Description:

Ensure that two alternate forms of identification are required before a password reset is allowed. Self-Service Password Reset (SSPR) is an Azure Active Directory (AD) feature that lets users reset their own passwords without contacting IT staff. Users can quickly unblock themselves and continue working regardless of location or time of day. By allowing employees to unblock themselves, an organization reduces both lost productivity and the support cost of the most common password-related issues.


Rationale:

As with multi-factor authentication, requiring two forms of identification before a password reset ensures that the user's identity is confirmed through two independent channels. With two methods required, an attacker must compromise both (for example, the mobile phone number and the alternate email address) before they can maliciously reset a user's password; a single compromised method, such as a SIM-swapped phone number or a breached personal mailbox, is no longer sufficient.


Default Value:

By default, the Number of methods required to reset is set to "2".


Audit:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to the Password reset

  4. Go to Authentication methods

  5. Verify that the Number of methods required to reset is set to 2


Remediation:

Pre-Requisite:

  1. A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.

  2. An account with global administrator privileges.


Implementation:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to Password reset

  4. Go to Authentication methods

  5. Set the Number of methods required to reset to 2


Backout Plan:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to Password reset

  4. Go to Authentication methods

  5. Set the Number of methods required to reset back to 1


Note:

At the time of writing there is no API or CLI mechanism for reading this setting, so the assessment for this recommendation cannot be performed programmatically and must be done through the portal as described under Audit.
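Although the policy value itself cannot be read programmatically, the practical risk of enforcing two methods is that users who have registered only one method can no longer reset their password. The following PowerShell script is an added example, not part of the benchmark text: it uses the Microsoft Graph authentication methods registration report to list SSPR-enabled users who are not yet capable of completing a reset under the current policy, so that a registration campaign can target them before or after the setting is changed. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account holds the report permission (AuditLog.Read.All and User.Read.All are assumed here), and the output file name is an assumption for this example.

```powershell
# Added example: find SSPR-enabled users who cannot satisfy the reset policy.
# This is not code from the CIS benchmark. It does not read the
# "Number of methods required to reset" value (no API exposes it); it reads
# the per-user registration report, whose IsSsprCapable flag already reflects
# whether the user has registered enough methods for the tenant's policy.

# Assumption: these scopes are sufficient for the registration report.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.Read.All'

# One row per user. MethodsRegistered is a list of method names such as
# 'mobilePhone', 'email', 'securityQuestion', 'microsoftAuthenticatorPush'.
# Note that not every registered method counts for SSPR (e.g. FIDO2 keys do
# not), so the raw count below is context only; IsSsprCapable is authoritative.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$notReady = foreach ($u in $report) {
    # Accounts not in scope for SSPR cannot be locked out by this setting.
    if (-not $u.IsSsprEnabled) { continue }

    if (-not $u.IsSsprCapable) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            IsSsprRegistered  = $u.IsSsprRegistered
            MethodCount       = @($u.MethodsRegistered).Count
            MethodsRegistered = ($u.MethodsRegistered -join ', ')
        }
    }
}

$inScope = @($report | Where-Object { $_.IsSsprEnabled }).Count
Write-Host ("SSPR-enabled users: {0}; not yet capable of a reset: {1}" -f $inScope, @($notReady).Count)

# Users with zero methods first, since they need the most help.
$notReady | Sort-Object MethodCount | Format-Table -AutoSize

# Assumption: output path for handing the list to the helpdesk or a campaign.
$notReady | Export-Csv -Path '.\sspr-not-capable.csv' -NoTypeInformation
```

Run this before changing the setting to size the impact, and again afterwards: once the policy is 2, any user listed here will fail self-service reset and fall back to the helpdesk, which is exactly the support cost the Description says SSPR is meant to remove.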


References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-faq#password-reset-registration

  2. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment

  3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access