Ensure `force_password_change` is set to true for AzureAD User

HIGH

Description

Active Directory administrators have the ability to require a user to reset their password in the event of a security situation, such as lost or stolen credentials, or if the user was recently added to Active Directory. Requiring a reset on the next login is considered good practice in these events.

Remediation

Forcing a password reset is not a function of Azure AD directly; however, it is available in a B2C workflow. To learn more about how to use B2C to force password changes, see the Azure documentation (below).

In Terraform -

  1. In the azuread_user resource, set force_password_change to true.
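The following Terraform configuration is an added example, not part of this policy page or of the Terraform provider documentation. It places a non-compliant `azuread_user` resource next to the remediated one; the resource names, user principal names, display names and the `initial_password` variable are assumptions chosen for illustration.

```hcl
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azuread" {}

# Initial password supplied out of band (for example from a secret store).
# The variable name is an assumption for this example.
variable "initial_password" {
  type      = string
  sensitive = true
}

# Non-compliant: force_password_change is omitted, so it takes the provider
# default of false and the administrator-set password stays valid until the
# user chooses to change it. The scanner flags this resource (AC_AZURE_0540).
resource "azuread_user" "noncompliant" {
  user_principal_name = "jdoe@example.com" # assumed UPN
  display_name        = "Jane Doe"
  password            = var.initial_password
}

# Compliant: the user must change the administrator-set password at the next
# sign-in. Per the provider documentation, force_password_change only takes
# effect when the password is also being set, so it is paired with `password`.
resource "azuread_user" "compliant" {
  user_principal_name   = "jsmith@example.com" # assumed UPN
  display_name          = "John Smith"
  password              = var.initial_password
  force_password_change = true
}
```

Run `terraform validate` and `terraform plan` to confirm the attribute is accepted by the provider version in use; an IaC scanner that implements this rule should report the first resource and pass the second.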

References:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/force-password-reset?pivots=b2c-user-flow
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/user#force_password_change

Policy Details

Rule Reference ID: AC_AZURE_0540
CSP: Azure
Remediation Available: Yes
Resource: azuread_user
Resource Type: AzureAD

Frameworks