Question 6 - Microsoft Identity SC-300 Real Exam Questions [Jan 2026 Update]

Q: 6

You have an Azure AD tenant that has multi-factor authentication (MFA) enforced and self-service password reset (SSPR) enabled. You enable combined registration in interrupt mode. You create a new user named User1. Which two authentication methods can User1 use to complete the combined registration process? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

Options

Correct Answer:

A, E

Explanation

The combined security information registration process prompts users to register authentication methods for both Azure AD Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR). Since MFA is enforced, the new user, User1, must register at least one method that satisfies the MFA policy during their first sign-in.

The Microsoft Authenticator app and FIDO2 security keys are both strong authentication methods that can be used for MFA and are available for users to self-register during the initial combined registration experience. These methods allow the user to complete the mandatory setup and secure their account from the outset.

Why Incorrect

B. a hardware token: Hardware OATH tokens must be registered by an administrator for the user; they cannot be self-registered by the user during the initial sign-in process.

C. a one-time passcode email: Email is a method available for SSPR only, not for MFA. It cannot be used to satisfy the initial MFA registration requirement that triggers the combined registration process.

D. Windows Hello for Business: This is provisioned on a specific device after a user has already successfully authenticated with MFA. It is not an option available during the initial registration flow itself.

References

1. Microsoft Learn. (2023). Combined security information registration for Azure Active Directory overview. In "Authentication methods". This document lists the available methods for combined registration

including "Microsoft Authenticator app" and "FIDO2 security key". It also specifies that "Email address" and "Security questions" are available for SSPR only.

2. Microsoft Learn. (2023). Authentication methods and features. In "Authentication". This table confirms that FIDO2 Security Key and Microsoft Authenticator are valid for both MFA and SSPR

while Email is only for SSPR.

3. Microsoft Learn. (2023). Passwordless security key sign-in to Windows 10 devices with Azure Active Directory. In "Enable passwordless security key sign-in". The section "User registration and management of FIDO2 security keys" describes the self-service registration process at https://myprofile.microsoft.com.

4. Microsoft Learn. (2023). How to register and manage OATH hardware tokens in Azure AD. In "OATH tokens". The "Prerequisites" section states

"Admins need to register the hardware tokens for each user." This confirms it is not a self-service method for a new user.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE