Ensure that two alternate forms of user identification are provided before allowing a password reset for your Microsoft Azure Active Directory (AD). A user password can be successfully reset when at least the number of methods required for the password reset, configured in Azure Active Directory settings, is provided.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure
Security Enabling dual identification before allowing a password reset in your Azure Active Directory account enhances access security by ensuring that the user identity is confirmed by two separate forms of identification such as email and SMS. When the number of methods required to reset a user password is set to 2 (two), an attacker would need to compromise both the identity forms configured, before he or she could maliciously reset an Azure AD user password.
Audit
To determine if at least two methods of identification are configured for Azure AD user password reset, perform the following actions:
Note: Retrieving the number of methods required for Active Directory user password reset using Microsoft Graph API or Azure CLI is not currently supported.Remediation / Resolution
To configure the number of alternate methods of identification that Azure Active Directory (AD) users must have in order to reset their passwords, perform the following actions:
Note: Configuring the number of methods required for Active Directory user password reset using Microsoft Graph API or Azure CLI is not currently supported.References
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
for and
You are auditing:
Enable Dual Identification for Password Reset
Risk level: Medium