Default Authorization Settings - Enabled Self service password reset for administrators
Indicates whether administrators of the tenant can use the Self-Service Password Reset (SSPR). The policy applies to some critical critical roles in Microsoft Entra ID.
| Name | allowedToUseSSPR |
| Control | Default Authorization Settings |
| Description | Manages authorization settings in Azure AD |
| Severity | Informational |
How to fix
Details of configuration item
| Recommendation | Administrators with sensitive roles should use phishing-resistant authentication methods only and therefore not able to reset their password using SSPR. |
| Configuration | policies/authorizationPolicy |
| Setting | allowedToUseSSPR |
| Recommended Value | 'false' |
| Default Value | true |
| Graph API Docs | authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn |
| Graph Explorer | Open in Graph Explorer |
MITRE ATT&CK
| Tactic | Technique | Mitigation |
|---|---|---|
| TA0006 - Credential Access - Credential Access |