Techkeemout/Secure-Access-With-Azure-Active-Directory
Secure Access with Azure Active Directory (Microsoft Entra ID)

This guide walks through securing access using Microsoft Entra ID (formerly Azure Active Directory) by:

  • Creating users and groups
  • Enabling Self-Service Password Reset (SSPR)
  • Configuring and testing multi-factor authentication (MFA)

Scenario

  • Northwind has created a new department called DevSupport. Three new employees, John, Dave, and Jeff, have joined as part of the new department. You are responsible for creating user accounts for these employees in Azure Active Directory (Azure AD). You should also create a group for the department and assign the users to the new group.
  • Northwind's employees regularly call the support team to reset their passwords. This adds to the workload of support teams and delays employees in their duties. You are responsible for enabling self-service password reset so that users of the organization can self-authenticate with Azure AD to reset their own passwords.
  • Northwind has decided to enhance the security of its systems and data. You have been assigned to enable and configure multifactor authentication for the new employees to facilitate this.

Task 1: Add a new user in Azure AD

  1. Sign in to the Azure portal with your login credentials.
  2. Navigate to Microsoft Entra ID and select Roles and administrators under the Manage blade.
[Screenshot: Roles and administrators]
  3. To create a user, confirm you have the Global Administrator role assigned. If your role is listed as Global Administrator, you can manage all aspects of Azure AD.
[Screenshot: Global Administrator]
  4. Return to Microsoft Entra ID > Users and select Create new user from the New user menu to add a new user.
[Screenshot: Create new user]
  5. Enter John as the User principal name and John as the Display name.
  6. The Username and Display name are required. The domain part of the username must use either the initial default domain name, <yourdomainname>.onmicrosoft.com, or a custom domain name.
  7. Save the auto-generated password shown in the box. (You will need to provide this password to the user for their initial login.)
  8. Click Review + create.
[Screenshot: Create John user]
  9. The user is created and added to your Azure AD organization.
  10. Repeat the steps for Dave and Jeff.
[Screenshot: Create all users]

Task 2: Create a group called DevSupport and add members

Creating a security group in Azure AD lets you assign access or permissions collectively. In this task, we create a group named DevSupport and add users who provide developer support.

  1. In Microsoft Entra ID, go to Groups under the Manage blade.
[Screenshot: Manage Groups]
  2. Select New group.
[Screenshot: Create new group]
  3. Select the Group type, in this case Microsoft 365, from the drop-down menu. This enables the shared email address for the group.
  4. Provide the Group information.
[Screenshot: Add Group Information]
  5. Under Members, add John, Dave, and Jeff.
[Screenshot: Add Group Members]
  6. Verify the information and select Create to create the group.
  7. Your group is successfully created. Click the name of the group to see the total number of members.
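The same outcome as Tasks 1 and 2, scripted with Microsoft Graph PowerShell so it can be repeated or reviewed. This is an added example, not part of the original guide or the repository; it assumes the Microsoft.Graph module is installed, the signed-in account may create users and groups, and `contoso.onmicrosoft.com` is a placeholder for your tenant's `<yourdomainname>.onmicrosoft.com` domain.

```powershell
# Added example (not from the original guide): create John, Dave and Jeff and the
# DevSupport Microsoft 365 group via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; caller can create users and groups;
# the domain below is a placeholder for your tenant's initial domain.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All"

$domain = "contoso.onmicrosoft.com"   # placeholder: <yourdomainname>.onmicrosoft.com
$names  = @("John", "Dave", "Jeff")

function New-InitialPassword {
    # Random initial password; the user is forced to change it at first sign-in,
    # which mirrors the auto-generated password the portal shows in Task 1.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ([Convert]::ToBase64String($bytes)).TrimEnd('=') + "!1a"
}

$created = foreach ($n in $names) {
    $initialPwd = New-InitialPassword
    $user = New-MgUser -DisplayName $n `
        -UserPrincipalName "$n@$domain" `
        -MailNickname $n.ToLower() `
        -AccountEnabled `
        -PasswordProfile @{ Password = $initialPwd; ForceChangePasswordNextSignIn = $true }
    # Hand the initial password to the user out of band; do not write it to logs.
    [PSCustomObject]@{ Upn = $user.UserPrincipalName; Id = $user.Id; InitialPassword = $initialPwd }
}

# Microsoft 365 group (GroupTypes = Unified), the type chosen in the portal steps;
# MailEnabled gives the group its shared email address.
$group = New-MgGroup -DisplayName "DevSupport" `
    -MailNickname "devsupport" `
    -MailEnabled:$true `
    -SecurityEnabled:$false `
    -GroupTypes @("Unified")

foreach ($u in $created) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $u.Id
}

# Verification step (equivalent to opening the group in the portal): the
# membership list should contain exactly John, Dave and Jeff.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id } |
    Select-Object DisplayName, UserPrincipalName
```

The script creates a Microsoft 365 group because that is what the portal steps select; for a pure access-control group you would set `-SecurityEnabled:$true -MailEnabled:$false` and drop `-GroupTypes`.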

Task 3: Enable self-service password reset

Self-service password reset (SSPR) allows users to reset their Azure AD passwords securely without helpdesk involvement. Best practice is to enable SSPR gradually (e.g. for a pilot group) before turning it on for all users. In this task we enable SSPR for the DevSupport group created above.

  1. In Microsoft Entra ID, select Password reset.
[Screenshot]
  2. Under Properties, select Selected.
[Screenshot]
  3. Choose the DevSupport group.
  4. Click the select group link under Select Group to populate your list of available groups.
  5. Choose DevSupport and click Select.
  6. Click Save to enable self-service password reset (SSPR).
[Screenshot: ENABLE Group MFA]

Task 4: Test self-service password reset

After enabling SSPR for a group (e.g. DevSupport), it is important to test the functionality from an end-user perspective. This confirms that users can reset their own passwords and that the feature is correctly scoped and working.

  1. To test the manual registration process from an end-user's perspective, open a new browser window in InPrivate or incognito mode, and browse to https://aka.ms/ssprsetup.
  2. Sign in with the username of a test user, such as Jeff.
  3. On the next page you will be prompted to enter your credentials; click Forgot password.
[Screenshot: Jeff Forgot Password]
  4. Enter the test user's account information and the characters from the CAPTCHA, then select Next.
[Screenshot: CAPTCHA]
  5. Follow the verification steps to reset your password.

Task 5: Enable and configure multifactor authentication for a user

Multi-factor authentication (MFA) adds a layer of security by requiring users to verify their identity with a second method beyond just a password.

  1. Navigate to Microsoft Entra ID.
  2. Click Security under the Manage blade.
[Screenshot]
  3. Click Multifactor authentication.
[Screenshot]
  4. Select Additional cloud-based multifactor authentication settings.
[Screenshot]
  5. Under Service settings, scroll down to Verification options.
  6. Check the box Allow users to remember multifactor authentication on devices they trust (between one and 365 days) and click Save.
[Screenshot]
  7. If you enable "Remember multi-factor authentication on trusted device", users can mark a device as trusted when they sign in by selecting Don't ask again.
  8. Navigate back to Microsoft Entra ID and select Users.
[Screenshot: Users overview]
  9. Under Users, click Per-user MFA.
  10. Select John, Dave, and Jeff, then click Enable MFA.
[Screenshot: Per-user multifactor authentication]
  11. Once completed, confirm the users' MFA status.
[Screenshot: Enforce MFA]

Notes & Tips:

  • Security: Require at least two authentication methods for password reset to prevent unauthorized resets (see learn.microsoft.com). For example, require phone + email or mobile app + PIN.

  • User guidance: Tell DevSupport members how to register their authentication methods at https://aka.ms/ssprsetup (they will be prompted at next sign-in) and how to reset at https://aka.ms/sspr if needed.

  • Audit and monitoring: Track SSPR usage via the Azure AD Password Reset Registration Activity report to confirm users are registering and using it correctly (see learn.microsoft.com). Monitoring helps detect abuse or problems early.
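A scripted check for the verification steps in Tasks 4 and 5 and for the audit note above: it reads the Microsoft Graph user registration details report for every DevSupport member and flags anyone in SSPR scope who has not registered, or who has no MFA method. This is an added example, not part of the original guide or repository; it assumes the Microsoft.Graph module is installed, that the signed-in account can read group membership and the authentication methods report, and that the Microsoft.Graph.Reports cmdlet and its `Is*` properties are named as shown.

```powershell
# Added example (not from the original guide): audit SSPR/MFA registration for the
# DevSupport group members via the Graph userRegistrationDetails report.
# Assumptions: Microsoft.Graph module installed; caller holds a role able to read
# the group and the registration report (e.g. Reports Reader).
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "GroupMember.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

function Get-DevSupportRegistrationStatus {
    param([string]$GroupName = "DevSupport")

    $group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
    if (-not $group) { throw "Group '$GroupName' not found" }

    $memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id

    # One row per member. The report's booleans tell whether SSPR applies to the
    # user (Task 3 scope), whether they completed https://aka.ms/ssprsetup (Task 4),
    # and whether a usable MFA method is registered (Task 5).
    foreach ($id in $memberIds) {
        $d = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $id
        [PSCustomObject]@{
            User           = $d.UserPrincipalName
            SsprEnabled    = $d.IsSsprEnabled
            SsprRegistered = $d.IsSsprRegistered
            MfaRegistered  = $d.IsMfaRegistered
            Methods        = ($d.MethodsRegistered -join ", ")
        }
    }
}

$status = Get-DevSupportRegistrationStatus
$status | Format-Table -AutoSize

# Follow-up list: in SSPR scope but not registered, or no MFA method at all.
# These are the users to contact before MFA is enforced for them.
$status | Where-Object { ($_.SsprEnabled -and -not $_.SsprRegistered) -or -not $_.MfaRegistered }
```

Run it once right after Task 3 (expect SsprEnabled true and the registered flags false for all three) and again after the users have completed the registration in Task 4; an empty follow-up list is the pass condition.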
