Self-Service Password Reset Enabled (M365)

💼 Management Summary

SSPR allows users to reset forgotten passwords without involving the helpdesk, which reduces costs and improves the user experience.

Recommendation: IMPLEMENT
Risk without: Low
Risk Score: 4/10
Implementation: 8h (tech: 4h)
Applies to: M365, Azure AD

Without SSPR: helpdesk calls for password resets (60-70% of tickets), user downtime while waiting for the helpdesk, and a cost of €10-30 per reset. With SSPR: users reset immediately, verify their identity via registered methods, and helpdesk costs fall by 50-70%.

PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Identity.SignIns

Implementation

Enable SSPR for all users. Registration: 2 methods required (phone + email recommended). Users verify their identity via the registered methods and then reset their password immediately.

Prerequisites

  1. Azure AD Premium P1
  2. Users registered for SSPR methods
  3. User communication campaign

Implementation

  1. Azure AD → Password reset → Enable SSPR: all users
  2. Methods available: Mobile phone, Email, Security questions (optional)
  3. Number of methods required to reset: 2
  4. Force users to register at sign-in
  5. Notifications: notify users + notify admins
  6. Monitor: SSPR usage statistics

Compliance and Auditing

  1. CIS M365 - control 1.3.4
  2. BIO 09.04
  3. ISO 27001 A.9.4.1

Monitoring

Use the PowerShell script self-service-password-reset.ps1 (function Invoke-Monitoring) to check the control.

Remediation

Use the PowerShell script self-service-password-reset.ps1 (function Invoke-Remediation) to remediate.


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

```powershell
<#
.SYNOPSIS
    Self-Service Password Reset (SSPR)
.DESCRIPTION
    Ensures Self-Service Password Reset is enabled for all users.
    Allows users to reset their own passwords, reducing helpdesk burden.
.NOTES
    Filename: self-service-password-reset.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
    .\self-service-password-reset.ps1 -Monitoring
    Check if SSPR is enabled
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,
    [Parameter(Mandatory = $false)]
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Self-Service Password Reset (SSPR)" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Write-Host "Connecting to Microsoft Graph..." -ForegroundColor Gray
        Connect-MgGraph -Scopes "Policy.Read.All" -ErrorAction Stop -NoWelcome

        Write-Host "Checking SSPR configuration..." -ForegroundColor Gray
        # Note: SSPR is configured via Azure Portal
        # Graph API has limited access to SSPR settings
        Write-Host "`n⚠️ SSPR configuration requires manual verification" -ForegroundColor Yellow
        Write-Host "`nTo check SSPR status:" -ForegroundColor Cyan
        Write-Host "  1. Go to Azure Portal > Azure Active Directory" -ForegroundColor Gray
        Write-Host "  2. Navigate to 'Password reset'" -ForegroundColor Gray
        Write-Host "  3. Check 'Properties' - Should be 'All' or 'Selected'" -ForegroundColor Gray
        Write-Host "  4. Verify authentication methods are configured" -ForegroundColor Gray
        Write-Host "`nRecommended SSPR settings:" -ForegroundColor Cyan
        Write-Host "  • Enable for: All users" -ForegroundColor Gray
        Write-Host "  • Methods required: 2" -ForegroundColor Gray
        Write-Host "  • Methods available: Mobile app, Email, Mobile phone" -ForegroundColor Gray
        Write-Host "  • Registration: Required" -ForegroundColor Gray
        Write-Host "  • Re-registration: Every 180 days" -ForegroundColor Gray
        Write-Host "`n⚠️ Manual verification required" -ForegroundColor Yellow
        exit 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    try {
        Write-Host "⚠️ SSPR must be configured via Azure Portal" -ForegroundColor Yellow
        Write-Host "`nSteps to enable SSPR:" -ForegroundColor Cyan
        Write-Host "  1. Azure Portal > Azure Active Directory > Password reset" -ForegroundColor Gray
        Write-Host "  2. Click 'All' to enable for all users" -ForegroundColor Gray
        Write-Host "  3. Set authentication methods:" -ForegroundColor Gray
        Write-Host "     - Number of methods required: 2" -ForegroundColor Gray
        Write-Host "     - Enable: Mobile app notification, Mobile app code," -ForegroundColor Gray
        Write-Host "       Email, Mobile phone, Office phone" -ForegroundColor Gray
        Write-Host "  4. Enable 'Registration' > 'Require users to register'" -ForegroundColor Gray
        Write-Host "  5. Set registration re-confirm: 180 days" -ForegroundColor Gray
        Write-Host "  6. Enable 'Notifications' > Notify users and admins" -ForegroundColor Gray
        Write-Host "  7. Click 'Save'" -ForegroundColor Gray
        Write-Host "`n📝 PowerShell automation not available for SSPR" -ForegroundColor Yellow
        Write-Host "This is an Azure AD Premium P1/P2 feature" -ForegroundColor Cyan
        exit 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would revert configuration" -ForegroundColor Yellow
            return
        }
        # Revert implementation - requires manual implementation per control
        Write-Host "  Configuration reverted" -ForegroundColor Green
        Write-Host "`nRevert completed" -ForegroundColor Green
    }
    catch {
        Write-Error "Error during revert: $_"
        throw
    }
}

# Dispatch on the switch that was passed; -Revert is wired to Invoke-Revert
try {
    if ($Monitoring) { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    elseif ($Revert) { Invoke-Revert }
    else { Write-Host "Use: -Monitoring, -Remediation or -Revert" -ForegroundColor Yellow }
}
catch { throw }
finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
```
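The script above can only point at the portal, but the per-user registration report in Microsoft Graph does show who in SSPR scope has actually registered the required methods, which is the prerequisite and monitoring item this control lists. The following is an added example, not part of the baseline's own script; it assumes the Microsoft.Graph.Reports module is installed, that the admin can consent to the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes, and that the function name Get-SsprRegistrationGap is ours.

```powershell
# Added example (not from self-service-password-reset.ps1): report SSPR registration
# coverage per user from the Graph authentication-methods registration report.
# Assumes Microsoft.Graph.Reports is installed and consent for the scopes below.
#Requires -Modules Microsoft.Graph.Reports

function Get-SsprRegistrationGap {
    [CmdletBinding()]
    param(
        # Minimum number of registered methods this control expects (2)
        [int]$RequiredMethods = 2
    )
    Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

    # One record per user. IsSsprEnabled = user is in SSPR scope,
    # IsSsprRegistered = user meets the tenant's SSPR policy,
    # MethodsRegistered = every registered method (MFA-only ones included,
    # so MethodCount is an upper bound for SSPR-usable methods).
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    foreach ($u in $details) {
        $count = @($u.MethodsRegistered).Count
        $status = if (-not $u.IsSsprEnabled)        { 'OutOfScope' }
                  elseif (-not $u.IsSsprRegistered) { 'NotRegistered' }
                  elseif ($count -lt $RequiredMethods) { 'BelowMinimum' }
                  else                                 { 'Compliant' }
        [pscustomobject]@{
            User        = $u.UserPrincipalName
            IsAdmin     = $u.IsAdmin
            Status      = $status
            MethodCount = $count
            Methods     = ($u.MethodsRegistered -join ',')
        }
    }
}

$report = Get-SsprRegistrationGap -RequiredMethods 2

# Tenant-wide picture: how many users fall into each status
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# In-scope users who cannot self-serve yet; admins first, since an admin
# locked out without a working reset path is the costlier helpdesk case
$gaps = $report | Where-Object { $_.Status -in 'NotRegistered', 'BelowMinimum' }
$gaps | Sort-Object IsAdmin -Descending, User | Format-Table -AutoSize

# Same exit-code convention as the baseline script: 0 = compliant, 2 = gaps found
if (@($gaps).Count -gt 0) { exit 2 } else { exit 0 }
```

The NotRegistered and BelowMinimum rows are the target list for the user communication campaign named under Prerequisites.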

Risk without implementation

Low - Helpdesk overhead, user downtime. SSPR reduces costs and improves UX.

Management Summary

Enable SSPR for all users. 2 methods required. Reduces helpdesk costs by 50-70%. Requires Azure AD P1. Meets CIS 1.3.4 (L2). Setup: 4h.