Description:
Ensure that 'Notify users on password resets?' is set to 'Yes'. If this option is set to Yes, users resetting their password receive an email notifying them that their password has been changed.
Rationale:
User notification on password reset is a passive way of confirming password reset activity. It helps the user recognize unauthorized password reset activity, since a notification for a reset they did not perform signals that someone else reset their password.
Impact:
If 'Notify users on password resets?' is set to Yes, users resetting their password receive an email notifying them that their password has been changed. The email is sent via the SSPR portal to the primary and alternate email addresses stored for that user in Azure AD.
Default Value:
By default, 'Notify users on password resets?' is set to 'Yes'.
Audit:
Go to Azure Active Directory
Go to Users
Go to Password reset
Go to Notification
Ensure that Notify users on password resets? is set to Yes
Remediation:
Pre-Requisite:
A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
An account with global administrator privileges.
Implementation:
Go to Azure Active Directory
Go to Users
Go to Password reset
Go to Notification
Set Notify users on password resets? to Yes
Backout Plan:
Go to Azure Active Directory
Go to Users
Go to Password reset
Go to Notification
Set Notify users on password resets? to No
Note:
Please note that at this point in time, there is no API/CLI mechanism available to programmatically conduct a security assessment for this recommendation.
References:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy