Logo of Trend Micro

Enable Notifications for User Password Resets

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ActiveDirectory-007

Ensure that Active Directory users receive emails on their primary and alternate email addresses notifying them when their own password has been reset through the Azure AD Self-Service Password Reset (SSPR) portal.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Email notifications for Azure AD user password reset represents a passive way of confirming password reset activity. This method helps you and other users within your organization to recognize unauthorized password resets. Once "Notify users on password resets" feature is enabled, all Active Directory users that are resetting their password receive an email notifying them that their password has been changed.

Audit

To determine if "Notify users on password resets" feature is enabled in the Active Directory SSPR portal, perform the following actions:

Note: Retrieving email notifications configuration for Active Directory user password resets using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access Azure Active Directory password reset configuration settings.

05 In the blade navigation panel, select Notifications.

06 On the Notifications configuration panel, check the Notify users on password resets? setting value. If this value is set to No, "Notify users on password resets" feature is not currently enabled, thus Azure Active Directory (AD) users do not receive email notifications for their password reset activity.

07 Repeat steps no. 3 – 6 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

To enable email notifications for Active Directory (AD) user password resets using the Azure Self-Service Password Reset (SSPR) portal, perform the following actions:

Note: Enabling notification alerts for AD user password resets using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access Azure Active Directory password reset configuration settings.

05 In the navigation panel, select Notifications.

06 On the Notifications configuration panel, select Yes under Notify users on password resets? to enable the feature.

07 Click Save to apply the configuration changes. Once saved, the following message should be displayed: "Password reset policy saved. Changes to password reset policy were saved successfully". With "Notify users on password resets" feature enabled, an email is sent via the SSPR portal to your defined primary and secondary email addresses for each password reset.

08 Repeat steps no. 3 – 7 for each Microsoft Azure Active Directory that you want to reconfigure in order to enable email notifications for user password resets.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Notifications for User Password Resets

Risk level: Medium