Enable Dual Identification for Password Reset

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ActiveDirectory-005

Ensure that users must provide two alternate forms of identification before they are allowed to reset their password in your Microsoft Azure Active Directory (AD). A password reset only succeeds once the user has completed at least the number of verification methods that the Azure Active Directory password reset settings require.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Requiring dual identification before a password reset in your Azure Active Directory account strengthens access security by confirming the user's identity through two separate forms of identification, such as email and SMS. When the number of methods required to reset a user password is set to 2 (two), an attacker would have to compromise both configured identity forms before being able to maliciously reset an Azure AD user password.


Audit

To determine if at least two methods of identification are configured for Azure AD user password reset, perform the following actions:

Note: Retrieving the number of methods required for Active Directory user password reset using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access the password reset configuration settings available for Active Directory users.

05 In the navigation panel, select Authentication methods.

06 On the Authentication methods settings page, check the Number of methods required to reset configuration value. If this value is not set to 2, the number of methods required for user password reset is not compliant, therefore dual identification for password reset is not enabled for your Microsoft Azure Active Directory users.

07 Repeat steps no. 3 – 6 for each Microsoft Azure Active Directory that you want to examine.

Remediation / Resolution

To configure the number of alternate methods of identification that Azure Active Directory (AD) users must have in order to reset their passwords, perform the following actions:

Note: Configuring the number of methods required for Active Directory user password reset using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Active Directory (AD) blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select Password reset to access the password reset configuration settings available for Active Directory users.

05 In the blade navigation panel, select Authentication methods.

06 On the Authentication methods configuration page, select 2 for the Number of methods required to reset setting, so that users must complete at least two methods of identification before a password reset is allowed.

07 For Methods available to users, select at least two identification methods (e.g. Email and Mobile phone (SMS only)) as alternate methods of user identification necessary during password reset.

08 Click Save to apply the configuration changes. If successful, the following confirmation message should be displayed: "Password reset policy saved. Changes to password reset policy were saved successfully".

09 Repeat steps no. 3 – 8 for each Microsoft Azure Active Directory that you want to reconfigure in order to enable dual identification for user password reset.

Publication date Aug 30, 2019