Control: 1.5 Ensure that 'Number of methods required to reset' is set to '2'
Description
Ensure that two alternate forms of identification are provided before allowing a password reset.
Like multi-factor authentication, setting up dual identification before allowing a password reset ensures that the user identity is confirmed via two separate forms of identification. With dual identification set, an attacker would require compromising both the identity forms before he/she could maliciously reset a user's password.
Remediation
From Console
- Log in to Azure Active Directory
- Go to
Users
- Go to
Password reset
in side bar - Go to
Authentication methods
in side bar - Set the
Number of methods required to reset
to 2
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_1_5
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_1_5 --share
SQL
This control uses a named query:
ad_manual_control