Level 2


Changing temporary passwords to permanent passwords immediately after system logon ensures that the necessary strength of the authentication mechanism is implemented at the earliest opportunity, reducing the susceptibility to authenticator compromises.  

Priority: High 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM) 

Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure Active Directory B2C
  • Azure Active Directory Domain Services
  • Azure AD Privileged Identity Management
  • Azure Multi-Factor Authentication
  • Azure Conditional Access
  • Azure Information Protection
  • Azure Identity Protection
  • Azure Key Vault
  • Azure Security Center

Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings 

Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 

What needs to be answered:

  • Do new employees receive an account and instructions for creating a password during the hiring process?
  • Do new employees receive notification of their account, and are they required to reset their initial passwords?
  • Are temporary password activation links sent to validated employees should they require a password reset or change?
  • Are temporary passwords only good to allow for a password reset?
  • Does the system enforce immediate password change after logon when a temporary password is issued for a lost or forgotten password?

Checks for AWS

  • Immediate Change from Temporary to Permanent Password
    Description: This check ensures that organizations require users to immediately change their temporary passwords to permanent passwords upon system logon. Temporary passwords are typically issued for initial access to systems or for password reset processes. Requiring an immediate change from a temporary password to a permanent password strengthens the authentication mechanism by ensuring that users set a new password that meets the organization's password complexity requirements. This reduces the risk of unauthorized access due to compromised temporary passwords.
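    As an added example (not part of this control text), the AWS check above can be implemented against IAM console login profiles: a temporary password is issued with PasswordResetRequired set, and an audit flags any recently created login profile that does not force a change at first sign-in. The live audit_account() helper assumes a boto3 IAM client is passed in; the rule itself runs offline on constructed sample data.

```python
from datetime import datetime, timedelta, timezone

def login_profile_kwargs(user_name: str, temp_password: str) -> dict:
    """Arguments for iam.create_login_profile() that issue a temporary
    console password which must be replaced at first logon."""
    return {"UserName": user_name, "Password": temp_password, "PasswordResetRequired": True}

def find_unforced_temporary_passwords(profiles, now, max_age_days=7):
    """Return user names whose console password was set within max_age_days
    (i.e. is still a temporary/initial password) but does not require a reset
    at next sign-in. `profiles` holds dicts shaped like
    iam.get_login_profile()["LoginProfile"]:
    {"UserName": str, "CreateDate": datetime, "PasswordResetRequired": bool}.
    """
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for profile in profiles:
        recent = profile["CreateDate"] >= cutoff
        if recent and not profile.get("PasswordResetRequired", False):
            findings.append(profile["UserName"])
    return findings

def audit_account(iam_client, now=None, max_age_days=7):
    """Live variant: enumerate IAM users with boto3 and apply the same rule.
    Users without a console password have no login profile and are skipped."""
    now = now or datetime.now(timezone.utc)
    profiles = []
    for page in iam_client.get_paginator("list_users").paginate():
        for user in page["Users"]:
            try:
                resp = iam_client.get_login_profile(UserName=user["UserName"])
                profiles.append(resp["LoginProfile"])
            except iam_client.exceptions.NoSuchEntityException:
                continue
    return find_unforced_temporary_passwords(profiles, now, max_age_days)

# Constructed sample data standing in for get_login_profile() responses.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_PROFILES = [
    {"UserName": "new-hire-a", "CreateDate": NOW - timedelta(days=1), "PasswordResetRequired": True},
    {"UserName": "new-hire-b", "CreateDate": NOW - timedelta(days=2), "PasswordResetRequired": False},
    {"UserName": "veteran", "CreateDate": NOW - timedelta(days=400), "PasswordResetRequired": False},
]

if __name__ == "__main__":
    # Only new-hire-b was given a fresh password without a forced change.
    print(find_unforced_temporary_passwords(SAMPLE_PROFILES, NOW))  # → ['new-hire-b']
```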

Checks for Azure

  • Require Password Change on First Sign-In
    Description: This check ensures that users are required to change their password upon their first sign-in to the Azure environment. By requiring a password change on the first sign-in, organizations can enforce the use of unique and personalized passwords for each user, reducing the risk of compromised credentials.
  • Enforce Password Reset on a Regular Basis
    Description: This check verifies that organizations enforce regular password resets for user accounts in Azure. Password reset policies require users to change their passwords after a specified period of time. Regular password resets help mitigate the risk of unauthorized access by ensuring that passwords are regularly updated and not used for an extended period.

More Details: Users are issued temporary passwords on account creation or password reset, with a requirement to change the password upon first logging in with the temporary password.