Control: 1.1.4 Ensure self-service password reset is enabled
Description
Enabling self-service password reset (SSPR) allows users to reset their own passwords in Azure AD. When users sign in to Microsoft 365, they are prompted to register additional contact information that is later used to verify their identity when they reset their password. If combined registration is enabled, no information beyond what is already collected for multi-factor authentication is needed. Combined registration has been enabled by default since August 2020.
Users no longer need to engage the helpdesk for password resets, and the password reset mechanism automatically blocks common, easily guessable passwords. Combined registration should be enabled if it is not already; since August 2020 it is automatic for new tenants, so users do not need to register for password reset separately from multi-factor authentication.
Remediation
To enable self-service password reset, use the Microsoft 365 Admin Center:
- Under Admin centers choose Azure Active Directory.
- Choose Users from the left hand navigation.
- Choose Password reset.
- On the Properties page, select All under Self service password reset enabled.
- Select Save.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_4 --share
SQL
This control uses a named query:
azuread_user_sspr_enabled