MicrosoftDocs
diff --git a/‎learn-pr/wwl-sci/manage-implement-authentication-methods/1-introduction.yml‎
Lines changed: 14 additions & 0 deletions b/‎learn-pr/wwl-sci/manage-implement-authentication-methods/1-introduction.yml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎learn-pr/wwl-sci/manage-implement-authentication-methods/2-explore-authentication-methods.yml‎
Lines changed: 15 additions & 0 deletions b/‎learn-pr/wwl-sci/manage-implement-authentication-methods/2-explore-authentication-methods.yml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎learn-pr/wwl-sci/manage-implement-authentication-methods/3-configure-mfa.yml‎
Lines changed: 14 additions & 0 deletions b/‎learn-pr/wwl-sci/manage-implement-authentication-methods/3-configure-mfa.yml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎learn-pr/wwl-sci/manage-implement-authentication-methods/4-implement-passwordless-authentication.yml‎
Lines changed: 14 additions & 0 deletions b/‎learn-pr/wwl-sci/manage-implement-authentication-methods/4-implement-passwordless-authentication.yml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎learn-pr/wwl-sci/manage-implement-authentication-methods/5-configure-self-service-password-reset.yml‎
Lines changed: 14 additions & 0 deletions b/‎learn-pr/wwl-sci/manage-implement-authentication-methods/5-configure-self-service-password-reset.yml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎learn-pr/wwl-sci/manage-implement-authentication-methods/6-exercise-configure-authentication-methods.yml‎
Lines changed: 14 additions & 0 deletions b/‎learn-pr/wwl-sci/manage-implement-authentication-methods/6-exercise-configure-authentication-methods.yml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎learn-pr/wwl-sci/manage-implement-authentication-methods/7-knowledge-check.yml‎
Lines changed: 71 additions & 0 deletions b/‎learn-pr/wwl-sci/manage-implement-authentication-methods/7-knowledge-check.yml‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎learn-pr/wwl-sci/manage-implement-authentication-methods/8-summary.yml‎
Lines changed: 14 additions & 0 deletions b/‎learn-pr/wwl-sci/manage-implement-authentication-methods/8-summary.yml‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎learn-pr/wwl-sci/manage-implement-authentication-methods/includes/1-introduction.md‎
Lines changed: 26 additions & 0 deletions b/‎learn-pr/wwl-sci/manage-implement-authentication-methods/includes/1-introduction.md‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎learn-pr/wwl-sci/manage-implement-authentication-methods/includes/2-explore-authentication-methods.md‎
Lines changed: 63 additions & 0 deletions b/‎learn-pr/wwl-sci/manage-implement-authentication-methods/includes/2-explore-authentication-methods.md‎
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-implement-authentication-methods.introduction
+title: Introduction
+metadata:
+  title: Introduction
+  description: Introduction to implementing and managing authentication methods in Microsoft Entra ID for Contoso's hybrid environment.
+  ms.date: 03/05/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-assisted
+durationInMinutes: 2
+content: |
+  [!include[](includes/1-introduction.md)]
@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-implement-authentication-methods.explore-authentication-methods
+title: Explore Microsoft Entra ID authentication methods
+metadata:
+  title: Explore Microsoft Entra ID Authentication Methods
+  description: Explore the spectrum of Microsoft Entra ID authentication methods, from password-based to passwordless, and understand authentication strength and security hierarchy.
+  ms.date: 03/04/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-assisted
+durationInMinutes: 5
+content: |
+  [!include[](includes/2-explore-authentication-methods.md)]
+  
@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-implement-authentication-methods.configure-mfa
+title: Configure multifactor authentication in Microsoft Entra ID
+metadata:
+  title: Configure Multifactor Authentication in Microsoft Entra ID
+  description: Learn how to deploy and configure multifactor authentication (MFA) in Microsoft Entra ID using Conditional Access policies, named locations, and secure user registration.
+  ms.date: 03/04/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-assisted
+durationInMinutes: 5
+content: |
+  [!include[](includes/3-configure-mfa.md)]
@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-implement-authentication-methods.implement-passwordless-authentication
+title: Implement passwordless authentication in Microsoft Entra ID
+metadata:
+  title: Implement Passwordless Authentication in Microsoft Entra ID
+  description: Learn how to deploy Windows Hello for Business, passkeys in Microsoft Authenticator, and FIDO2 security keys in Microsoft Entra ID — and match each method to the right user persona.
+  ms.date: 03/04/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-assisted
+durationInMinutes: 5
+content: |
+  [!include[](includes/4-implement-passwordless-authentication.md)]
@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-implement-authentication-methods.configure-self-service-password-reset
+title: Configure self-service password reset in Microsoft Entra ID
+metadata:
+  title: Configure Self-Service Password Reset in Microsoft Entra ID
+  description: Learn how to deploy and configure self-service password reset (SSPR) in Microsoft Entra ID — including licensing requirements, SSPR-eligible authentication methods, registration enforcement, password writeback, and activity monitoring.
+  ms.date: 03/05/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-assisted
+durationInMinutes: 5
+content: |
+  [!include[](includes/5-configure-self-service-password-reset.md)]
@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-implement-authentication-methods.exercise-configure-authentication-methods
+title: "Exercise - Configure authentication methods in Microsoft Entra ID"
+metadata:
+  title: "Exercise - Configure Authentication Methods in Microsoft Entra ID"
+  description: "Hands-on exercise: enable the MFA registration policy in Identity Protection, require MFA for cloud admin portals using Conditional Access, and enable phishing-resistant sign-in with passkeys (FIDO2) in Microsoft Entra ID."
+  ms.date: 03/13/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-assisted
+durationInMinutes: 2
+content: |
+  [!include[](includes/6-exercise-configure-authentication-methods.md)]
@@ -0,0 +1,71 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-implement-authentication-methods.knowledge-check
+title: Module assessment
+metadata:
+  title: Module assessment
+  description: "Knowledge check"
+  ms.date: 03/05/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  module_assessment: true
+  ai_generated_module_assessment: false
+durationInMinutes: 3
+quiz:
+  title: ""
+  questions:
+  - content: "An organization wants to enforce phishing-resistant MFA for its privileged administrators. Which of the following authentication methods qualifies as phishing-resistant?"
+    choices:
+    - content: "SMS one-time passcode"
+      isCorrect: false
+      explanation: "SMS OTP is susceptible to SIM-swapping and real-time phishing attacks, so it doesn't qualify as phishing-resistant."
+    - content: "FIDO2 security key"
+      isCorrect: true
+      explanation: "FIDO2 security keys use public-key cryptography bound to the origin, making them resistant to phishing and credential replay attacks."
+    - content: "OATH hardware token"
+      isCorrect: false
+      explanation: "OATH TOTP codes are time-based passcodes that are often intercepted and replayed by a phishing site, so they aren't phishing-resistant."
+  - content: "A security architect is designing MFA enforcement for all users in a Microsoft Entra ID tenant. Which mechanism does Microsoft recommend over per-user MFA or security defaults for most organizations?"
+    choices:
+    - content: "Enabling security defaults in the Microsoft Entra admin center"
+      isCorrect: false
+      explanation: "Security defaults are a baseline for organizations without a Microsoft Entra ID P1/P2 license and don't offer the granular control that most organizations need."
+    - content: "Enabling per-user MFA for every account"
+      isCorrect: false
+      explanation: "Per-user MFA is a legacy approach that lacks the context-awareness and flexibility of modern policy-driven enforcement."
+    - content: "Using Conditional Access policies to require MFA"
+      isCorrect: true
+      explanation: "Conditional Access is the recommended MFA enforcement mechanism because it allows granular, risk-based, and context-based rules that can target specific users, apps, and conditions."
+  - content: "A company is deploying passwordless authentication. Frontline workers share physical kiosks in a warehouse and don't have assigned Windows laptops. Which passwordless method is the best fit for this persona?"
+    choices:
+    - content: "Windows Hello for Business"
+      isCorrect: false
+      explanation: "Windows Hello for Business stores credentials on a specific device, making it unsuitable for shared kiosk scenarios where multiple workers use the same hardware."
+    - content: "FIDO2 security key"
+      isCorrect: true
+      explanation: "FIDO2 security keys are portable and device-independent, making them ideal for shared or unassigned devices where workers need to authenticate without a dedicated corporate laptop."
+    - content: "Synced passkey stored in a password manager"
+      isCorrect: false
+      explanation: "Synced passkeys are best suited for BYOD scenarios where users authenticate from their own personal devices across multiple platforms."
+  - content: "An administrator is reviewing which authentication methods are eligible for self-service password reset (SSPR). Which of the following methods is NOT supported for SSPR?"
+    choices:
+    - content: "Mobile app code (TOTP from Microsoft Authenticator)"
+      isCorrect: false
+      explanation: "The Microsoft Authenticator app code (TOTP) is a supported SSPR method that users can register and use to verify their identity during a reset."
+    - content: "FIDO2 security key / passkey"
+      isCorrect: true
+      explanation: "FIDO2 security keys and passkeys are sign-in-only credentials. They can confirm a sign-in but aren't available as verification methods during a self-service password reset flow."
+    - content: "Email address verification"
+      isCorrect: false
+      explanation: "Email is a supported SSPR method and is commonly used as an alternate contact verification option."
+  - content: "A help desk technician needs to onboard a new employee who has no existing authentication methods registered. The technician wants to issue a short-lived credential that lets the employee securely complete first-time MFA registration. Which feature is designed for this purpose?"
+    choices:
+    - content: "Send a password"
+      isCorrect: false
+      explanation: "Sending a password doesn't provide a secure, time-limited credential for first-time authentication registration."
+    - content: "A Conditional Access policy scoped to the 'Register security information' user action"
+      isCorrect: false
+      explanation: "This policy controls who can register, but it doesn't itself provide a credential that allows an unregistered user to authenticate for the first time."
+    - content: "Temporary Access Pass (TAP)"
+      isCorrect: true
+      explanation: "TAP is a time-limited passcode issued by an admin that allows a user with no existing methods to sign in and bootstrap their first MFA registration, including passkeys and FIDO2 keys."
@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-implement-authentication-methods.summary
+title: Summary
+metadata:
+  title: Summary
+  description: Summary of implementing and managing authentication methods in Microsoft Entra ID, including MFA, passwordless authentication, and SSPR.
+  ms.date: 03/05/2026
+  author: r-c-stewart
+  ms.author: roberts
+  ms.topic: unit
+  ai-usage: ai-generated
+durationInMinutes: 2
+content: |
+  [!include[](includes/8-summary.md)]
@@ -0,0 +1,26 @@
+In this module, you implement and manage authentication methods in Microsoft Entra ID, including multifactor authentication (MFA), passwordless authentication, and self-service password reset (SSPR). You learn to deploy modern authentication solutions that balance security with user experience.
+
+## Scenario
+
+You're a security engineer at Contoso Corporation, a healthcare technology company that's modernizing from on-premises Active Directory to a hybrid cloud environment. Your CISO has issued a mandate: all users must use multifactor authentication and passwordless sign-in within 90 days to meet new compliance requirements and reduce the risk of credential-based attacks.
+
+Your help desk currently processes over 200 password reset requests weekly, costing approximately $50 per incident. Recent phishing attempts targeting employee credentials have heightened security concerns, especially as Contoso expands into AI-powered healthcare analytics using Azure AI Foundry and Microsoft Copilot for Microsoft 365.
+
+Your task is to implement a comprehensive authentication strategy that strengthens security, improves user experience, and reduces operational overhead.
+
+## Learning objectives
+
+In this module, you will:
+
+- Configure and deploy multifactor authentication (MFA) for users and groups.
+- Implement passwordless authentication methods including FIDO2, Windows Hello for Business, and Microsoft Authenticator.
+- Configure self-service password reset (SSPR) with appropriate authentication methods.
+- Design authentication policies that balance security requirements with user experience.
+- Monitor authentication activity and troubleshoot common authentication issues.
+- Configure authentication methods for AI-powered services and applications.
+
+## Prerequisites
+
+- Azure administrative experience.
+- Basic understanding of Microsoft Entra ID concepts.
+- Familiarity with identity and access management principles.
@@ -0,0 +1,63 @@
+Imagine you're a security engineer at Contoso, a mid-sized healthcare technology company. Over the past year, your team responded to three separate incidents involving compromised user credentials — each traced back to phishing attacks or credential-stuffing campaigns. Your manager asks you to evaluate Contoso's current authentication strategy and recommend a path toward eliminating password-related breaches. To do that effectively, you need to understand the full spectrum of authentication methods available in Microsoft Entra ID and how they compare in terms of security and user experience.
+
+## The authentication methods landscape
+
+Microsoft Entra ID supports a broad range of authentication methods, from legacy password-based approaches to modern passwordless alternatives. These methods fall into categories based on what the user presents to prove their identity:
+
+- **Something you know**: Passwords and PINs
+- **Something you have**: A registered device, a security key, or an authenticator app
+- **Something you are**: Biometrics, such as a fingerprint or facial recognition
+
+Password-based authentication — where a user provides a username and password — remains the most widely deployed method, but also the most vulnerable. Passwords can be phished, guessed, or stolen through data breaches. For organizations like Contoso, passwords alone represent an unacceptable risk.
+
+Modern passwordless methods eliminate the password entirely. Instead of typing a password, users authenticate using a combination of device possession and a biometric or PIN. Methods like FIDO2 security keys, Windows Hello for Business, and passkeys are natively phishing-resistant because no shareable secret is transmitted during sign-in. Microsoft Authenticator passwordless sign-in is a strong improvement over passwords, but requires Conditional Access policies enforcing managed devices to achieve the same level of phishing resistance.
+
+:::image type="content" source="../media/authentication-methods-spectrum.png" alt-text="Diagram showing the spectrum from password-only authentication on the left, through password plus MFA in the middle, to fully passwordless methods on the right, with security strength increasing from left to right.":::
+
+## Multifactor authentication as the bridge
+
+For organizations that can't immediately move to passwordless, **multifactor authentication (MFA)** provides a critical intermediate security layer. MFA requires users to verify their identity using two or more factors from different categories — for example, something they know (a password) combined with something they have (a registered phone).
+
+Microsoft Entra ID supports several MFA methods:
+
+| Method | Type | Security level |
+|---|---|---|
+| Microsoft Authenticator push notification | App-based | High |
+| Microsoft Authenticator TOTP code | App-based | High |
+| OATH TOTP hardware token | Hardware | High |
+| SMS one-time passcode | Phone | Low-medium |
+| Voice call verification | Phone | Low-medium |
+
+> [!NOTE]
+> FIDO2 security keys and passkeys in Microsoft Authenticator are passwordless, phishing-resistant methods — they replace the password entirely rather than acting as a second factor behind one. They appear in the security hierarchy in the next section.
+
+> [!IMPORTANT]
+> SMS and voice call verification are considered legacy MFA methods. They're vulnerable to SIM-swapping attacks. Microsoft recommends migrating users away from these methods toward app-based or hardware-based alternatives.
+
+The next unit on multifactor authentication explores how to configure and enforce these methods across your user population.
+
+## Authentication strength and security hierarchy
+
+Not all MFA methods offer the same level of protection. Microsoft Entra ID introduces the concept of **authentication strength**, which lets you specify the minimum acceptable MFA method required to access a given resource through Conditional Access policies.
+
+The security hierarchy, from least to most secure, is:
+
+- Password only (no MFA)
+- Password + SMS or voice call
+- Password + Microsoft Authenticator app
+- Passwordless sign-in (Windows Hello for Business, FIDO2 security keys, passkeys in Microsoft Authenticator, certificate-based authentication)
+
+For sensitive resources — such as administrative portals or financial systems — authentication strength policies let you require **phishing-resistant MFA**. Microsoft Entra ID's built-in phishing-resistant strength covers four method families: Windows Hello for Business, FIDO2 security keys, passkeys in Microsoft Authenticator, and certificate-based authentication (CBA). This distinction is critical when designing access policies for Contoso's privileged accounts.
+
+> [!TIP]
+> Authentication strength policies are applied per application. You can require phishing-resistant MFA for your most sensitive systems while allowing standard MFA for lower-risk applications — balancing security with user experience. This per-resource granularity is the technical expression of Zero Trust's "verify explicitly" principle: every access request is evaluated against the authentication strength required for that specific resource, not a blanket organization-wide setting.
+
+## Microsoft Entra ID authentication architecture
+
+When a user signs in, the request flows through the **Microsoft identity platform**, the cloud-native authentication engine behind Microsoft Entra ID. The platform evaluates the user's credentials, applies Conditional Access policies, and issues tokens upon successful authentication.
+
+:::image type="content" source="../media/entra-authentication-architecture.png" alt-text="Diagram showing the Microsoft Entra ID authentication flow. A user device on the left sends a sign-in request to the Microsoft identity platform in the center, which applies Conditional Access policies before issuing tokens to the target application on the right.":::
+
+For devices joined to Microsoft Entra ID, a **Primary Refresh Token (PRT)** is issued after the first successful sign-in. The PRT enables single sign-on (SSO) across apps and services without requiring re-authentication — a meaningful gain in user experience that complements the security improvements from stronger authentication methods.
+
+Understanding this architecture helps you anticipate how changes to authentication policies affect users and applications across the organization. Importantly, the same authentication policies that govern access to Microsoft 365 and Azure management also apply to AI-powered services like Azure AI Foundry and Microsoft Copilot for Microsoft 365 — making strong authentication the first line of defense for Contoso's AI investments as well. With this foundation in place, you're ready to dive into configuring multifactor authentication in the next unit.