I’ve been searching some information about Security Questions in AzureAD, and one of the fisrt conclusiones that I came, is that Security Questions are only available for users that use, SSPR.
Taking this into considerations, you have to be aware of the following, when using security questions:
- Azure stores security questions privately and in a security-enhanced manner on a user object in the directory. Only users can answer the questions and only during registration. An administrator can’t read or change a user’s questions or answers.
- Azure provides 35 predefined questions, all translated and localized based on the browser locale.
- You can customize the questions by using the administrative interface; however, Azure displays them in the language entered. The maximum length is 200 characters.