Subscribe to the Non-Human & AI Identity Journal

Who is accountable when a reset or MFA change is abused in Active Directory?

Accountability sits with both identity governance and the support process owner, because password resets and MFA changes are access decisions, not clerical tasks. The organisation needs clear approval logic, assurance checks, and escalation thresholds so that identity recovery cannot be turned into a social-engineering pivot.

Why This Matters for Security Teams

When a password reset or MFA change is abused in active directory, the issue is not just user support hygiene. It is an identity governance failure that can hand an attacker a clean path into the directory, especially when recovery steps are treated as low-risk exceptions. NIST SP 800-53 Rev 5 Security and Privacy Controls makes clear that access control, authentication, and privileged actions require explicit oversight, and NHIMG research shows why this matters in real environments: only 5.7% of organisations have full visibility into their service accounts, while 97% of NHIs carry excessive privileges.

That combination matters because reset workflows often sit at the boundary between human trust and machine access. If the same support queue can trigger account recovery, MFA re-enrolment, and directory privilege restoration without strong approval logic, an attacker only needs one weak verification step to convert social engineering into durable access. The Cisco Active Directory credentials breach and the Microsoft Midnight Blizzard breach both underline how identity abuse becomes systemic when recovery paths are over-trusted.

In practice, many security teams encounter abuse only after an attacker has already used the reset path to regain persistence, rather than through intentional detection of the workflow itself.

How It Works in Practice

Accountability should be assigned to the parties that define and operate the control, not just the person who executed the ticket. In most enterprises, that means identity governance owns the policy, while the support process owner owns the operational workflow, evidence checks, and escalation handling. The practical question is whether the organisation can prove that a reset or MFA change was authorised, verified, and recorded in a way that stands up to audit and incident review.

Good practice is to treat password resets, MFA device replacement, and MFA factor removal as security-sensitive events. That means requiring stronger verification for higher-risk accounts, separating approval authority from execution, and logging who approved, who performed, what evidence was used, and what downstream access changed. NIST guidance supports this kind of control separation, and the same principle appears in identity abuse reporting across NHIMG research such as the Cisco Active Directory credentials breach.

  • Define a named business owner for recovery policy and a named technical owner for the tool or help desk workflow.
  • Require step-up verification for privileged users, remote requests, and requests that change MFA enrollment.
  • Use approval thresholds for exceptions, especially when a reset would restore access to admin groups, PAM, or service-linked accounts.
  • Record immutable evidence: ticket ID, verifier, approver, channel, timestamp, and post-change validation.
  • Review reset and MFA-change activity for anomaly patterns, including repeat requests, urgent language, and location mismatch.

Current guidance suggests that recovery should be linked to zero trust and least privilege principles, with NIST SP 800-53 Rev 5 Security and Privacy Controls used as the baseline for control mapping and NIST SP 800-53 Rev 5 Security and Privacy Controls applied to the approval and authentication workflow. These controls tend to break down when the help desk can override MFA without a separate security review because the attacker only needs one convincing conversation to bypass the rest of the process.

Common Variations and Edge Cases

Tighter recovery controls often increase support friction, requiring organisations to balance user restoration speed against the risk of takeover. That tradeoff becomes sharper for executives, privileged administrators, break-glass accounts, and legacy AD environments where MFA rollback was designed before current phishing and vishing tactics matured.

There is no universal standard for exactly how much verification is enough, so the control should scale by account sensitivity and recovery scenario. For low-risk users, a strong but streamlined workflow may be acceptable. For privileged identities, support staff should not be allowed to complete a reset alone, and removal of MFA should trigger immediate review by identity governance or the security team.

One common edge case is when the user has lost both primary and secondary factors. In that situation, organisations need documented exception handling, because ad hoc recovery often creates the very abuse path attackers want. Another edge case is managed service or shared administrative access, where one reset can affect multiple dependent systems. NHIMG’s broader guidance on identity risk, including the Microsoft Midnight Blizzard breach, shows how quickly recovery mistakes can become persistence mechanisms. For high-value accounts, best practice is evolving toward stricter separation of duties and stronger evidence requirements, not faster exceptions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Reset abuse often starts with weak identity lifecycle and recovery controls.
NIST CSF 2.0 PR.AA-1 Authentication assurance is central when recovery changes can unlock access.
NIST AI RMF GOVERN Accountability and oversight are governance issues, not help desk clerical tasks.
NIST Zero Trust (SP 800-207) Zero trust requires continuous verification even for recovery workflows.

Assign explicit ownership, evidence requirements, and escalation thresholds under the GOVERN function.