Trend Micro Cloud One™

Enable Notifications for Administrator Password Resets

Risk level: High (should be achieved)
Rule ID: ActiveDirectory-008

Ensure that Active Directory global administrators receive emails at their primary email address notifying them when other administrators reset their password using the Azure AD Self-Service Password Reset (SSPR) portal. When the "Notify all admins when other admins reset their password?" setting is set to "Yes", all AD administrators receive email notifications alerting them that another administrator has changed their password via the SSPR.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

When Azure Active Directory detects password reset activity for admin users, email notifications are sent to all administrators so that these privileged users can passively confirm whether such a reset is a common pattern within their group. For example, if your organization's password policy requires all administrator passwords to be changed every 30 days, any password reset activity detected before that may require the administrator(s) to evaluate it as unusual activity and confirm its origin in order to ensure that the reset action is authorized.
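
The same early-reset review can be run over exported audit records. The following Python is an added example, not part of the original page or of Cloud Conformity tooling; it flags administrator self-service resets that occur sooner than the rotation interval after that administrator's previous reset. The record layout, field names, activity name and account names are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

SSPR_ACTIVITY = "Reset password (self-service)"  # assumed audit activity name


def _event(ts, upn, activity=SSPR_ACTIVITY, result="success"):
    """Build one constructed audit record (field names are assumptions)."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "result": result,
        "initiatedBy": {"user": {"userPrincipalName": upn}},
    }


# Constructed sample data, not real log output.
ADMINS = {"admin.a@example.com", "admin.b@example.com"}
SAMPLE_EVENTS = [
    _event("2019-06-01T09:00:00Z", "admin.a@example.com"),
    _event("2019-06-02T10:00:00Z", "admin.b@example.com"),
    _event("2019-06-12T03:14:00Z", "Admin.A@example.com"),  # under 11 days later
    _event("2019-06-15T08:00:00Z", "user.x@example.com"),   # not an admin
    _event("2019-06-20T08:00:00Z", "admin.b@example.com", result="failure"),
    _event("2019-07-02T10:00:00Z", "admin.b@example.com"),  # exactly 30 days
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def early_admin_resets(events, admins, rotation_days=30):
    """Return (upn, timestamp, whole days since previous reset) per finding."""
    admins = {a.lower() for a in admins}
    last_reset = {}  # upn -> time of the most recent successful reset
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["activityDateTime"])):
        upn = ev["initiatedBy"]["user"]["userPrincipalName"].lower()
        if (ev["activityDisplayName"] != SSPR_ACTIVITY
                or ev["result"] != "success" or upn not in admins):
            continue  # only successful admin self-service resets count
        when = parse_ts(ev["activityDateTime"])
        previous = last_reset.get(upn)
        if previous is not None and when - previous < timedelta(days=rotation_days):
            findings.append((upn, ev["activityDateTime"], (when - previous).days))
        last_reset[upn] = when
    return findings


if __name__ == "__main__":
    for upn, when, gap in early_admin_resets(SAMPLE_EVENTS, ADMINS):
        print(f"review: {upn} reset at {when}, {gap} days after previous reset")
```

The first reset seen for each administrator only sets the baseline, so the export should cover at least one full rotation interval.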

Audit

To determine if Active Directory (AD) administrators are notified on password resets, perform the following actions:

Note: Getting the email alert configuration for Active Directory admin password resets using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access Azure Active Directory password reset configuration settings.

05 In the navigation panel, select Notifications.

06 On the Notifications configuration panel, verify the Notify all admins when other admins reset their password? setting value. If this value is set to No, the "Notify all admins when other admins reset their password" feature is not enabled, and therefore Azure Active Directory admins do not receive email alerts when other administrators reset their own passwords.

07 Repeat steps no. 3 – 6 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

To enable notification alerts for Active Directory (AD) administrator password resets, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access Azure Active Directory password reset configuration settings.

05 In the blade navigation panel, select Notifications.

06 On the Notifications configuration panel, select Yes under Notify all admins when other admins reset their password? to enable the feature.

07 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Password reset policy saved. Changes to password reset policy were saved successfully". Once the "Notify all admins when other admins reset their password" feature is enabled, all global administrators should receive email notifications when other administrators reset their own passwords using the Self-Service Password Reset (SSPR) portal. For example, if your Azure AD account has three administrators A, B and C, when admin A resets their password using the SSPR, admins B and C should receive an email alerting them of the password reset performed by admin A.

08 Repeat steps no. 3 – 7 for each Microsoft Azure Active Directory that you want to reconfigure in order to enable email notifications for administrator password resets.

Publication date Aug 30, 2019
