Description:

Ensure that 'Notify users on password resets?' is set to 'Yes'. If this option is set to Yes, users resetting their password receive an email notifying them that their password has been changed.


Rationale:

User notification on password reset is a passive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.


Impact:

If 'Notify users on password resets?' is set to Yes, users resetting their password receive an email notifying them that their password has been changed. The email is sent via the SSPR portal to the primary and alternate email addresses stored for the user in Azure AD.


Default Value:

By default, 'Notify users on password resets?' is set to 'Yes'.


Audit:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to Password reset

  4. Go to Notification

  5. Ensure that Notify users on password resets? is set to Yes


Remediation:

Pre-Requisite:

  1. A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.

  2. An account with global administrator privileges.


Implementation:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to Password reset

  4. Go to Notification

  5. Set Notify users on password resets? to Yes



Backout Plan:

  1. Go to Azure Active Directory

  2. Go to Users

  3. Go to Password reset

  4. Go to Notification

  5. Set Notify users on password resets? to No


Note:

At the time of writing, there is no API/CLI mechanism available to programmatically assess this recommendation; the audit must be performed through the portal steps above.


References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications

  2. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment

  3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy