
Number Of Methods Required To Reset Password

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ActiveDirectory-005

Ensure that two alternate forms of user identification are required before a password reset is allowed in your Microsoft Entra ID tenant. A user password can be successfully reset only when the user provides at least the number of verification methods configured in the Microsoft Entra ID password reset settings.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Requiring dual identification before allowing a password reset in your Microsoft Entra ID tenant strengthens access security by ensuring that the user's identity is confirmed through two separate forms of identification, such as email and SMS. When the number of methods required to reset a user password is set to 2 (two), an attacker would need to compromise both configured identification channels before being able to maliciously reset a Microsoft Entra ID user password.


Audit

To determine if at least two methods of identification are configured for Microsoft Entra ID user password reset, perform the following actions:

Note: Retrieving the number of methods required for Microsoft Entra ID user password reset using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access the password reset configuration settings available for Microsoft Entra ID users.

05 In the navigation panel, select Authentication methods.

06 On the Authentication methods settings page, check the Number of methods required to reset configuration value. If this value is not set to 2, the number of methods required for user password reset is not compliant, and dual identification for password reset is therefore not enabled for your Microsoft Entra ID users.

07 Repeat steps no. 3 – 6 for each Microsoft Entra ID tenant that you want to examine.

Remediation / Resolution

To configure the number of alternate methods of identification that Microsoft Entra ID users must have in order to reset their passwords, perform the following actions:

Note: Configuring the number of methods required for Microsoft Entra ID user password reset using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access the password reset configuration settings available for Microsoft Entra ID users.

05 In the blade navigation panel, select Authentication methods.

06 On the Authentication methods configuration page, select 2 for the Number of methods required to reset setting, so that users must provide at least two forms of identification before their password can be reset.

07 For Methods available to users, select at least two identification methods (e.g. Email and Mobile phone (SMS only)) as alternate methods of user identification necessary during password reset.

08 Click Save to apply the configuration changes. If successful, the following confirmation message should be displayed: "Password reset policy saved. Changes to password reset policy were saved successfully".

09 Repeat steps no. 3 – 8 for each Microsoft Entra ID tenant that you want to reconfigure in order to enable dual identification for user password reset.

Publication date Aug 30, 2019