Trend Micro Cloud One™

Enable Dual Identification for Password Reset

Risk level: Medium (should be achieved)
Rule ID: ActiveDirectory-005

Ensure that two alternate forms of user identification are required before a password reset is allowed in your Microsoft Azure Active Directory (AD). A user password can be reset only when the user supplies at least the number of methods required for the password reset, as configured in the Azure Active Directory settings.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Enabling dual identification before allowing a password reset in your Azure Active Directory account enhances access security by ensuring that the user's identity is confirmed through two separate forms of identification, such as email and SMS. When the number of methods required to reset a user password is set to 2 (two), an attacker would need to compromise both configured identification methods before being able to maliciously reset an Azure AD user password.

Audit

To determine if at least two methods of identification are configured for Azure AD user password reset, perform the following actions:

Note: Retrieving the number of methods required for Active Directory user password reset using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to the Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access the password reset configuration settings available for Active Directory users.

05 In the navigation panel, select Authentication methods.

06 On the Authentication methods settings page, check the Number of methods required to reset configuration value. If this value is not set to 2, the number of methods required for user password reset is not compliant, and dual identification for password reset is therefore not enabled for your Microsoft Azure Active Directory users.

07 Repeat steps no. 3 – 6 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

To configure the number of alternate methods of identification that Azure Active Directory (AD) users must have in order to reset their passwords, perform the following actions:

Note: Configuring the number of methods required for Active Directory user password reset using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to the Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access the password reset configuration settings available for Active Directory users.

05 In the blade navigation panel, select Authentication methods.

06 On the Authentication methods configuration page, select 2 for the Number of methods required to reset setting, so that users must provide at least two methods of identification to reset their password.

07 For Methods available to users, select at least two identification methods (e.g. Email and Mobile phone (SMS only)) as the alternate methods of user identification required during password reset.

08 Click Save to apply the configuration changes. If successful, the following confirmation message should be displayed: "Password reset policy saved. Changes to password reset policy were saved successfully".

09 Repeat steps no. 3 – 8 for each Microsoft Azure Active Directory that you want to reconfigure in order to enable dual identification for user password reset.

Publication date Aug 30, 2019
