1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Managing Microsoft 365 Access and Authentication

Designing an Authentication Method

Start course
1h 1m

This course has been designed to teach you how to manage Microsoft 365 access and authentication. The content in this course will help prepare you for the Microsoft 365 Identity and Services exam.

The topics covered within this course include:

  • Managing Authentication
  • Implementing Multi-Factor Authentication
  • Configuring Application Access
  • Implementing Access for External Users of Microsoft 365 Workloads

Who should attend this course?

  • Those who are preparing for the Microsoft 365 Identity and Services exam
  • Those looking to learn more about Microsoft 365

Course Objectives

  • To learn how to configure and monitor authentication
  • To learn how to administer MFA and report on its utilization
  • To learn how to configure application registration and use Azure AD Application Proxy
  • To learn how to use Azure Active Directory B2B to add and manage external users


To get the most from this course, you should at least be familiar with the Microsoft 365 offering and have a general understanding of its features.


When a user logs in, SSPR and/or MFA may ask for additional information in order to confirm that the user is who he claims he is. As an Administrator, you can define via policy which authentication methods should be made available to users who have been enabled for SSPR and/or MFA. That said, certain authentication methods aren't available for all features. When designing an authentication strategy, an Administrator should configure more than the minimum number of authentication methods for a given solution in case some users don't have access to some of them. Authentication methods that are available include password, security questions, email address, the Microsoft Authenticator app, OATH Hardware token, SMS, voice call, and app passwords. The password option is available for both MFA and SSPR. Security questions and email addresses can be used only with SSPR. Microsoft authenticator app is currently available for MFA but is, however, in public preview for SSPR as well. Conversely, OATH Hardware token is available for SSPR but it's preview for MFA. SMS and voice call are both available for MFA usage, as well as SSPR usage, however, app passwords can only be used for MFA, and even in those cases it can only be used in certain conditions. The Azure AD password is considered an authentication method. It's the only authentication method that cannot be disabled. Security questions are available to non-admin users. When using security questions, they should be used in conjunction with a second authentication method, because they are inherently less secure than other methods because it's entirely possible that other people may know the answers to the questions for another user. It's important to note that a user's security questions are stored privately and securely on the user object in the directory, and they can only be answered by the user during registration. There's no way for an administrator to be able to read or modify a user's questions or the answers to those questions. There are close to 40 predefined questions that you can use. Common predefined questions include those such as "In what city did you meet your first spouse?" "In what city did your parents meet?" "What is your mother's middle name?" and stuff like that. It's easy to see why security questions are considered less secure than other authentication methods. If you really want to use security questions, you can improve their security slightly by using custom security questions instead of the standard out of the box questions. When using custom security questions, you need to remember that the maximum length of a custom security question is 200 characters. In cases where you decide to use security questions, keep in mind that the minimum answer character limit is three characters and the maximum answer character limit is 40 characters. Users can't answer the same question more than one time, nor can they provide the same answer to more than one question. The number of questions defined must be greater than or equal to the number of questions that were required to register. If you plan to use email address with SSPR, Microsoft recommends using an email account that does not require the user's Azure AD password for access. The Microsoft Authenticator app provides added security to Azure AD work and school accounts, as well as to Microsoft accounts, and it's available for Android, iOS, and even Windows Phone. However, end users cannot register their mobile apps when registering for self-service password reset. Instead, they can register their mobile apps by vising one of the two URLs that you see on your screen. There are several options available when using the Authenticator app. You can use notification through mobile app, a verification code, or OATH hardware tokens, which is in preview at the time of this course. When using Notification through mobile app, the Microsoft Authenticator helps prevent unauthorized access to accounts by pushing a notification to the user's smartphone or tablet. The user can then view the notification and select the Verify option if it's legitimate. If it's not, the user can select Deny instead. The Microsoft Authenticator app and even other third-party apps can be used as a software token to generate an OATH verification code when authenticating. After a user provides his username and password, the user must enter the code provided by the app into the sign-in screen. This verification code provides a second form of authentication that can help mitigate stolen credentials and compromised accounts. OATH is an open standard that dictates how one-time password, or OTP, codes are generated. Azure Active Directory supports using both 30 and 60 second OATH-TOTP SHA-1 tokens. Such tokens can be procured from the vendor of your choice. It's important to note, however, that that secret keys are limited to 128 characters. As such, they might not.


LECTURES: Course Introduction - What is Authentication - Designing an Authentication Method - Configuring Multi-Factor Authentication - Accessing MFA Service Settings - Enable SSPR - Sign-in Activity Reports in the Azure Active Directory Portal - Using Sign-in Activity Reports in the Azure Active Directory Portal - Azure Active Directory Monitoring - Implement MFA - Manage User Settings with Azure Multi-Factor Authentication in the Cloud - Manage MFA for Users - Reports in Azure Multi-Factor Authentication - Configure Application Registration in Azure AD - How to Configure Application Registration in Azure AD - What is Azure AD Application Proxy - Configure Azure AD Application Proxy - Azure Active Directory B2B - Add Guest Users to Your Directory in the Azure Portal - Conclusion

About the Author
Thomas Mitchell
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.