lacework-global-504
1.9 Ensure that 'Notify users on password resets?' is set to 'Yes' (Manual)
Profile Applicability
• Level 1
Description
Ensure that users are notified at their primary and secondary email addresses when their password is reset.
Rationale
User notification on password reset is a passive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.
Impact
Users will receive emails at both their primary and secondary email addresses alerting them to password changes.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select Azure Active Directory
- Select Users
- Go to Password reset
- Go to Notification
- Ensure that 'Notify users on password resets?' is set to 'Yes'
Please note that at this point in time, there is no API/CLI mechanism available to programmatically conduct a security assessment for this recommendation.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select Azure Active Directory
- Select Users
- Select Password reset
- Select Notification
- Set 'Notify users on password resets?' to 'Yes'
Please note that at this point in time, there are no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.
References
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy