Control: 1.5 Ensure that 'Number of methods required to reset' is set to '2'
Description
Ensure that two alternate forms of identification are provided before allowing a password reset.
Like multi-factor authentication, requiring dual identification before allowing a password reset ensures that the user's identity is confirmed via two separate forms of identification. With dual identification set, an attacker would need to compromise both forms of identification before they could maliciously reset a user's password.
Remediation
From Console
- Log in to Azure Active Directory
- Go to Users
- Go to Password reset in side bar
- Go to Authentication methods in side bar
- Set the Number of methods required to reset to 2
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_1_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v140_1_5 --share
SQL
This control uses a named query:
ad_manual_control