Skip to main content

lacework-global-501

1.6 Ensure That 'Number of methods required to reset' is set to '2' (Manual)

Profile Applicability

• Level 1

Description

Ensures that two alternate forms of identification are provided before allowing a password reset.

Rationale

A Self-service Password Reset (SSPR) through Azure Multi-factor Authentication (MFA) ensures the user's identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user's password.

Impact

There may be administrative overhead, as users who lose access to their secondary authentication methods will need an administrator with permissions to remove it. There will also need to be organization-wide security policies and training to teach administrators to verify the identity of the requesting user so that social engineering can not render this setting useless.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Then Users
  4. Select Password reset
  5. Then Authentication methods
  6. Ensure that Number of methods required to reset is set to 2

Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Then Users
  4. Select Password reset
  5. Then Authentication methods
  6. Set the Number of methods required to reset to 2

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.

References

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-faq#password-reset-registration
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods