Description:

The 'Number of days before users are asked to reconfirm their authentication information' setting in Microsoft Entra ID (formerly Azure Active Directory) controls how often users are prompted to verify or reconfirm their authentication methods (e.g., phone number, email address, or authenticator app). If this value is set to 0, users are never prompted to update their authentication information, potentially leaving outdated or invalid information in the system.

It is important to configure this setting to a reasonable number of days (e.g., 180 days or 1 year) to ensure that users' authentication information is kept up-to-date and accurate. This helps mitigate risks related to account recovery, security, and access management.

Rationale:

Setting 'Number of days before users are asked to reconfirm their authentication information' to a value greater than 0 helps:

  • Enhance security: Regularly asking users to confirm or update their authentication methods ensures that their contact information is current, which is critical for identity verification and security.

  • Prevent account recovery issues: Up-to-date authentication information ensures that users can recover their accounts in case of issues such as forgotten passwords or compromised accounts.

  • Meet security best practices: Ensures that the authentication methods in your organization are verified periodically, which is a common best practice in security frameworks.

Impact:

Setting 'Number of days before users are asked to reconfirm their authentication information' to a value greater than 0 will:

  • Improve security by ensuring that users' authentication methods are periodically validated.

  • Increase the administrative overhead as users will be prompted to update their information, which may increase helpdesk or support requests. However, the security benefits outweigh this minor inconvenience.

  • Ensure compliance with organizational and regulatory requirements for maintaining up-to-date user authentication information.

Default Value:

By default, Microsoft Entra ID may have this setting at '0' days, meaning users are never prompted to reconfirm their authentication information unless a prompt is triggered manually. It is recommended to change this setting to a non-zero value.

Pre-requisites:

  • Azure subscription with Microsoft Entra ID (Azure AD) configured.

  • Global Administrator or Security Administrator permissions to modify the authentication settings.

  • Users should have at least one authentication method (e.g., phone number, email address, authenticator app) registered in Azure AD.

Audit:

  1. Sign in to the Azure portal as a Global Administrator or Security Administrator.

  2. Navigate to Microsoft Entra ID > Security > Authentication methods > Security info.

  3. Ensure that 'Number of days before users are asked to reconfirm their authentication information' is configured to a value greater than 0.

Implementation Steps (Manual):

  1. Sign in to the Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • In the Azure portal, go to Microsoft Entra ID (Azure Active Directory).

  3. Go to Security Info Settings:

    • Under Security, select Authentication methods.

    • Then, go to Security info.

  4. Modify Reconfirmation Interval:

    • In the Security info pane, locate the setting for 'Number of days before users are asked to reconfirm their authentication information'.

    • Set this value to a reasonable number of days (e.g., 180 days or 365 days).

  5. Save the Configuration:

    • After setting the appropriate value, click Save to apply the changes.

  6. Verify the Setting:

    • After saving, ensure that users are prompted to reconfirm their authentication information after the set number of days.

    • Perform a test by accessing a user account and verifying that they are prompted for reconfirmation if their last confirmation was beyond the set threshold.

  7. Communicate the Policy to Users:

    • Notify users about the new policy and encourage them to keep their authentication methods up to date, especially if they rely on these methods for account recovery.

  8. Monitor and Review:

    • Use Azure AD logs to monitor how often users are being asked to reconfirm their authentication information.

    • Set up Azure Monitor alerts to notify administrators if there are issues with the authentication reconfirmation process.
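The audit (step 3 above) and the remediation and verification steps (4 to 6) can also be performed with the Microsoft Graph PowerShell SDK instead of the portal. The following script is an added example, not part of the original page; it assumes the portal setting corresponds to the reconfirmationInDays property of the authenticationMethodsPolicy resource in Microsoft Graph, and that the Microsoft.Graph module is installed.

```powershell
# Added example: audit and optionally remediate the reconfirmation interval via Graph.
# Assumption: the portal setting maps to reconfirmationInDays on
# /policies/authenticationMethodsPolicy.
param(
    [int]$DesiredDays = 180,   # value to enforce; pass 0 with -Remediate to back out
    [switch]$Remediate         # without this switch the script only audits
)

# The read-only scope is enough for the audit; the write scope is needed only to change it.
$scopes = if ($Remediate) { 'Policy.ReadWrite.AuthenticationMethod' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy'

function Get-ReconfirmationDays {
    # Invoke-MgGraphRequest returns the policy as a hashtable by default.
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri
    return [int]$policy.reconfirmationInDays
}

$current = Get-ReconfirmationDays
if ($current -gt 0) {
    Write-Output "PASS: reconfirmation interval is $current day(s)."
} else {
    Write-Output "FAIL: reconfirmation interval is 0; users are never asked to reconfirm."
}

if ($Remediate -and $current -ne $DesiredDays) {
    # PATCH only this one property so the other authentication method settings are untouched.
    $body = @{ reconfirmationInDays = $DesiredDays }
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'

    # Re-read the policy to confirm the change was applied (verification step).
    $after = Get-ReconfirmationDays
    Write-Output "Reconfirmation interval changed from $current to $after day(s)."
}
```

Running the script without -Remediate is a non-destructive audit; running it with -Remediate -DesiredDays 0 performs the backout described below.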

Backout Plan (Manual):

  1. Sign in to the Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • Go to Microsoft Entra ID (Azure Active Directory) > Security > Authentication methods > Security info.

  3. Revert the Setting to '0' (if needed):

    • In the Security info pane, change the 'Number of days before users are asked to reconfirm their authentication information' back to 0 to stop the periodic reconfirmation prompts.

  4. Save the Configuration:

    • Click Save to apply the changes.

  5. Test the Reverted Configuration:

    • Verify that users are no longer prompted to update their authentication information on a periodic basis after setting the interval to 0.

  6. Monitor for Impact:

    • Ensure that the lack of periodic reconfirmation does not impact the ability to recover accounts or pose a security risk in your environment.

References: