turbot/azure_compliance

Control: 1.5 Ensure that 'Number of methods required to reset' is set to '2'

Description

Ensure that two alternate forms of identification are provided before allowing a password reset.

Like multi-factor authentication, setting up dual identification before allowing a password reset ensures that the user identity is confirmed via two separate forms of identification. With dual identification set, an attacker would require compromising both the identity forms before he/she could maliciously reset a user's password.

Remediation

From Console

  1. Log in to Azure Active Directory
  2. Go to Users
  3. Go to Password reset in side bar
  4. Go to Authentication methods in side bar
  5. Set the Number of methods required to reset to 2

Usage

steampipe check azure_compliance.control.cis_v130_1_5

SQL

This control uses a named query:

ad_manual_control

Tags