5.5 Ensure the self-service password reset activity report is reviewed at least weekly

Information

Microsoft 365 allows a user to reset their own password if they forget it. The self-service password reset activity report logs each time a user successfully resets their password this way. Review the self-service password reset activity report at least weekly.

Rationale:

An attacker will commonly compromise an account and then change the password to something they control and can manage. Reviewing the report regularly lets you spot resets that the legitimate account owner did not initiate.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review the report, perform the following steps using the Azure Portal:

1. Go to portal.azure.com.
2. Go to 'Azure Active Directory'.
3. Click on 'Usage & insights' under 'Monitoring'.
4. Select 'Authentication methods activity' and the 'Usage' tab.
5. Review the list of users who have reset their passwords in the last seven days by clicking 'Self-service password resets and account unlocks by method'.
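The portal steps above can also be scripted so the weekly review is repeatable and leaves an evidence file. The following is an added example, not part of the CIS benchmark or Tenable text; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports module), a reader granted AuditLog.Read.All, and that self-service resets appear in the directory audit log with the activity name 'Reset password (self-service)'.

```powershell
# Added example: pull the last seven days of self-service password reset events
# from the directory audit log and summarise them for the weekly review.
# Assumes the Microsoft.Graph.Reports module is installed and the caller holds
# the AuditLog.Read.All permission.
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Review window: the benchmark asks for at least weekly, so look back seven days.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Assumed activity name for SSPR entries in the audit log; adjust if your tenant
# shows a different display name for these events.
$filter = "activityDateTime ge $since and activityDisplayName eq 'Reset password (self-service)'"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

# Flatten each audit record to the fields a reviewer needs.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        When    = $e.ActivityDateTime
        User    = ($e.TargetResources | Select-Object -First 1).UserPrincipalName
        Result  = $e.Result
        Service = $e.LoggedByService
    }
}

# 1) Every reset in the window, oldest first.
$rows | Sort-Object When | Format-Table -AutoSize

# 2) Users with more than one successful reset in the week: reconcile these
#    against helpdesk tickets, since repeated resets are a common sign of an
#    attacker re-taking control of an account.
$rows | Where-Object Result -eq 'success' | Group-Object User |
    Where-Object Count -gt 1 |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count

# 3) Keep a dated copy as evidence that the review took place.
$rows | Export-Csv -Path ".\sspr-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it from a scheduled task or a reviewer's workstation once a week and file the CSV with the review sign-off.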

See Also

https://workbench.cisecurity.org/files/3729

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.2

Plugin: microsoft_azure

Control ID: a543f749b8919e089f89757e17d6f268c3df0e32c99fe52f2c01be0959bce0e1