lacework-global-505
1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes' (Manual)
Profile Applicability
• Level 1
Description
Ensure that all administrators are notified if any other administrator resets their password.
Rationale
Administrator accounts are sensitive. Any password reset activity notification, when sent to all administrators, ensures that all administrators can passively confirm if such a reset is a common pattern within their group. For example, if all administrators change their password every 30 days, any password reset activity before that may require administrator(s) to evaluate any unusual activity and confirm its origin.
Impact
All other Admins will receive a notification from Azure every time a password is reset. This is useful for auditing procedures to confirm that there are no out of the ordinary password resets for Admins. There is additional overhead, however, in the time required for Admins to audit the notifications. This setting is only useful if all Admins pay attention to the notifications, and audit each one.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active Directory
- Then
Users
- Select
Password reset
- Then
Notification
- Ensure that
notify all admins when other admins reset their password?
is set toYes
Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active Directory
- Then
Users
- Select
Password reset
- Then
Notification
- Set
Notify all admins when other admins reset their password?
toYes
Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.
References
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-1-protect-and-limit-highly-privileged-users
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations