6.9 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'

Information

Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0.

This setting is necessary if 'Require users to register when signing in' is enabled. If authentication re-confirmation is disabled, registered users will never be prompted to re-confirm their existing authentication information. If the authentication information for a user changes, such as a phone number or email, then the password reset information for that user reverts to the previously registered authentication information.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remediate from Azure Portal

- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
- Under Manage select Users.
- Select Password reset.
- Under Manage select Registration.
- Set 'Number of days before users are asked to re-confirm their authentication information' to your organization-defined frequency.
- Click Save.

Impact:

Users will be prompted to re-confirm their authentication information after the number of days specified.

See Also

https://workbench.cisecurity.org/benchmarks/19304