3.6 Password Protection and Password Management

Key Takeaways

  • Password protection focuses on reducing weak or risky password use.
  • Password management covers the operational side of password change, reset, and recovery scenarios.
  • These capabilities support identity security but do not replace MFA or authorization controls.
  • SC-900 password questions usually describe user sign-in friction, weak passwords, or credential risk.
Last updated: May 2026

Passwords still matter in fundamentals scenarios

Even when an organization uses stronger authentication, passwords remain a common exam topic because they are a familiar credential risk. Password protection is about reducing weak or risky password choices. Password management is about the processes users and administrators use when passwords must be changed, reset, or recovered. SC-900 does not ask you to memorize every configuration option, but it does expect you to recognize the capability area.

  • Weak or easily guessed passwords point to password protection.
  • Forgotten passwords point to password management.
  • Password-only risk can also point to MFA when added proof is needed.
  • Access permission problems point to authorization rather than password management.

Password topics versus adjacent Entra topics

Password protection and management sit in the authentication portion of the Entra story. They help improve the sign-in experience and reduce credential weakness. They do not decide whether a signed-in administrator should have a role, and they do not review whether a user still needs application access. Those are access-management and governance topics. The exam often rewards choosing the control that matches the exact problem statement.

Problem statement                           | Best topic
Users choose weak passwords                 | Password protection
Users need a way to recover sign-in access  | Password management
Users need more proof than a password       | Multifactor authentication
Users need access recertified               | Access reviews

Read password questions carefully

A question may mention passwords but really ask about a broader sign-in or access issue. If the organization wants to block weak password choices, stay with password protection. If the organization wants to reduce help desk friction around resets, stay with password management. If the organization wants stronger assurance even when the password is correct, MFA is the better answer. If the problem is excessive access after sign-in, move to authorization, roles, or governance.

  • Block weak choices: password protection.
  • Handle reset or recovery: password management.
  • Add another proof factor: MFA.
  • Limit what the signed-in identity can do: authorization and access management.

Password questions and least confusion

Password topics are easy to overread because nearly every sign-in begins with identity proof. Keep the actual request in view. Blocking weak passwords is protection. Helping users recover access is management. Requiring more proof is MFA. Reducing excessive permissions is an access-management topic. This pattern keeps password controls from being chosen for problems they do not solve. The safer exam move is to match the password wording to the exact user pain or risk.

  • Weak password selection: password protection.
  • Lost or forgotten credential: password management.
  • Added verification: multifactor authentication.
  • Excessive access rights: roles, reviews, or governance.
  • Signed-in user has too much access: move away from password controls.
Test Your Knowledge

Which need best matches password protection?

A
B
C
D
Test Your Knowledge

Which scenario best matches password management?

A
B
C
D
Test Your Knowledge

A company wants stronger assurance after the password is entered correctly. Which Entra authentication capability is the best fit?

A
B
C
D