Description:

The 'Number of methods required to reset' setting in Microsoft Entra ID (formerly Azure Active Directory) determines how many authentication methods a user must provide when performing a self-service password reset (SSPR). By setting this value to '2', users will be required to verify their identity using two methods before they are allowed to reset their password.

This additional layer of verification helps ensure that only the legitimate account owner can reset the password. An attacker who has compromised a single factor (for example a mailbox or a phone number) cannot complete the reset without also controlling the second registered method, which is what makes the two-method ("two-gate") policy meaningfully stronger than a single check.

Rationale:

Requiring two methods for password resets helps:

  • Increase security: The more independent authentication methods are required, the harder it is for an unauthorized individual to successfully reset a password.

  • Reduce the risk of unauthorized password resets: By requiring users to prove control of two separate methods, a single compromised method (a phished mailbox, a SIM-swapped phone number) is no longer enough to take over the account.

  • Comply with security best practices: Requiring multi-method verification for a sensitive action such as a password reset follows defence-in-depth and zero trust guidance, and matches what Microsoft already enforces for administrator accounts, which must always use two methods for self-service password reset regardless of this setting.

Impact:

Setting 'Number of methods required to reset' to '2' will:

  • Enhance security by ensuring that users need more than one form of verification to perform password resets.

  • Slightly increase the complexity of the password reset process, which may affect user experience. Users who have registered only one authentication method will be unable to complete a self-service reset until they register a second one, so plan a registration campaign before enforcing the change. The security benefit outweighs the added complexity.

  • Ensure that only users who can prove their identity with multiple methods are able to reset their passwords, significantly reducing the chances of unauthorized resets.

Default Value:

By default, Microsoft Entra ID requires '1' method for a self-service password reset by non-administrator users. Administrator accounts are always required to use two methods, regardless of this setting. The default for ordinary users should be changed to '2' to improve security.

Pre-requisites:

  • A Microsoft Entra ID (formerly Azure AD) tenant with self-service password reset enabled for the users in scope.

  • Global Administrator or Security Administrator permissions to configure self-service password reset settings.

  • Users must be registered with at least two of the authentication methods enabled in the SSPR policy (e.g., mobile phone number, alternate email address, Microsoft Authenticator app) in order to successfully use self-service password reset once the setting is changed.

Audit:

  1. Sign in to Azure portal as a Global Administrator or Security Administrator.

  2. Navigate to Microsoft Entra ID > Password reset.

  3. Verify that the 'Number of methods required to reset' setting is configured to '2'.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • In the Azure portal, go to Microsoft Entra ID (labelled Azure Active Directory in older versions of the portal).

  3. Go to Password Reset Settings:

    • Under Manage, select Password reset.

  4. Configure Self-Service Password Reset (SSPR) Settings:

    • In the Password reset pane, click on Authentication methods.

    • Under Number of methods required to reset, select '2'.

  5. Choose Methods for Verification:

    • In the same section, under Methods available to users, enable at least two methods (preferably more, so every user can register two). Prefer the Microsoft Authenticator app (notification or code) and a mobile phone over email and security questions, which are easier to compromise or guess.

    • Registration itself is done by the users, not in this pane: ensure that every user in scope has registered at least two of the enabled methods before the change takes effect, otherwise they will be unable to complete a self-service password reset.

  6. Save the Settings:

    • After setting 'Number of methods required to reset' to '2', click Save to apply the changes.

  7. Verify Settings:

    • Test the Self-Service Password Reset (SSPR) process by attempting a password reset as a test user.

    • Ensure that the user is prompted for two separate methods of authentication (e.g., email and mobile number, or email and authenticator app).

  8. Communicate to Users:

    • Inform users that they will now need to provide two authentication methods for password resets.

    • Encourage users to register two or more authentication methods through the Security info page (https://aka.ms/mysecurityinfo), and consider enabling registration enforcement at sign-in so that users are prompted to register before they need to reset.

  9. Monitor and Review:

    • Use the Microsoft Entra ID audit logs (activities logged by the "Self-service Password Management" service) to monitor successful and failed self-service password resets, and confirm that the two-method requirement is being enforced and that users are not failing resets because they lack a second registered method.
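The following PowerShell script is an added example and is not part of the original page or of Microsoft's own documentation. It covers two of the steps above: the readiness check (finding users in scope for SSPR who have fewer than two methods registered, which is the prerequisite for steps 5 and 8) and the post-change monitoring in step 9. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions; the function names Get-SsprReadinessReport and Get-SsprResetActivity are this example's own.

```powershell
# Added example (not from the original page). Requires the Microsoft.Graph
# PowerShell SDK (modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports)
# and a signed-in account with AuditLog.Read.All and
# UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

function Get-SsprReadinessReport {
    # Lists every user's registered authentication methods and flags those
    # who cannot satisfy a two-method reset. The report object exposes
    # IsSsprEnabled (in scope of the SSPR policy), IsSsprRegistered
    # (has enough methods for the CURRENT policy) and MethodsRegistered.
    param([int] $RequiredMethods = 2)

    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    foreach ($u in $details) {
        # MethodsRegistered holds values such as 'mobilePhone', 'email',
        # 'microsoftAuthenticatorPush', 'softwareOneTimePasscode',
        # 'securityQuestion'. The count is an upper bound: a method only
        # helps if it is also enabled under "Methods available to users".
        $count = @($u.MethodsRegistered).Count
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            IsAdmin           = $u.IsAdmin
            IsSsprEnabled     = $u.IsSsprEnabled
            IsSsprRegistered  = $u.IsSsprRegistered
            MethodsRegistered = ($u.MethodsRegistered -join ', ')
            MethodCount       = $count
            ReadyForTwoGate   = ($count -ge $RequiredMethods)
        }
    }
}

function Get-SsprResetActivity {
    # Pulls the audit events written by the SSPR service for the last N days
    # so the success/failure ratio can be watched after the change.
    param([int] $Days = 7)

    $since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "loggedByService eq 'Self-service Password Management' and activityDateTime ge $since"

    Get-MgAuditLogDirectoryAudit -Filter $filter -All |
        Select-Object ActivityDateTime, ActivityDisplayName, Result, ResultReason,
            @{ Name = 'User'; Expression = { $_.InitiatedBy.User.UserPrincipalName } }
}

# 1. Before changing the setting: who in scope would be locked out of SSPR?
Write-Host "Users in scope for SSPR with fewer than two registered methods:"
Get-SsprReadinessReport |
    Where-Object { $_.IsSsprEnabled -and -not $_.ReadyForTwoGate } |
    Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, IsAdmin, MethodCount, MethodsRegistered -AutoSize

# 2. After changing the setting: outcome of resets over the last week,
#    grouped by activity and result so failures stand out.
Write-Host "SSPR activity in the last 7 days:"
Get-SsprResetActivity -Days 7 |
    Group-Object ActivityDisplayName, Result |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run the readiness report first and drive registration for the users it lists; a spike of failed resets with a reason mentioning registration after the change is the signal that this step was skipped. Note that IsSsprRegistered is evaluated against the policy currently in force, so it reads true for single-method users until the setting is raised to '2'; the MethodCount column is the forward-looking check.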

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • Go to Microsoft Entra ID > Password reset.

  3. Revert the Setting:

    • In the Password reset pane, navigate to Authentication methods and change the 'Number of methods required to reset' back to '1'. Administrator accounts will continue to require two methods regardless of this setting.

  4. Save the Configuration:

    • Click Save to apply the changes and allow users to reset their passwords using only one authentication method.

  5. Test the Reverted Configuration:

    • Attempt a password reset with a user to verify that the process now only requires one method of authentication.

References: