Control: 1.6 Ensure That 'Number of methods required to reset' is set to '2'
Description
Ensures that two alternate forms of identification are provided before allowing a password reset.
A Self-service Password Reset (SSPR) through Azure Multi-factor Authentication (MFA) ensures the user's identity is confirmed using two separate methods of identification. With multiple methods set, an attacker would have to compromise both methods before they could maliciously reset a user's password.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu
- Select
Azure Active Directory
- Then
Users
- Select
Password reset
- Then
Authentication methods
- Set the
Number of methods required to reset
to2
Please note that at this point of time, there is no Azure CLI or other API commands available to programmatically conduct security configuration for this recommendation.
Default Value
By default, the Number of methods required to reset
is set to "2".
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v150_1_6
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v150_1_6 --share
SQL
This control uses a named query:
ad_manual_control