Description:
Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.
Rationale:
If authentication re-confirmation is disabled, registered users are never prompted to re-confirm their existing authentication information. If a user's phone number or email address changes, the stale method remains registered and password reset continues to send verification codes to the previously registered contact details, which the user may no longer control.
Impact:
The "Number of days before users are asked to re-confirm their authentication information" setting is the interval, up to a maximum of 730 days, after which Azure AD users who have registered for self-service password reset are prompted to re-confirm their existing authentication details so that they are still valid. If re-confirmation is disabled, i.e. the value is 0 days, users are never prompted to re-confirm their authentication information. With a non-zero value, users are periodically interrupted at sign-in to re-confirm their registered methods.
Default Value:
By default, the "Number of days before users are asked to re-confirm their authentication information" is set to 180 days.
Audit:
Go to Azure Active Directory
Go to Users
Go to Password reset
Go to Registration
Ensure that Number of days before users are asked to re-confirm their authentication information is not set to 0
Remediation:
Pre-Requisite:
A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
An account with global administrator privileges.
Implementation Steps:
Go to Azure Active Directory
Go to Users
Go to Password reset
Go to Registration
Set the Number of days before users are asked to re-confirm their authentication information to your organization-defined frequency (the valid range is 0 to 730 days; 0 disables re-confirmation, so choose a non-zero value)
Backout Plan:
Go to Azure Active Directory
Go to Users
Go to Password reset
Go to Registration
Set the Number of days before users are asked to re-confirm their authentication information back to 0 to restore the previous (disabled) state
Note:
At the time of writing there is no API/CLI mechanism available to programmatically assess this recommendation; the audit must be performed in the Azure portal.
References:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#registration
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy