Ensure That 'Number of methods required to reset' is set to '2'

Ensures that two alternate forms of identification are provided before allowing a password reset.

Risk Level: Low
Cloud Entity: Azure Active Directory
CloudGuard Rule ID: D9.AZU.IAM.45
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

User should have userCredentialRegistrationDetails.selfServicePasswordResetAuthMethods.length() >1
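
The GSL condition above is evaluated per User entity. The following is an added example, not CloudGuard's own code, that applies the same condition offline to exported user records. The record layout, the userPrincipalName field, the method names in the sample data, and the treatment of a missing list as zero methods are assumptions made for illustration.

```python
# Added example: offline evaluation of the rule's GSL condition over exported
# user records. The record layout is an assumption modelled on the property
# path in the GSL expression; it is not CloudGuard's own code or schema.

RULE_PATH = "userCredentialRegistrationDetails.selfServicePasswordResetAuthMethods"
REQUIRED_MORE_THAN = 1  # GSL: length() > 1


def resolve(entity, dotted_path):
    """Walk a dotted property path; return None if any segment is missing."""
    current = entity
    for key in dotted_path.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def evaluate(users):
    """Return (userPrincipalName, method_count) for each user failing the rule."""
    failures = []
    for user in users:
        methods = resolve(user, RULE_PATH)
        # Assumption: a missing or null list counts as zero registered methods.
        count = len(methods) if isinstance(methods, list) else 0
        if not count > REQUIRED_MORE_THAN:
            failures.append((user.get("userPrincipalName", "<unknown>"), count))
    return failures


# Constructed sample data (not real accounts; method names are illustrative).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com",
     "userCredentialRegistrationDetails": {
         "selfServicePasswordResetAuthMethods": ["email", "mobilePhone"]}},
    {"userPrincipalName": "bob@example.com",
     "userCredentialRegistrationDetails": {
         "selfServicePasswordResetAuthMethods": ["email"]}},
    {"userPrincipalName": "carol@example.com",
     "userCredentialRegistrationDetails": {}},
    {"userPrincipalName": "dave@example.com"},
]

if __name__ == "__main__":
    for upn, count in evaluate(SAMPLE_USERS):
        print(f"FAIL {upn}: {count} SSPR method(s) registered, need at least 2")
```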

REMEDIATION

From Portal:

  1. Go to Azure Active Directory.
  2. Go to Users.
  3. Select Password reset.
  4. Select Authentication methods.
  5. Set the Number of methods required to reset to '2'.

Note: By default, the Number of methods required to reset is set to 2. At this time, no Azure CLI or other API commands are available to configure this setting programmatically.

References:

  1. https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr
  2. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-use-strong-authentication-controls-for-all-azure-active-directory-based-access
  3. https://workbench.cisecurity.org/sections/1460901/recommendations/2349024

Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, which helps your employees sign in and access resources in external resources and internal res

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset