lacework-global-504
Set 'Notify users on password resets?' to 'Yes' (Manual)
Profile Applicability
• Level 1
Description
Notify users on their primary and secondary emails on password resets.
Rationale
User notification on password reset is a passive way of confirming password reset activity. It helps the user to recognize unauthorized password reset activities.
Impact
Users will receive emails at both their primary and secondary email addresses alerting them to password changes.
Audit
From Azure Portal
- From Azure Home select the Portal Menu
- Select Azure Active Directory
- Select Users
- Go to Password reset
- Go to Notification
- Ensure that 'Notify users on password resets?' is set to 'Yes'
Please note that at this time there is no API/CLI mechanism available to programmatically conduct a security assessment for this recommendation.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Azure Active Directory.
- Select Users.
- Select Password reset.
- Select Notifications.
- Set 'Notify users on password resets?' to 'Yes'.
Please note that at this time there are no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.
References
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr#set-up-notifications-and-customizations
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-6-define-identity-and-privileged-access-strategy