Control: 1.1.4 Ensure self-service password reset is enabled
Description
Enabling self-service password reset allows users to reset their own passwords in Azure AD. When your users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled additional information, outside of multi-factor, will not be needed. As of August 2020 combined registration is enabled by default.
Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords. Combined registration should be enabled if not already, as of August of 2020 combined registration is automatic for new tenants therefor users will not need to register for password reset separately from multi-factor authentication.
Remediation
To enable self-service password reset, use the Microsoft 365 Admin Center:
- Under
Admin centerschooseAzure Active Directory. - Choose
Usersfrom the left hand navigation. - Choose
Password reset. - On the Properties page, select
AllunderSelf service password reset enabled. - Select
Save.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v140_1_1_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v140_1_1_4 --shareSQL
This control uses a named query:
azuread_user_sspr_enabled