Description:
Notify all admins when other admins reset their passwords. If this option is set to Yes, then all other Azure administrators receive an email to their primary email address stored in Azure AD. The email notifies them that another administrator has changed their password by using SSPR.
Rationale:
Administrator accounts are sensitive. Any password reset activity notification, when sent to all administrators, ensures that all administrators can passively confirm if such a reset is a common pattern within their group. For example, if all administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.
Default Value:
By default, 'Notify all admins when other admins reset their password?' is set to 'No'.
Audit:
Go to Azure Active Directory
Go to Users
Go to Password reset
Go to Notification
Ensure that Notify all admins when other admins reset their password? is set to Yes
Remediation:
Pre-Requisite:
A working Azure AD tenant with at least an Azure AD Premium P1 or trial license enabled.
An account with global administrator privileges.
Implementation:
Go to Azure Active Directory
Go to Users
Go to Password reset
Go to Notification
Set Notify all admins when other admins reset their password? to Yes
Backout Plan:
Go to Azure Active Directory
Go to Users
Go to Password reset
Go to Notification
Set Notify all admins when other admins reset their password? to NO
Note:
Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct a security assessment for this recommendation.
References:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory- passwords-how-it-works#notifications
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto- sspr-deployment
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls- v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users