Control: 5.2.4.1 Ensure 'Self service password reset enabled' is set to 'All'
Description
Enabling self-service password reset allows users to reset their own passwords in Azure AD. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled, no additional information beyond what is registered for multi-factor authentication will be needed.
Note: Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Azure AD tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default.
Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords.
Remediation
To enable self-service password reset:
- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Click to expand Protection > Password reset and select Properties.
- Set Self service password reset enabled to All.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_4_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_4_1 --share
SQL
This control uses a named query:
azuread_user_sspr_enabled
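As an added illustration (not the microsoft365_compliance mod's own source), this is how a Powerpipe control such as this one is wired to its named query in mod HCL, and how it is grouped into a benchmark so the control ID used in the run commands above resolves. The benchmark name and the tag values are assumptions; the query contract (the query must return the columns resource, status and reason) is standard for Powerpipe controls.

```hcl
# Added illustration; not copied from the microsoft365_compliance mod.
# A control references a named query. That query must return the columns
# resource, status ('ok', 'alarm', 'info', 'skip' or 'error') and reason.
control "cis_v300_5_2_4_1" {
  title       = "5.2.4.1 Ensure 'Self service password reset enabled' is set to 'All'"
  description = "Enabling self-service password reset allows users to reset their own passwords in Azure AD."
  query       = query.azuread_user_sspr_enabled

  # Tag values below are assumed for the illustration.
  tags = {
    cis         = "true"
    cis_version = "v3.0.0"
    cis_item_id = "5.2.4.1"
    service     = "Microsoft365/AzureAD"
  }
}

# Grouping the control into a benchmark; the benchmark name is an assumption.
benchmark "cis_v300_5_2_4" {
  title    = "5.2.4 Self service password reset"
  children = [
    control.cis_v300_5_2_4_1
  ]
}
```

With the mod loaded, `powerpipe control run microsoft365_compliance.control.cis_v300_5_2_4_1` evaluates the named query and reports one row per resource with its status and reason; running the benchmark instead aggregates every child control's results.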