Ensure that two alternate forms of user identification are provided before allowing a password reset for your Microsoft Microsoft Entra ID. A user password can be successfully reset when at least the number of methods required for the password reset, configured in Microsoft Entra ID settings, is provided.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
Security Enabling dual identification before allowing a password reset in your Microsoft Entra ID account enhances access security by ensuring that the user identity is confirmed by two separate forms of identification such as email and SMS. When the number of methods required to reset a user password is set to 2 (two), an attacker would need to compromise both the identity forms configured, before he or she could maliciously reset an Microsoft Entra ID user password.
Audit
To determine if at least two methods of identification are configured for Microsoft Entra ID user password reset, perform the following actions:
Note: Retrieving the number of methods required for Microsoft Entra ID user password reset using Microsoft Graph API or Azure CLI is not currently supported.Remediation / Resolution
To configure the number of alternate methods of identification that Microsoft Entra ID users must have in order to reset their passwords, perform the following actions:
Note: Configuring the number of methods required for Microsoft Entra ID user password reset using Microsoft Graph API or Azure CLI is not currently supported.