lacework-global-503
1.8 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' (Manual)
Profile Applicability
• Level 1
Description
Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.
Rationale
This setting is necessary if you have setup 'Require users to register when signing in option'. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user changes, such as a phone number or email, then the password reset information for that user reverts to the previously registered authentication information.
Impact
Users will be prompted for their multifactor authentication at the duration set here.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active Directory
- Then
Users
- Select
Password reset
- Then
Registration
- Ensure that
Number of days before users are asked to re-confirm their authentication information
is not set to0
Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active Directory
- Then
Users
- Select
Password reset
- Then
Registration
- Set the
Number of days before users are asked to re-confirm their authentication information
to your organization-defined frequency.
Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.
References
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#registration
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods