Description:

The 'Notify all admins when other admins reset their password?' setting in Microsoft Entra ID (formerly Azure Active Directory) ensures that all administrator accounts are notified whenever another administrator's password is reset. This setting is crucial for maintaining oversight and accountability within your organization's admin accounts. By enabling this feature, administrators will receive notifications when their colleagues' passwords are reset, providing an additional layer of visibility and helping to detect any unauthorized or suspicious password changes.

This transparency makes admin-level password changes visible and auditable, which matters most in larger organizations or those with strict compliance requirements.

Rationale:

Enabling notifications for admin password resets:

  • Enhances security: Provides transparency by alerting all administrators about password resets, ensuring that no admin account is reset without oversight.

  • Detects unauthorized activity: If a password reset is performed on an admin account without proper justification, this notification helps administrators quickly spot potential unauthorized changes.

  • Supports auditing and accountability: Ensures that all admin password resets are tracked, making it easier to maintain an audit trail for security and compliance purposes.

Impact:

Setting 'Notify all admins when other admins reset their password?' to 'Yes':

  • Improves visibility and transparency by ensuring that all admins are notified whenever another admin’s password is reset.

  • Increases awareness of changes to privileged accounts, which could prevent potential unauthorized access or actions.

  • Requires more administrative attention, since every admin user receives a notification for every admin password reset, which increases the volume of alerts to review.

Default Value:

By default, Microsoft Entra ID may not notify admins when another admin's password is reset. The setting must be configured explicitly to ensure admins are notified.

Pre-requisites:

  • Azure subscription with Microsoft Entra ID (Azure AD) configured.

  • Global Administrator or Security Administrator role permissions to configure password reset settings.

  • Admin accounts that are subject to password reset notifications.

Audit:

  1. Sign in to Azure portal as a Global Administrator or Security Administrator.

  2. Navigate to Microsoft Entra ID > Security > Authentication methods > Password reset.

  3. Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • In the Azure portal, go to Azure Active Directory.

  3. Go to Password Reset Settings:

    • Under Security, select Authentication methods.

    • In the Authentication methods pane, select Password reset.

  4. Enable Admin Password Reset Notifications:

    • In the Password reset pane, locate the option 'Notify all admins when other admins reset their password?'.

    • Set this option to 'Yes' to ensure that all administrators are notified whenever another admin password is reset.

  5. Save the Configuration:

    • After setting the option to 'Yes', click Save to apply the changes.

  6. Verify the Setting:

    • After saving the configuration, perform a password reset on an admin account and verify that other admin accounts receive the notification email about the password reset.

  7. Test the Notification:

    • Test by resetting the password of a test admin account and ensuring that all other admin users receive a notification email. Verify that the email contains relevant information about the password reset event.

  8. Communicate the Policy to Administrators:

    • Inform all admin users about the new policy, ensuring they understand that they will be notified whenever an admin password is reset.

  9. Monitor and Review:

    • Use Microsoft Entra ID audit logs to confirm that admin password reset events are being recorded and that the corresponding notifications are reaching the other admins.

    • Set up Azure Monitor alerts for password reset events to track and manage admin account changes.
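As an added example for the monitoring step above (not part of this benchmark text), the following Log Analytics query can back an Azure Monitor scheduled-query alert rule for password resets that target privileged accounts. It assumes that Entra ID audit logs are exported to a Log Analytics workspace (the AuditLogs table), that the admin UPN list is a placeholder you maintain, and that the OperationName strings are verified against your own tenant's audit log.

```kql
// Added example (not from the benchmark): alert query for admin password resets.
// Assumptions: Entra ID audit logs stream to Log Analytics (AuditLogs table);
// AdminAccounts is a placeholder list you maintain (a Sentinel watchlist can
// replace it); verify the OperationName values against your tenant's audit log.
let AdminAccounts = dynamic([
    "admin1@contoso.example",      // placeholder UPN
    "breakglass@contoso.example"   // placeholder UPN
]);
let ResetOperations = dynamic([
    "Reset password (by admin)",
    "Reset user password"
]);
AuditLogs
| where TimeGenerated > ago(1h)                // alert evaluation window
| where OperationName in~ (ResetOperations)
| mv-expand Target = TargetResources
| extend TargetUpn = tostring(Target.userPrincipalName)
| where TargetUpn in~ (AdminAccounts)          // only resets that hit admin accounts
| extend Actor = coalesce(
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
| extend SelfReset = (Actor =~ TargetUpn)      // an admin resetting their own password
| project TimeGenerated, OperationName, Result, Actor, TargetUpn, SelfReset, CorrelationId
| order by TimeGenerated desc
```

Attach the query to an alert rule that fires when the result count is greater than 0; each hit can then be reconciled against the notification email the other admins should have received.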

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • Go to Azure Active Directory > Security > Authentication methods > Password reset.

  3. Disable Admin Password Reset Notifications:

    • In the Password reset settings, change 'Notify all admins when other admins reset their password?' to 'No'.

  4. Save the Configuration:

    • Click Save to apply the changes and stop the notifications from being sent.

  5. Test the Reverted Configuration:

    • Perform a password reset for an admin account and ensure that no notifications are sent to other admins.

References: