
Default Authorization Settings - Enabled Self service password reset for administrators

Indicates whether administrators of the tenant can use Self-Service Password Reset (SSPR). The policy applies to a set of critical roles in Microsoft Entra ID.

Name: allowedToUseSSPR
Control: Default Authorization Settings
Description: Manages authorization settings in Azure AD
Severity: Informational

How to fix

Details of configuration item

Recommendation: Administrators with sensitive roles should use phishing-resistant authentication methods only and should therefore not be able to reset their password using SSPR.
Configuration: policies/authorizationPolicy
Setting: allowedToUseSSPR
Recommended Value: 'false'
Default Value: true
Graph API Docs: authorizationPolicy resource type - Microsoft Graph v1.0 - Microsoft Learn
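The following is an added example, not a test from Maester or any other project, showing how to audit the setting described above and, optionally, set it to the recommended value. It assumes the Microsoft.Graph PowerShell SDK with an existing Connect-MgGraph session (Policy.Read.All to read, Policy.ReadWrite.Authorization to write); the function name Test-AdminSsprDisabled is the author's own choice.

```powershell
# Added example (not Maester's own test code): audit and optionally remediate
# allowedToUseSSPR on policies/authorizationPolicy.
# Assumes an existing session, e.g.:
#   Connect-MgGraph -Scopes 'Policy.Read.All'                  # audit only
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'   # required for -Remediate

function Test-AdminSsprDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Set the recommended value when the check fails
        [switch]$Remediate
    )

    $uri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

    # Read the tenant-wide authorization policy (single object, not a collection)
    $policy = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject

    $result = [pscustomobject]@{
        Setting          = 'allowedToUseSSPR'
        CurrentValue     = $policy.allowedToUseSSPR
        RecommendedValue = $false
        Compliant        = ($policy.allowedToUseSSPR -eq $false)
    }

    if (-not $result.Compliant -and $Remediate) {
        # ShouldProcess honours -WhatIf / -Confirm so the change can be previewed first
        if ($PSCmdlet.ShouldProcess('policies/authorizationPolicy', 'Set allowedToUseSSPR to false')) {
            $body = @{ allowedToUseSSPR = $false }
            Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json' | Out-Null

            # Re-read rather than trust the request succeeded silently
            $policy = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
            $result.CurrentValue = $policy.allowedToUseSSPR
            $result.Compliant    = ($policy.allowedToUseSSPR -eq $false)
        }
    }

    return $result
}

# Usage:
#   Test-AdminSsprDisabled                      # report only
#   Test-AdminSsprDisabled -Remediate -WhatIf   # preview the change
#   Test-AdminSsprDisabled -Remediate           # apply the recommended value
```

Before applying the change, confirm that the affected administrators already have a phishing-resistant method registered (for example, enforced through a Conditional Access authentication strength), since once SSPR is off for them, password recovery goes through another administrator rather than self-service.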

MITRE ATT&CK

Tactic: TA0006 - Credential Access
Technique: (none listed)
Mitigation: (none listed)