Skip to main content

lacework-global-504

Set 'Notify users on password resets?' to 'Yes' (Manual)

Profile Applicability

• Level 1

Description

Notify users on their primary and secondary emails on password resets.

Rationale

User notification on password reset is a passive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.

Impact

Users will receive emails alerting them to password changes to both their primary and secondary emails.

Audit

From Azure Portal

  1. From Azure Home select the Portal Menu
  2. Select Azure Active Directory
  3. Select Users
  4. Go to Password reset
  5. Go to Notification
  6. Ensure that Notify users on password resets? is set to Yes

Please note that at this point of time, there is no API/CLI mechanism available to programmatically conduct security assessment for this recommendation.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Azure Active Directory.
  3. Select Users.
  4. Select Password reset.
  5. Select Notifications.
  6. Set Notify users on password resets? to Yes.

Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.

References

https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy