Description:

The 'Notify users on password resets?' setting in Microsoft Entra ID (formerly Azure Active Directory) determines whether users should receive an email notification when their password is reset. Enabling this feature ensures that users are promptly informed whenever a password reset occurs, which is a critical security measure to alert users about potential unauthorized changes to their accounts.

By setting this option to 'Yes', users will receive an email notification when a password reset is successfully completed, helping them identify if an unauthorized password change was made and enabling them to take appropriate action (e.g., changing the password or notifying the administrator).

Rationale:

Notifying users about password resets helps:

  • Increase security: It allows users to detect unauthorized password resets early, preventing attackers from gaining prolonged access to the account.

  • Enable faster response: If an unauthorized reset is detected, users can quickly change their password or take action to protect their account.

  • Ensure user awareness: It ensures users are aware of any changes to their account credentials, whether initiated by themselves or an administrator.

  • Meet security best practices: It's a standard security best practice to alert users about sensitive account changes like password resets.

Impact:

Setting 'Notify users on password resets?' to 'Yes' will:

  • Improve security by alerting users to changes in their password and allowing them to react quickly to unauthorized access.

  • Provide a better user experience by ensuring users are aware of actions taken on their accounts.

  • Increase operational efficiency as users will know when a reset is performed, reducing the number of helpdesk requests related to password resets.

  • Potentially increase email traffic, as users will receive notifications every time their password is reset, but the added security benefit outweighs this.

Default Value:

By default, Microsoft Entra ID does not necessarily send email notifications for password resets. The setting must be configured explicitly to ensure users are notified.

Pre-requisites:

  • Azure subscription with Microsoft Entra ID (Azure AD) configured.

  • Global Administrator or Security Administrator role permissions to modify password reset settings.

  • Users must have a valid email address registered in their Azure AD profile to receive notifications.

Audit:

  1. Sign in to Azure portal as a Global Administrator or Security Administrator.

  2. Navigate to Microsoft Entra ID > Security > Authentication methods > Password reset.

  3. Ensure that 'Notify users on password resets?' is set to 'Yes'.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • In the Azure portal, go to Azure Active Directory.

  3. Go to Password Reset Settings:

    • Under Security, select Authentication methods.

    • In the Authentication methods pane, select Password reset.

  4. Enable Password Reset Notifications:

    • In the Password reset settings, find the option 'Notify users on password resets?'.

    • Set the option to 'Yes' to enable email notifications for users when their passwords are reset.

  5. Save the Configuration:

    • After setting the option to 'Yes', click Save to apply the changes.

  6. Verify the Setting:

    • After saving, verify that users receive an email notification whenever a password reset occurs by performing a password reset as an administrator and ensuring the user receives the email.

  7. Test the Notification:

    • To test the configuration, initiate a password reset for a test user and confirm that the user receives a notification about the reset.

  8. Monitor and Review:

    • Use the Microsoft Entra ID (Azure AD) audit logs to monitor password reset events and verify that notifications are being sent correctly.

    • Set up alerts in Azure Monitor for failed password reset attempts to improve monitoring.

  9. Communicate to Users:

    • Inform users that they will now receive email notifications when their passwords are reset, ensuring they know to check their inbox in case of unauthorized resets.
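The monitoring step above (step 8) is where an administrator confirms, from the tenant side, which resets the notification email should have covered. The following is an added example, not part of this benchmark text and not Microsoft code: it parses audit records in the JSON shape that the Microsoft Graph directory audit export uses (activityDisplayName, activityDateTime, initiatedBy, targetResources, result) and separates successful resets performed by someone other than the account owner, which are the cases where the 'Notify users on password resets?' email is the user's only signal. The records, user names and the activity names used for matching are constructed for illustration and should be checked against your own tenant's export.

```python
"""Review Entra ID directory audit records for password reset events.

Added example for the monitoring step of this benchmark item; the sample
records below are constructed, and the field names follow the Microsoft
Graph directoryAudit shape (an assumption to verify against a real export).
"""
import json
from dataclasses import dataclass

# Constructed sample export: one admin reset, one self-service reset,
# one failed admin reset, and one unrelated directory change.
SAMPLE_AUDIT_EXPORT = json.dumps([
    {
        "activityDateTime": "2024-05-01T09:12:00Z",
        "activityDisplayName": "Reset password (by admin)",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"userPrincipalName": "alice@contoso.example"}],
    },
    {
        "activityDateTime": "2024-05-01T10:30:00Z",
        "activityDisplayName": "Reset password (self-service)",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
        "targetResources": [{"userPrincipalName": "bob@contoso.example"}],
    },
    {
        "activityDateTime": "2024-05-01T11:05:00Z",
        "activityDisplayName": "Reset password (by admin)",
        "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"userPrincipalName": "carol@contoso.example"}],
    },
    {
        "activityDateTime": "2024-05-01T11:40:00Z",
        "activityDisplayName": "Update user",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"userPrincipalName": "dave@contoso.example"}],
    },
])


@dataclass
class ResetEvent:
    when: str
    activity: str
    actor: str
    target: str
    success: bool
    admin_initiated: bool


def parse_reset_events(raw_json: str) -> list[ResetEvent]:
    """Keep only password-related audit records and normalise the actors.

    Matching on the word 'password' in activityDisplayName is an assumption
    that keeps the example independent of the exact activity names a
    tenant emits; tighten it once you have seen your own export.
    """
    events: list[ResetEvent] = []
    for rec in json.loads(raw_json):
        activity = rec.get("activityDisplayName", "")
        if "password" not in activity.lower():
            continue  # unrelated directory change
        initiated = rec.get("initiatedBy", {}) or {}
        user = initiated.get("user") or {}
        app = initiated.get("app") or {}
        # Resets can be initiated by a user or by an application identity.
        actor = user.get("userPrincipalName") or app.get("displayName") or "<unknown>"
        targets = [
            t.get("userPrincipalName")
            for t in rec.get("targetResources", [])
            if t.get("userPrincipalName")
        ]
        target = targets[0] if targets else "<unknown>"
        events.append(ResetEvent(
            when=rec.get("activityDateTime", ""),
            activity=activity,
            actor=actor,
            target=target,
            success=rec.get("result") == "success",
            admin_initiated=actor.lower() != target.lower(),
        ))
    return events


def resets_needing_followup(events: list[ResetEvent]) -> list[ResetEvent]:
    """Successful resets performed by someone other than the account owner.

    Each of these should correspond to a notification email received by the
    target user; anything the user did not expect is worth a conversation.
    """
    return [e for e in events if e.success and e.admin_initiated]


if __name__ == "__main__":
    found = parse_reset_events(SAMPLE_AUDIT_EXPORT)
    for e in resets_needing_followup(found):
        print(f"{e.when} {e.activity}: {e.actor} reset {e.target} - confirm notification was received")
```

In practice the input would be the JSON returned by a directory audit export rather than the constructed list; the two functions do not depend on how the records were obtained.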

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • Go to Azure Active Directory > Security > Authentication methods > Password reset.

  3. Disable Password Reset Notifications:

    • In the Password reset settings, find the option 'Notify users on password resets?'.

    • Set the option to 'No' to disable email notifications for users when their passwords are reset.

  4. Save the Configuration:

    • After changing the setting to 'No', click Save to apply the changes.

  5. Test the Reverted Configuration:

    • Perform a password reset and verify that the user no longer receives a notification email.

References: