5.2.4.2 Ensure the self-service password reset activity report is reviewed at least weekly

Information

The Microsoft 365 platform allows users to reset their password in the event they forget it. The self-service password reset activity report logs each time a user successfully resets their password this way. The self-service password reset activity report should be reviewed at least weekly.

Rationale:

An attacker will commonly compromise an account, then change the password to something they control and can manage.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review the self-service password reset activity report:

Navigate to the Microsoft Entra admin center at https://entra.microsoft.com/.

Expand Protection > Password reset, then select Audit logs.

Review the list of users who have reset their passwords by setting Date to Last 7 days and Service to Self-service Password Management.
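As an added example that is not part of the CIS benchmark or the Nessus plugin, the following Microsoft Graph PowerShell script pulls the same audit entries for the review window so the weekly check can be scripted and its output kept as evidence. It assumes the Microsoft.Graph.Reports module is installed and that the signed-in account holds a role permitted to read audit logs (such as Reports Reader); the output file name is arbitrary.

```powershell
# Added example (not part of the CIS benchmark or the Nessus audit): lists Entra
# audit events logged by the self-service password reset service for the last
# $Days days, mirroring the portal filter Service = Self-service Password Management.
# Assumes Microsoft.Graph.Reports is installed and the account can read audit logs.
#Requires -Modules Microsoft.Graph.Reports

param(
    [int]$Days = 7   # benchmark asks for at least a weekly review
)

Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

# Graph filter: events within the window whose loggedByService is the SSPR service.
$since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDateTime ge $since and loggedByService eq 'Self-service Password Management'"

$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

# Flatten each entry to the fields a reviewer needs: when, who, what, outcome.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time     = $e.ActivityDateTime
        User     = $e.InitiatedBy.User.UserPrincipalName
        Activity = $e.ActivityDisplayName
        Result   = $e.Result
        Reason   = $e.ResultReason
    }
}

"SSPR activity in the last $Days days: $(@($rows).Count) event(s)"

# Activity breakdown (e.g. resets vs. registrations), most frequent first.
$rows | Group-Object Activity | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Full detail, newest first, for the line-by-line review.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Users with more than one SSPR event in the window: review these first, since
# repeated resets on one account are a common sign of takeover or abuse.
$rows | Group-Object User | Where-Object Count -gt 1 |
    Select-Object @{n='User';e={$_.Name}}, Count | Format-Table -AutoSize

# Keep a CSV copy as the evidence record for this week's review (file name is arbitrary).
$rows | Export-Csv -Path ".\sspr-activity-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```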

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.2

Plugin: microsoft_azure

Control ID: a3e9c5d8bfdce870a0e15f5861b4fae07044ba8347cda7851265518d391c1d9e