rules/findings/EntraID/SSPR/CIS3.1/eid-sspr-enabled-set-to-all.json

{
    "args": [
         
    ],
    "provider": "EntraID",
    "serviceType": "Identity Protection",
    "serviceName": "Microsoft Entra ID",
    "displayName": "Ensure \u0027Self service password reset enabled\u0027 is set to \u0027All\u0027",
    "description": "\r\n\t\tEnabling self-service password reset allows users to reset their own passwords in Entra ID. When users sign in to Microsoft 365, they will be prompted to enter additional contact information that will help them reset their password in the future. If combined registration is enabled, additional information, outside of multi-factor, will not be needed. \r\n\t\t**NOTE** : Effective Oct. 1st, 2022, Microsoft will begin to enable combined registration for all users in Entra ID tenants created before August 15th, 2020. Tenants created after this date are enabled with combined registration by default. \r\n ",
    "rationale": "Users will no longer need to engage the helpdesk for password resets, and the password reset mechanism will automatically block common, easily guessable passwords.",
    "impact": "\r\n\t\tUsers will be required to provide additional contact information to enroll in self-service password reset. Additionally, minor user education may be required for users who are used to calling a help desk for assistance with password resets. \r\n\t\t**NOTE** : This is unavailable if using Entra Connect / Sync in a hybrid environment.\r\n ",
    "remediation": {
        "text": "\r\n\t\t\t###### To enable self-service password reset: \r\n\t\t\t1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/. \r\n\t\t\t2. Click to expand Protection \u003e Password reset, then select Properties. \r\n\t\t\t3. Set \u0027Self service password reset enabled\u0027 to \u0027All\u0027.\r\n\t",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-how-it-works#notifications",
        "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-deployment",
        "https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft 365 Foundations Benchmark",
            "version": "3.1.0",
            "reference": "5.2.4.1",
            "profile": "E3 Level 1"
        }
    ],
    "level": "medium",
    "tags": [
         
    ],
    "rule": {
        "path": "",
        "subPath": null,
        "selectCondition": {
             
        },
        "query": [
             
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                     
                },
                "expandObject": null
            },
            "table": null,
            "decorate": [
                 
            ],
            "emphasis": [
                 
            ],
            "actions": {
                "objectData": {
                    "properties": [
                        "*"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "isManual": false,
                "showGoToButton": false,
                "showModalButton": false,
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                     
                },
                "expandObject": null
            },
            "status": {
                "keyName": [
                     
                ],
                "message": "Ensure \u0027Self service password reset enabled\u0027 is set to \u0027All\u0027",
                "defaultMessage": null
            },
            "properties": {
                "resourceName": null,
                "resourceId": null,
                "resourceType": null
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "eid_sspr_disabled_not_enabled_all",
    "notes": [
         
    ],
    "categories": [
         
    ],
    "immutable_properties": [
         
    ],
    "id": "entraid_1167"
}