Description:

This control ensures users receive notifications whenever their password is reset by an administrator in Microsoft Entra ID. Enabling notifications improves transparency, helps users detect unauthorized password changes, and supports faster incident response by alerting users to potential account compromise or misuse.


Rationale:

User notifications provide an early warning mechanism for compromised accounts. If a password is reset without the user's knowledge, attackers may retain access. Alerts allow faster reporting, verification, and corrective action, reducing the likelihood of prolonged unauthorized access.


Impact:

Users will receive email notifications whenever their passwords are reset manually by administrators. This may increase helpdesk queries initially, but it improves trust and security awareness. There is no service disruption, and the setting does not affect automated or self-service password changes.


Default Value:

  • By default, this setting is set to Yes in Microsoft Entra ID (Azure AD).


Pre-requisites:

  1. Make sure Global Administrator or Privileged Role Administrator rights are assigned

  2. Self-Service Password Reset (SSPR) enabled

  3. Required licensing (Entra ID Free / P1 / P2 as applicable)


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Password reset

  4. Select Notifications

  5. Verify that Notify users on password resets is set to Yes

  6. If Notify users on password resets is not set to Yes, follow the implementation steps

Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Password reset

  4. Select Notifications

  5. Set Notify users on password resets to Yes

  6. Save the changes

Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Open Microsoft Entra ID

  3. Under the Manage section, select Password reset

  4. Select Notifications

  5. Set Notify users on password resets to No

  6. Save the changes

