Skip to main content

lacework-global-505

1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' (Manual)

Profile Applicability

• Level 1

Description

Ensure that all administrators are notified if any other administrator resets their password.

Rationale

Administrator accounts are sensitive. Any password reset activity notification, when sent to all administrators, ensures that all administrators can passively confirm if such a reset is a common pattern within their group. For example, if all administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.

Impact

All other Admins will receive a notification from Azure every time a password is reset. This is useful for auditing procedures to confirm that there are no out of the ordinary password resets for Admins. There is additional overhead, however, in the time required for Admins to audit the notifications. This setting is only useful if all Admins pay attention to the notifications, and audit each one.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Then Users
  4. Select Password reset
  5. Then Notification
  6. Ensure that notify all admins when other admins reset their password? is set to Yes

Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Then Users
  4. Select Password reset
  5. Then Notification
  6. Set Notify all admins when other admins reset their password? to Yes

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.

References

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations