Enable Authentication Reconfirmation

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ActiveDirectory-006

Ensure that the number of days before Microsoft Azure Active Directory (AD) users are asked to re-confirm their authentication information is not set to 0 (zero) in order to enforce them to reconfirm their authentication details regularly.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

The "Number of days before users are asked to re-confirm their authentication information" represents the period of time, up to a maximum of 730 days, before AD registered users are prompted to reconfirm their existing authentication details to make sure that these are still valid. If authentication reconfirmation is disabled, i.e. set to zero days, the Active Directory users will never be prompted to reconfirm their existing authentication information. If one or more authentication details set for an AD user changes, the password reset information for that user reverts to the previously registered authentication information.


Audit

To determine the number of days before users are asked to reconfirm their authentication details, perform the following actions:

Note: Verifying user authentication information reconfirmation configuration using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access the password reset configuration settings available for Active Directory users.

05 In the blade navigation panel, select Registration.

06 On the Registration configuration page, check the value (integer) set for the Number of days before users are asked to re-confirm their authentication information setting. If the verified configuration value is 0, the authentication information reconfirmation for Active Directory users is not enabled within the AD password reset policy.

07 Repeat steps no. 3 – 6 for each Azure Active Directory that you want to examine.

Remediation / Resolution

To enforce authentication information reconfirmation for Microsoft Azure Active Directory users, perform the following actions:

Note: Enabling AD user authentication information reconfirmation using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users to access the panel with the AD users.

04 Under All users, select Password reset to access the password reset configuration settings available for Active Directory users.

05 In the blade navigation panel, select Registration.

06 On the Registration settings page, enter the period of time (up to 730 days) before your AD registered users are prompted to reconfirm their existing authentication in the Number of days before users are asked to re-confirm their authentication information box.

07 Click Save to apply the configuration changes. Once the changes are saved, the following message should be displayed: "Password reset policy saved. Changes to password reset policy were saved successfully".

08 Click Save to apply the configuration changes. If successful, the following confirmation message should be displayed: "Password reset policy saved. Changes to password reset policy were saved successfully".

09 Repeat steps no. 3 – 7 for each Microsoft Azure Active Directory that you want to reconfigure in order to enable user authentication information reconfirmation.

References

Publication date Aug 30, 2019

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Enable Authentication Reconfirmation

Risk level: Medium