Control: 5.2.4.1 Ensure 'Self service password reset enabled' is set to 'All'
Description
Enabling self-service password reset allows users to reset their own passwords in Entra ID. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled, no additional information beyond what was registered for multi-factor authentication will be needed.
Note: Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Entra ID tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default.
Remediation
To remediate using the UI:
- Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
- Click to expand Protection > Password reset, then select Properties.
- Set Self service password reset enabled to All.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_4_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_4_1 --share
SQL
This control uses a named query:
select
  tenant_id || '/' || id as resource,
  case
    when allowed_to_use_sspr then 'ok'
    else 'alarm'
  end as status,
  case
    when allowed_to_use_sspr then tenant_id || ' has self-service password reset enabled.'
    else tenant_id || ' has self-service password reset disabled.'
  end as reason,
  tenant_id as tenant_id
from
  azuread_authorization_policy;