Information
Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.
This setting is necessary if 'Require users to register when signing in' is enabled. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user changes, such as a phone number or email, then the password reset information for that user reverts to the previously registered authentication information.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Remediate from Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID
- Under Manage select Users
- Select Password reset
- Under Manage select Registration
- Set the Number of days before users are asked to re-confirm their authentication information to your organization-defined frequency.
- Click Save
Impact:
Users will be prompted to re-confirm their authentication information after the number of days specified.