Ensure that Azure Active Directory (AD) global administrators receive an email at their primary email address notifying them whenever another administrator resets their password using the Azure AD Self-Service Password Reset (SSPR) portal. When the "Notify all admins when other admins reset their password?" setting is set to "Yes", all Azure AD global administrators receive an email notification alerting them that another administrator has changed their password via SSPR.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
When Azure Active Directory detects password reset activity for an administrator account, email notifications are sent to all administrators so that these privileged users can confirm whether the reset fits the expected pattern for their group. For example, if your organization's password policy requires all administrator passwords to be changed every 30 days, a reset detected before that interval has elapsed should be treated as unusual activity, and the administrators should confirm where it originated and that it was authorized.
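The rationale above (a reset that arrives sooner than the rotation interval deserves a second look) can be turned into a simple check over the directory's audit events. The script below is an added example and is not code from the Cloud Conformity page or tool; the record layout, the field names (activityDisplayName, targetUserPrincipalName, activityDateTime), the administrator list and the sample events are all constructed assumptions that imitate Azure AD audit-log entries, not a contract of the real API. It generalizes the page's 30-day example to any rotation interval.

```python
"""Flag self-service password resets for administrator accounts that occur
earlier than the organisation's password-rotation interval.

Added example, not part of the Cloud Conformity page or tool. The record
layout and the sample events below are constructed imitations of Azure AD
audit-log entries; the field names are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Assumption: the organisation rotates administrator passwords every 30 days
# (the interval used in the page's own example).
ROTATION_INTERVAL = timedelta(days=30)

# Assumption: privileged accounts to watch. In practice this would be derived
# from directory role membership rather than hard-coded.
ADMIN_UPNS = {"alice.admin@contoso.example", "bob.admin@contoso.example"}

# Constructed sample events imitating Azure AD audit-log entries.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-01-01T09:00:00Z",
     "activityDisplayName": "Reset password (self-service)",
     "targetUserPrincipalName": "alice.admin@contoso.example"},
    {"activityDateTime": "2024-01-31T09:00:00Z",   # exactly 30 days later: on schedule
     "activityDisplayName": "Reset password (self-service)",
     "targetUserPrincipalName": "alice.admin@contoso.example"},
    {"activityDateTime": "2024-02-05T22:15:00Z",   # 5 days later: early, flagged
     "activityDisplayName": "Reset password (self-service)",
     "targetUserPrincipalName": "alice.admin@contoso.example"},
    {"activityDateTime": "2024-02-06T10:00:00Z",   # non-admin account: ignored
     "activityDisplayName": "Reset password (self-service)",
     "targetUserPrincipalName": "carol.user@contoso.example"},
    {"activityDateTime": "2024-02-07T10:00:00Z",   # different activity: ignored
     "activityDisplayName": "Update user",
     "targetUserPrincipalName": "bob.admin@contoso.example"},
]


def parse_time(value):
    """Parse the UTC 'Z' timestamp format used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def early_admin_resets(events, admin_upns=ADMIN_UPNS, interval=ROTATION_INTERVAL):
    """Return (upn, reset_time, days_since_previous) for every administrator
    self-service reset that happens sooner than `interval` after that
    account's previous self-service reset.

    The first reset observed for an account has no baseline and is never
    flagged; resets exactly `interval` apart are treated as on schedule.
    """
    last_reset = {}
    flagged = []
    # Timestamps share one fixed-width UTC format, so string order is time order.
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if ev["activityDisplayName"] != "Reset password (self-service)":
            continue
        upn = ev["targetUserPrincipalName"].lower()
        if upn not in admin_upns:
            continue
        when = parse_time(ev["activityDateTime"])
        prev = last_reset.get(upn)
        if prev is not None and when - prev < interval:
            flagged.append((upn, when, (when - prev).days))
        last_reset[upn] = when
    return flagged


if __name__ == "__main__":
    for upn, when, days in early_admin_resets(SAMPLE_EVENTS):
        print(f"UNUSUAL: {upn} reset via SSPR at {when.isoformat()} "
              f"only {days} day(s) after the previous reset")
```

The check deliberately keys on the previous self-service reset for the same account rather than on a fixed calendar, so a legitimately early reset (for example after a suspected compromise) still shows up and has to be explained, which is exactly what the notification email asks administrators to do.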
To determine if Azure Active Directory (AD) administrators are notified on password resets, perform the following actions:
Note: Getting the email alert configuration for Azure AD administrator password resets using the Microsoft Graph API or Azure CLI is not currently supported.
Remediation / Resolution
To enable notification alerts for Azure Active Directory (AD) administrator password resets, perform the following actions:
Enable Notifications for Administrator Password Resets
Risk level: High