Information
Ensure that two alternate forms of identification are provided before allowing a password reset.
Rationale:
Like multi-factor authentication, requiring two forms of identification before a password reset is allowed ensures that the user's identity is confirmed through two separate, independent factors. With dual identification set, an attacker would need to compromise both forms of identification before they could maliciously reset a user's password.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From Azure Console
Go to Azure Active Directory
Go to Users
Go to Password reset
Go to Authentication methods
Set the Number of methods required to reset to 2
Default Value:
By default, the 'Number of methods required to reset' is set to '2'.