admin involvement
    - Reduces the most common type of helpdesk (HD) call
  - Requirements for SSPR use: the user must be
    - Assigned an Azure AD (AAD) license
    - Enabled for SSPR by an admin
    - Registered with the AuthN method they want to use
    - Note: Two (2) or more AuthN methods are recommended in case one (1) is unavailable.
    - Tip: Enable SSPR for a group
    - Note: this tip does require AAD Premium Plan 1
  - SSPR use cases:
    - Password Change: when a user knows their password but wants to change it to something new.
    - Password Reset: when a user cannot sign in because they forgot their password & want to reset it.
    - Account Lock: when a user cannot sign in because their account is locked out.
  - SSPR supported AuthN methods:
    - Email
    - Mobile app notification
    - Mobile app code
    - Mobile phone
    - Office phone
    - Security questions
  - Combined registration for AAD MFA & SSPR:
    - Starting 15 Aug 2020, all new AAD tenants are auto-enabled for combined registration
    - After 30 Sept 2022, all users will register security info through the combined registration experience
Password Protection & Management Capabilities:
  - AAD Password Protection:
    - Users often choose weak passwords that are susceptible to dictionary attacks
    - AAD provides both global & custom banned password lists
    - A password change request fails if there's a match in these banned password lists
    - Supports hybrid environments; AD domain controllers are not put at risk
  - Banned password lists:
    - Global banned password list: a list of known weak passwords that is auto-updated & enforced by Microsoft
    - Custom banned password lists: lists of banned passwords created by admins to support specific business security needs (brand/product names, company location names, etc.)
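The notes say a change request "fails if there's a match", but the service does not reject on a bare substring hit: it normalises the password, matches banned terms, and scores what is left. The following is an added Python model of that evaluation, written for this page and not Microsoft's code. It follows the publicly documented steps (lower-casing, undoing the four common substitutions 0/1/$/@, one point per matched banned term, one point per remaining character, accept at five or more) but omits the service's fuzzy edit-distance matching and the global list itself, which Microsoft maintains and does not publish. `CUSTOM_BANNED`, the sample candidates and the inclusion of "password" as a stand-in for a global-list entry are all constructed for the example.

```python
"""Simplified model of Azure AD Password Protection scoring.

Added illustration only, not Microsoft's implementation: it reproduces the
documented normalise -> match -> score steps and leaves out fuzzy matching and
the (unpublished) global banned list.
"""

# Character substitutions undone before matching (the four Microsoft documents).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed custom banned list: brand, product and location names an admin
# might add. "password" stands in for an entry the global list would supply.
CUSTOM_BANNED = ["contoso", "blank", "redmond", "fabrikam", "password"]

MIN_SCORE = 5  # documented acceptance threshold


def normalize(password: str) -> str:
    """Lower-case the password and undo the common leetspeak substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score_password(password: str, banned: list[str]) -> tuple[int, list[str]]:
    """Score a password: 1 point per banned term found, 1 point per character
    not covered by a banned term. Returns (score, matched banned terms)."""
    text = normalize(password)
    # Longest terms first so a long banned term is not split into shorter hits.
    terms = sorted((normalize(t) for t in banned), key=len, reverse=True)
    score, i, hits = 0, 0, []
    while i < len(text):
        for term in terms:
            if term and text.startswith(term, i):
                score += 1            # whole banned term counts as one point
                hits.append(term)
                i += len(term)
                break
        else:
            score += 1                # an ordinary character counts as one point
            i += 1
    return score, hits


def is_acceptable(password: str, banned: list[str] = CUSTOM_BANNED) -> bool:
    """True if the password reaches the documented five-point threshold."""
    score, _ = score_password(password, banned)
    return score >= MIN_SCORE


if __name__ == "__main__":
    # Constructed candidates: the first two mirror the pattern in Microsoft's
    # own explanation of the scoring, the third shows a plain banned word.
    for candidate in ["C0ntos0Blank12", "ContoS0Bl@nkf9!", "P@ssw0rd"]:
        score, hits = score_password(candidate, CUSTOM_BANNED)
        verdict = "accepted" if score >= MIN_SCORE else "rejected"
        print(f"{candidate!r}: score={score} matched={hits} -> {verdict}")
```

The model makes the practical point visible: leetspeak and capitalisation buy nothing, because they are normalised away before matching, and a password built from two banned terms plus two digits scores only four even though it is fourteen characters long. It also shows why the custom list should hold short, distinctive terms (the brand and location names the notes mention) rather than full passwords, since a term is matched as a substring of whatever the user types.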
  - Smart Lockout:
    - Microsoft system created to help lock out bad actors (BA) that try to guess user passwords, or use brute-force or password-spray attack methods
    - By default it locks the account from sign-in attempts for one (1) minute after ten (10) failed attempts, & longer as failures continue
    - Uses familiar vs unfamiliar location to differentiate between the genuine user & a bad actor
    - Integration with on-prem AD:
      - Can be integrated with hybrid deployments that use password hash sync / pass-through authentication
      - Protects on-prem AD Domain Services (AD DS) accounts from being locked out
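To make the lockout behaviour in the notes concrete, here is an added Python model of a Smart Lockout counter. It is written for this page and is not Microsoft's code. The threshold of ten failures and the initial one-minute lockout are the defaults the notes state; everything else is an assumption of the model: later lockouts double in length (the notes only say "longer as failures continue"), failures are counted separately per familiar and unfamiliar location, and a repeated identical wrong password is not counted again (a three-entry window of recent bad hashes is assumed here). The `SmartLockout` class, the user names and the timestamps are constructed for the example.

```python
"""Simplified model of Smart Lockout. Added illustration, not Microsoft's code.

Documented defaults kept: 10 failed attempts, 60 second first lockout.
Assumptions of this model: lockout length doubles on each later lockout,
familiar and unfamiliar locations are counted separately, and a repeated
identical wrong password (last three bad hashes remembered) is not re-counted.
"""

from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10   # documented default
LOCKOUT_SECONDS = 60     # documented default for the first lockout
RECENT_BAD_WINDOW = 3    # assumption: how many recent bad hashes are remembered


@dataclass
class LockoutState:
    """Counters for one (user, familiar-location) pair."""
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    recent_bad: list[str] = field(default_factory=list)


@dataclass
class SmartLockout:
    threshold: int = LOCKOUT_THRESHOLD
    base_seconds: int = LOCKOUT_SECONDS
    # Keyed by (user, familiar) so a spray from an unfamiliar location does not
    # lock the genuine user out at the location they normally sign in from.
    states: dict = field(default_factory=dict)

    def _state(self, user: str, familiar: bool) -> LockoutState:
        return self.states.setdefault((user, familiar), LockoutState())

    def is_locked(self, user: str, familiar: bool, now: float) -> bool:
        """True while the (user, familiarity) pair is inside a lockout window."""
        return self._state(user, familiar).locked_until > now

    def record_failure(self, user: str, familiar: bool,
                       password_hash: str, now: float) -> bool:
        """Record a failed sign-in at time `now`. Returns True if the pair is
        locked out after this attempt."""
        st = self._state(user, familiar)
        if st.locked_until > now:
            return True                       # already locked; attempt is ignored
        if password_hash in st.recent_bad:
            return False                      # same wrong password again: not counted
        st.recent_bad = (st.recent_bad + [password_hash])[-RECENT_BAD_WINDOW:]
        st.failures += 1
        if st.failures >= self.threshold:
            st.lockouts += 1
            # Assumption: each later lockout lasts twice as long as the previous one.
            st.locked_until = now + self.base_seconds * (2 ** (st.lockouts - 1))
            st.failures = 0
            return True
        return False

    def record_success(self, user: str, familiar: bool, now: float) -> None:
        """A successful sign-in clears the failure counter for that pair."""
        st = self._state(user, familiar)
        if st.locked_until <= now:
            st.failures = 0
            st.recent_bad = []


if __name__ == "__main__":
    sl = SmartLockout()
    # Constructed scenario: ten distinct wrong passwords from an unfamiliar location.
    for k in range(10):
        locked = sl.record_failure("alice", False, f"hash{k}", now=0.0)
    print("unfamiliar location locked after 10 failures:", locked)
    print("same user still usable from a familiar location:",
          not sl.is_locked("alice", True, now=0.0))
    print("unlocked again after 60 s:", not sl.is_locked("alice", False, now=61.0))
```

The per-location split is the part worth noticing from a defender's view: the counter that a password-spray campaign drives up is not the counter that the legitimate user hits from their usual device, which is how the feature avoids turning a spray into a denial of service against the account. The doubling schedule and the recent-hash window are modelling choices, not published parameters, so treat them as a way to reason about the mechanism rather than as tenant settings.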