Description:
The 'Number of methods required to reset' setting in Microsoft Entra ID (formerly Azure Active Directory) determines how many authentication methods a user must provide when performing a self-service password reset (SSPR). By setting this value to '2', users will be required to verify their identity using two methods before they are allowed to reset their password.
Rationale:
Requiring two methods for password resets makes unauthorized resets harder: an attacker who controls only one of a user's verification methods (for example a phone number or a mailbox) cannot complete the reset on their own. Enforcing multi-factor verification for this sensitive account action also aligns with security best practices such as zero trust and least privilege.
Impact:
Setting the number of methods required to reset passwords to two improves security by enforcing multi-factor verification, slightly increases user effort during resets, and significantly reduces the risk of unauthorized access by ensuring identities are verified through multiple authentication methods.
Default Value:
By default, Microsoft Entra ID is commonly configured to require one method ('1') for a password reset. This default can be raised to '2' to improve security.
Pre-requisites:
Global Administrator role in Microsoft Entra ID
Self-Service Password Reset is enabled for the tenant
Users included in the Self-Service Password Reset scope
Users registered with at least two authentication methods supported for password reset
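The last prerequisite is the one that causes lockouts if it is skipped: a user who has registered only one SSPR-capable method can no longer reset their password once the requirement is raised to 2. The following Microsoft Graph PowerShell script is an added example (not part of the benchmark text) that lists SSPR-enabled users with fewer than two registered methods that SSPR can use, so they can be asked to register before the change. It assumes the Microsoft.Graph PowerShell SDK; the cmdlet name, permission scopes and method identifiers are taken from the Graph userRegistrationDetails report and should be checked against the current documentation, and the list of SSPR-capable methods should match the methods enabled in the tenant.

```powershell
# Added example: find SSPR-enabled users who could not satisfy a 2-method reset requirement.
# Assumption: Microsoft.Graph SDK installed; cmdlet/property names follow the Graph
# reports/authenticationMethods/userRegistrationDetails resource.

# Method identifiers (as reported in methodsRegistered) that SSPR can use.
# Assumption: trim this list to the methods enabled under Password reset > Authentication methods.
$SsprMethods = @(
    'email', 'mobilePhone', 'alternateMobilePhone', 'officePhone',
    'microsoftAuthenticatorPush', 'softwareOneTimePasscode', 'securityQuestion'
)
$Required = 2   # the value this control sets for "Number of methods required to reset"

# Read-only scopes for the registration report (assumed least-privilege set for this report).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$inScope = @($report | Where-Object { $_.IsSsprEnabled })   # users covered by the SSPR policy

$atRisk = foreach ($u in $inScope) {
    # Count only registered methods that SSPR accepts; FIDO2 keys or Windows Hello do not help here.
    $usable = @($u.MethodsRegistered | Where-Object { $_ -in $SsprMethods })
    if ($usable.Count -lt $Required) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            SsprMethodsCount  = $usable.Count
            SsprMethods       = ($usable -join ', ')
            IsAdmin           = $u.IsAdmin
        }
    }
}

"{0} of {1} SSPR-enabled users have fewer than {2} usable methods and would be unable to reset." -f `
    @($atRisk).Count, $inScope.Count, $Required
$atRisk | Sort-Object SsprMethodsCount, UserPrincipalName | Format-Table -AutoSize
```

Run it before the Implementation Steps and again after the registration campaign; the control is safe to apply when the at-risk count reaches zero (or the remaining accounts are deliberately excluded from the SSPR scope).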
Test plan:
Sign in to the Azure portal.
Navigate to Microsoft Entra ID.
Under Manage, select Password reset, then open Authentication methods.
Verify that the Number of methods required to reset is set to 2.
Implementation Steps:
Sign in to the Azure portal and navigate to Microsoft Entra ID (Azure AD).
Under Manage, select Password reset.
Open Authentication methods.
Under Self-Service Password Reset, ensure that the Number of methods required to reset is set to 2.
Click Save to apply the changes.
Backout Plan:
Sign in to the Azure portal and navigate to Microsoft Entra ID (Azure AD).
Under Manage, select Password reset, then open Authentication methods.
In Self-Service Password Reset, change the Number of methods required to reset back to 1.
Click Save to apply the changes.
References:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
https://docs.microsoft.com/en-us/azure/active-directory/authentication/sspr-authentication-methods
