3.6 Password Protection, Self-Service Password Reset, and External Identities
Key Takeaways
- Self-Service Password Reset (SSPR) lets users reset or unlock their own accounts after registering authentication methods, cutting help-desk cost.
- SSPR with password writeback pushes resets back to on-premises AD in hybrid environments so the change applies everywhere.
- Entra Password Protection blocks weak and banned passwords (global and custom banned-password lists) in the cloud and, via agents, in on-premises AD.
- Microsoft Entra External ID is the modern brand for external identities: B2B collaboration (guest partners) and the CIAM/customer (formerly Azure AD B2C) scenario.
- B2B guest users authenticate with their own home identity and carry a UPN containing the #EXT# tag in your tenant.
Self-Service Password Reset (SSPR)
Self-Service Password Reset (SSPR) lets users reset or unlock their own accounts without calling the help desk, which lowers support cost and reduces sign-in downtime. To use it, a user must first register one or more authentication methods (for example, the Microsoft Authenticator app, a phone number, or email). When they later forget their password, they prove identity with those registered methods and set a new one.
Administrators control SSPR with settings such as:
- Scope — enabled for none, selected groups, or all users.
- Number of methods required to reset (e.g., one or two).
- Which methods are allowed (Authenticator, phone, email, security questions).
- Registration enforcement — require users to register on next sign-in.
A forward-looking SC-900 note: Microsoft's Secure Future Initiative is tightening SSPR so that, from September 7, 2026, verification must use explicitly registered authentication methods rather than directory-sourced contact attributes — reinforcing the theme that recovery should rely on trusted, user-validated methods.
Password writeback and Entra Password Protection
In hybrid environments, a cloud password reset must also update on-premises Active Directory or users would have mismatched passwords. Password writeback is the Entra Connect feature that writes SSPR changes back down to on-premises AD, so a user who resets in the cloud can immediately use the new password on-premises too.
Microsoft Entra Password Protection reduces weak-password risk by blocking known-weak and banned passwords:
| Feature | What it does |
|---|---|
| Global banned password list | Microsoft-maintained list of common weak passwords, always enforced |
| Custom banned password list | Organization-specific terms (company name, products) to block |
| On-premises enforcement | A DC agent on each domain controller, fed the policy through the Entra Password Protection proxy service, applies the same banned-password checks to on-premises AD password changes |
| Smart lockout | Temporarily locks sign-in after repeated bad attempts (default threshold 10 failures, one-minute lockout) while using signals such as familiar location so an attacker's guesses do not lock out the real user |
This is the difference the exam draws: Password Protection prevents weak passwords from being chosen; SSPR handles recovery when a password is forgotten; MFA adds a second proof even when the password is correct.
External identities: Microsoft Entra External ID
Microsoft Entra External ID is the current umbrella brand for working with people outside your organization. It covers two scenarios:
- B2B collaboration (business guests) — invite partners, vendors, and contractors as guest users. They sign in with their own home identity (their own organization's account or a one-time passcode), so you never manage their passwords. In your tenant their user type is Guest and their UPN contains the #EXT# tag: Entra replaces the @ in the invited address with an underscore and appends #EXT#@ plus your tenant domain, so a guest invited as partner@contoso.com appears as partner_contoso.com#EXT#@yourtenant.onmicrosoft.com. You then grant guests access to specific apps and resources.
- CIAM / customer scenario — a customer-facing identity solution (consumer apps) supporting social and local sign-ups at large scale. This is the modern successor to Azure AD B2C, which as of May 1, 2025 is no longer available for new customers to purchase; new consumer scenarios use Entra External ID.
| External ID scenario | Who it's for | Key trait |
|---|---|---|
| B2B collaboration | Partner/guest workers | Guests bring their own identity; #EXT# UPN |
| CIAM (customer) | Consumers of your apps | Social/local sign-up, massive scale (formerly Azure AD B2C) |
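Because the #EXT# UPN is what you see in sign-in logs and user exports, it helps to be able to turn it back into the partner's real address. The following added example (not Microsoft's code) does that and sweeps a user listing for guests; it also flags #EXT# accounts whose userType has been switched to Member, since such converted guests still sign in with their home identity but no longer get guest-level directory restrictions. The user records, tenant domain and partner domains are constructed sample data.

```python
"""
Added example (not Microsoft's code): recover a B2B guest's home identity
from the #EXT# UPN Entra assigns in the resource tenant, and sweep a user
export for guests. The user records are constructed sample data; the tenant
and partner domains are placeholders.
"""
from typing import Optional

EXT_MARKER = "#EXT#@"


def home_identity_from_upn(upn: str) -> Optional[tuple[str, str]]:
    """Map 'alias_partner.com#EXT#@tenant.onmicrosoft.com' back to
    ('alias@partner.com', 'tenant.onmicrosoft.com').

    Entra builds the guest UPN by replacing the '@' in the invited address
    with '_' and appending #EXT#@<your tenant domain>. The alias itself may
    contain underscores, but a DNS domain cannot, so splitting on the LAST
    underscore restores the original address. Returns None for a UPN without
    the marker (a regular member account).
    """
    if EXT_MARKER not in upn:
        return None
    mangled, tenant_domain = upn.split(EXT_MARKER, 1)
    if "_" not in mangled:
        return None  # malformed: no domain part to restore
    alias, home_domain = mangled.rsplit("_", 1)
    return f"{alias}@{home_domain}", tenant_domain


# Constructed sample export (the shape of a userType/UPN listing, not real data).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@yourtenant.onmicrosoft.com", "userType": "Member"},
    {"userPrincipalName": "partner_contoso.com#EXT#@yourtenant.onmicrosoft.com", "userType": "Guest"},
    {"userPrincipalName": "j_doe_fabrikam.com#EXT#@yourtenant.onmicrosoft.com", "userType": "Guest"},
    {"userPrincipalName": "vendor_tailspin.com#EXT#@yourtenant.onmicrosoft.com", "userType": "Member"},
]


def audit_external_users(users: list[dict]) -> dict[str, list[str]]:
    """Group accounts by what the #EXT# marker and userType say about them.

    'guests' are external identities whose credentials you never hold;
    'converted' are #EXT# accounts whose userType was changed to Member:
    they still authenticate at their home identity provider but now carry
    member-level directory permissions, so they deserve a review.
    """
    report: dict[str, list[str]] = {"members": [], "guests": [], "converted": []}
    for user in users:
        upn = user["userPrincipalName"]
        home = home_identity_from_upn(upn)
        if home is None:
            report["members"].append(upn)
        elif user["userType"] == "Guest":
            report["guests"].append(home[0])
        else:
            report["converted"].append(home[0])
    return report


if __name__ == "__main__":
    for bucket, entries in audit_external_users(SAMPLE_USERS).items():
        print(f"{bucket}: {entries}")
```

The split on the last underscore matters: "j_doe_fabrikam.com" has an underscore inside the alias, and splitting on the first one would yield the nonsense address j@doe_fabrikam.com.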
Choosing the right capability — exam cues
Match the wording to the capability:
- Users reset/unlock their own forgotten passwords → Self-Service Password Reset (SSPR).
- Cloud password reset must also update on-premises AD → password writeback.
- Block weak or company-specific passwords (cloud and on-prem) → Entra Password Protection (global + custom banned lists).
- Let external partners use existing accounts to access your resources → B2B collaboration in External ID.
- Sign-in for millions of consumers/customers of your app → External ID customer (CIAM) — the successor to Azure AD B2C.
Common traps: SSPR is recovery, not prevention — don't pick it when the need is to stop weak passwords (that's Password Protection) or add proof (that's MFA). "Azure AD B2C" is the old name for the customer scenario now delivered by Entra External ID. And guests in B2B are authenticated by their own identity provider — you are not creating or managing passwords for them. Keep recovery, prevention, added-proof, and external-access scenarios in distinct lanes and these questions become straightforward.
B2B vs. B2C — the distinction the exam loves
The two External ID scenarios are easy to mix up, so memorize the audience and the trust model:
| | B2B collaboration | Customer / CIAM (formerly Azure AD B2C) |
|---|---|---|
| Audience | Business partners, vendors, contractors | Consumers/customers of your apps |
| Identity used | The guest's own work/school or personal account | Local accounts or social IdPs (Google, Facebook, Apple) |
| Where they live | Added as guests in your workforce tenant (#EXT# UPN) | Managed in a separate external (customer) tenant with its own sign-up and sign-in flows |
| Scale | Tens to thousands of partners | Millions of consumers |
A quick decision rule: if the external people are business collaborators using existing org accounts, the answer is B2B; if they are customers/consumers of a public app signing up with social or local accounts, the answer is the customer (CIAM) scenario. Both are delivered today under the single Microsoft Entra External ID brand, so don't be thrown when a question uses that umbrella name — identify the audience to pick the right sub-scenario.
Practice questions
- Which capability lets users reset or unlock their own forgotten passwords after registering authentication methods, reducing help-desk volume?
- In a hybrid environment, which feature ensures that a password a user resets in the cloud is also updated in on-premises Active Directory?
- An organization wants to block its company name and common weak passwords from being chosen, both in the cloud and in on-premises AD. Which capability should it use?
- A company wants external partners to access shared resources by signing in with their own existing organizational accounts. Which Microsoft Entra External ID capability fits?