1.5 Ensure that 'Number of methods required to reset' is set to '2'

Information

Ensure that two alternate forms of identification are provided before allowing a password reset.

Rationale:

Like multi-factor authentication, setting up dual identification before allowing a password reset ensures that the user identity is confirmed via two separate forms of identification. With dual identification set, an attacker would require compromising both the identity forms before he/she could maliciously reset a user's password.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Console

Go to Azure Active Directory

Go to Users

Go to Password reset

Go to Authentication methods

Set the Number of methods required to reset to 2



Default Value:

By default, the 'Number of methods required to reset' is set to '2'.

See Also

https://workbench.cisecurity.org/files/3459

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), CSCv7|16.3

Plugin: microsoft_azure

Control ID: e636a07df471e172d1b1b4245f950bc2cede827a1c9d03f8b584cc05765d66e0