CSP Security best practices
Appropriate roles: Global Admin | Admin Agent | Helpdesk Agent
All partners in the Cloud Solution Provider (CSP) program accessing Partner Center and Partner Center APIs should follow the security guidance in this article to protect themselves and customers. Partners will need to implement this guidance immediately to mitigate security issues and help remediate security escalations.
For Microsoft security best practices, refer to Microsoft Security Best Practices.
Service principals are intended for use by applications and services rather than people, and roles and permissions can be assigned to them, so they need the same governance as privileged user accounts. For the recommended controls, see Securing service principals in Azure Active Directory.
Partners can now add a security contact, who will be informed when there is any security-related issue on the CSP tenant.
Ensure multifactor authentication (MFA) is in use and conditional access policies are enforced: All Microsoft partners are required to use MFA to access Partner Center and for cross-tenant access to customer tenants in Microsoft commercial clouds. Partners are advised to check their security compliance in Partner Center and monitor if any user logins or API calls aren't compliant with MFA enforcement. Partners should always stay compliant. See Mandating multi-factor authentication (MFA) for your partner tenant.
Adopt the Secure Application Model framework: All partners integrating with Partner Center APIs must adopt the Secure Application Model framework for any app and user auth model applications.
For securing privileged roles, Securing privileged access overview.
Remove delegated administrative privileges (DAP) connection when not in use.
- Customers: remove DAP that is no longer needed. See Obtain a customer's admin privileges.
- Partners: monitor DAP connections and remove inactive ones. See DAP monitoring.
Check the Partner Center Activity Logs: partners are advised to regularly check the “Activity Log” in Partner Center to monitor any user activities, including high privileged user creations, high privileged user role assignment, and so on. Partners can also use Partner Center Activity Log APIs to create a custom security dashboard on key user activities in Partner Center to proactively detect suspicious activities.
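The following is an added example (not from the article or from the Partner Center documentation) of the kind of detection a custom dashboard built on the Activity Log API would run. The record shape, field names and operationType values used here are assumptions loosely modelled on Partner Center audit records; adapt them to the JSON your tenant's API actually returns. The sample log is constructed inline so the script runs offline.

```python
"""Flag privileged-identity changes in Partner Center Activity Log records.

Added example; the record layout (field names, operationType values and role
names) is an ASSUMPTION, not the documented API contract.
"""
import json
from collections import Counter
from datetime import datetime

# Roles whose assignment should always be reviewed (assumed display names).
PRIVILEGED_ROLES = {"Global Administrator", "Admin Agent", "Helpdesk Agent"}
# Operation types treated as role changes / account creation (assumed values).
ROLE_ASSIGN_OPS = {"add_user_member", "add_user_role"}
USER_CREATE_OPS = {"create_user"}
# Sign-ins between 20:00 and 06:00 UTC get an extra off-hours marker.
OFF_HOURS = (20, 6)

# Constructed sample export: one activity-log page as the API might return it.
SAMPLE_LOG = json.dumps({"items": [
    {"operationType": "add_user_member", "operationDate": "2024-03-04T02:11:09Z",
     "operationStatus": "succeeded", "userPrincipalName": "night-ops@partner.example",
     "resourceNewValue": json.dumps({"userPrincipalName": "tmp1@partner.example",
                                     "roleName": "Admin Agent"})},
    {"operationType": "add_user_member", "operationDate": "2024-03-04T10:30:00Z",
     "operationStatus": "succeeded", "userPrincipalName": "sales-lead@partner.example",
     "resourceNewValue": json.dumps({"userPrincipalName": "bob@partner.example",
                                     "roleName": "Sales Agent"})},
    {"operationType": "create_user", "operationDate": "2024-03-04T02:14:41Z",
     "operationStatus": "succeeded", "userPrincipalName": "night-ops@partner.example",
     "resourceNewValue": json.dumps({"userPrincipalName": "tmp2@partner.example"})},
    {"operationType": "add_user_role", "operationDate": "2024-03-04T02:15:02Z",
     "operationStatus": "succeeded", "userPrincipalName": "night-ops@partner.example",
     "resourceNewValue": json.dumps({"userPrincipalName": "tmp2@partner.example",
                                     "roleName": "Global Administrator"})},
    {"operationType": "update_customer", "operationDate": "2024-03-04T11:00:00Z",
     "operationStatus": "succeeded", "userPrincipalName": "sales-lead@partner.example",
     "resourceNewValue": json.dumps({"companyName": "Contoso"})},
    # Malformed payload: the scanner must skip it rather than crash.
    {"operationType": "add_user_member", "operationDate": "2024-03-04T12:00:00Z",
     "operationStatus": "failed", "userPrincipalName": "sales-lead@partner.example",
     "resourceNewValue": "not json"},
]})


def parse_records(text):
    """Return the list of activity records from one API page."""
    return json.loads(text).get("items", [])


def _off_hours(iso_ts):
    hour = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ").hour
    return hour >= OFF_HOURS[0] or hour < OFF_HOURS[1]


def flag_privileged_changes(records):
    """Return one alert per privileged role assignment or user creation."""
    alerts = []
    for rec in records:
        op = rec.get("operationType", "")
        try:
            new_value = json.loads(rec.get("resourceNewValue") or "{}")
        except json.JSONDecodeError:
            continue  # unparseable payload: nothing to evaluate
        if not isinstance(new_value, dict):
            continue
        alert = {
            "actor": rec.get("userPrincipalName", "?"),
            "target": new_value.get("userPrincipalName", "?"),
            "status": rec.get("operationStatus", "?"),
            "when": rec.get("operationDate", ""),
            "off_hours": _off_hours(rec["operationDate"]) if rec.get("operationDate") else False,
        }
        if op in ROLE_ASSIGN_OPS and new_value.get("roleName") in PRIVILEGED_ROLES:
            alert.update(kind="privileged_role_assigned", role=new_value["roleName"])
            alerts.append(alert)
        elif op in USER_CREATE_OPS:
            alert.update(kind="user_created", role=None)
            alerts.append(alert)
    return alerts


def actors_over_threshold(alerts, threshold):
    """Actors responsible for at least `threshold` alerts (burst of changes)."""
    counts = Counter(a["actor"] for a in alerts)
    return {actor for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = flag_privileged_changes(parse_records(SAMPLE_LOG))
    for a in found:
        print(a)
    print("burst actors:", actors_over_threshold(found, 2))
```

In a real dashboard the records would be paged from the Activity Log API instead of the constructed sample, and the alerts fed into a ticketing or SIEM pipeline; the value is in reviewing every privileged role assignment and new account, and in noticing when one identity performs several of them in a short window or outside working hours.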
Strengthening cybersecurity with Azure AD Premium Plan 2 for managed service providers (MSPs) with delegated access. We are offering service providers a free two year subscription of Azure Active Directory Premium Plan 2 to further help them manage and get reports on access privileges. Registered partners can sign in to Partner Center to take advantage of this offer. Azure AD Premium Plan 2 provides extended access to sign-in logs and premium features such as Azure AD Privileged Identity Management (PIM) and risk-based Conditional Access capabilities to strengthen security controls.
Adopt a Zero Trust approach with passwordless sign-ins: Passwordless sign-in with the Microsoft Authenticator app. More information can be found at The passwordless future is here for your Microsoft account.
Guiding principles of Zero Trust - Zero Trust Guidance Center.
Use Privileged Identity Management (PIM) to enforce Just-in-time (JIT) access and dual custody to review and approve access: What is Privileged Identity Management?
All Control Panel Vendors should enable the Secure Application Model and turn on logging for every user activity.
Control Panel Vendors should enable auditing of every partner agent logging into the application and all actions taken.
CSP vendors should regularly review the identity on their accounts and clean up unused ones as appropriate.
Review Admin Agent group and remove people who don't need access.
Periodically review user access and clean up if not required.
Users who have left the company or changed roles within the company should be removed from Partner Center access.
Partners with an Azure Active Directory P2 license automatically qualify to keep audit and sign-in log data for up to 30 days. Confirm that audit logging is in place wherever delegated administrator accounts are used, that logs capture the maximum level of detail the service provides, and that logs are retained for a period (up to 30 days) long enough to allow detection of anomalous activity. Detailed audit logging may require purchasing more services. See How long does Azure AD store reporting data?
Implement audit logging best practices and perform routine review of activity performed by delegated administrator accounts.
Partners should review the risky users report within their environment and address the accounts that have been detected with risk according to published guidance.
For more information, see NOBELIUM targeting delegated administrative privileges to facilitate broader attacks
Customer security best practices
If you're a downstream customer
Customers should frequently review subscriptions and resources or services that may have been provisioned unexpectedly.
Ensure customers are following password management policies and strong authentication with frequent password rotation.
Have your customers use Passwordless sign-in with the Microsoft Authenticator app
Review and verify all global admin users' password recovery email addresses and phone numbers within Azure AD and update them if necessary.
Review, audit, and minimize access privileges and delegated permissions. It's important to consider and implement a least-privilege approach. Microsoft recommends prioritizing a thorough review and audit of partner relationships to minimize any unnecessary permissions between your organization and upstream providers. Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or haven't yet been audited.
Review, harden, and monitor all tenant administrator accounts: All organizations should thoroughly review all tenant admin users, including those associated with Administer On Behalf Of (AOBO) in Azure subscriptions, and verify the authenticity of the users and activity. We strongly encourage the use of strong authentication for all tenant administrators, review of devices registered for use with MFA, and minimize the use of standing high-privilege access. Continue to reinspect all active tenant admin users accounts, and check audit logs regularly to verify that high-privilege user access isn't granted or delegated to admin users who don't require these privileges to do their job.
Review service provider permissions access from B2B and local accounts: In addition to using delegated administrative privilege capabilities, some cloud service providers use business-to-business (B2B) accounts or local administrator accounts in customer tenants. We recommend that you identify whether your cloud service providers use these, and if so, ensure those accounts are well governed, and have least-privilege access in your tenant. Microsoft recommends against the use of “shared” administrator accounts. Review the detailed guidance on how to review permissions for B2B accounts.
Verify that multifactor authentication (MFA) is enabled, and enforce conditional access policies. MFA is the best baseline security hygiene method to protect against threats. Follow the detailed guidance on setting up multi-factor authentication in Microsoft 365, and the guidance on deploying and configuring conditional access policies in Azure Active Directory (Azure AD).
Review audit logs and configurations.
Review and audit Azure AD sign-ins and configuration changes: Authentications of this nature are audited and available to customers through the Azure AD sign-in logs, Azure AD audit logs, and the Microsoft Purview compliance portal (formerly in the Exchange Admin Center). We recently added the capability to see sign-ins by partners who have delegated admin permissions. You can see a filtered view of these sign-ins by navigating to the sign-in logs in the Azure AD admin portal and adding the filter Cross-tenant access type: Service provider on the User sign-ins (non-interactive) tab.
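The same filter can be applied to an exported copy of the sign-in logs. The script below is an added example (not from the article) that isolates service-provider sign-ins and flags the ones a customer would want to look at first: those completed without MFA, the check partners are asked to make on their own side in the MFA section above, and those Identity Protection marked as risky. The field names (crossTenantAccessType, authenticationRequirement, riskLevelDuringSignIn, homeTenantId) are assumptions modelled on the Azure AD sign-in log schema; verify them against your export. The sign-in records are constructed inline so it runs offline.

```python
"""Triage partner (service-provider) sign-ins from an Azure AD sign-in log export.

Added example; field names are ASSUMED to follow the sign-in log schema and
should be checked against a real export before use.
"""
import json
from collections import Counter

# Constructed sample: a handful of non-interactive sign-in records.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "agent1@partner.example", "crossTenantAccessType": "serviceProvider",
     "authenticationRequirement": "multiFactorAuthentication", "riskLevelDuringSignIn": "none",
     "homeTenantId": "partner-tenant-a", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "agent2@partner.example", "crossTenantAccessType": "serviceProvider",
     "authenticationRequirement": "singleFactorAuthentication", "riskLevelDuringSignIn": "none",
     "homeTenantId": "partner-tenant-a", "appDisplayName": "Microsoft Graph",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "guest@vendor.example", "crossTenantAccessType": "b2bCollaboration",
     "authenticationRequirement": "singleFactorAuthentication", "riskLevelDuringSignIn": "none",
     "homeTenantId": "vendor-tenant", "appDisplayName": "SharePoint",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@customer.example", "crossTenantAccessType": "none",
     "authenticationRequirement": "singleFactorAuthentication", "riskLevelDuringSignIn": "none",
     "homeTenantId": "customer-tenant", "appDisplayName": "Outlook",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "svc@other-partner.example", "crossTenantAccessType": "serviceProvider",
     "authenticationRequirement": "multiFactorAuthentication", "riskLevelDuringSignIn": "medium",
     "homeTenantId": "partner-tenant-b", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 0}},
])

RISKY_LEVELS = {"low", "medium", "high"}


def load_signins(text):
    return json.loads(text)


def partner_sign_ins(records):
    """Keep only sign-ins that came through a delegated-admin (service provider) relationship."""
    return [r for r in records if r.get("crossTenantAccessType") == "serviceProvider"]


def flag_partner_sign_ins(records):
    """Return partner sign-ins that lacked MFA or carried a risk level, with the reason(s)."""
    flagged = []
    for r in partner_sign_ins(records):
        reasons = []
        if r.get("authenticationRequirement") != "multiFactorAuthentication":
            reasons.append("no_mfa")
        if r.get("riskLevelDuringSignIn", "none") in RISKY_LEVELS:
            reasons.append("risky_" + r["riskLevelDuringSignIn"])
        if reasons:
            flagged.append({
                "user": r.get("userPrincipalName", "?"),
                "home_tenant": r.get("homeTenantId", "?"),
                "app": r.get("appDisplayName", "?"),
                "reasons": reasons,
            })
    return flagged


def partner_tenants(records):
    """Count partner sign-ins per home tenant: every tenant listed should be a known provider."""
    return Counter(r.get("homeTenantId", "?") for r in partner_sign_ins(records))


if __name__ == "__main__":
    signins = load_signins(SAMPLE_SIGNINS)
    print("partner tenants seen:", dict(partner_tenants(signins)))
    for f in flag_partner_sign_ins(signins):
        print("REVIEW", f)
```

Any home tenant in the summary that does not match a provider you recognise is exactly the "unfamiliar partner relationship" the earlier paragraph says to remove access for, and every flagged sign-in is a concrete reason to raise it with the provider.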
Review Existing Log Availability and Retention Strategies: Investigating activities conducted by malicious actors places a large emphasis on having adequate log-retention procedures for cloud-based resources, including Office 365. Various subscription levels have individualized log availability and retention policies, which are important to understand before forming an incident response procedure.
We encourage all organizations to become familiar with logs made available within your subscription and to routinely evaluate them for adequacy and anomalies. For organizations relying on a third-party organization, work with them to understand their logging strategy for all administrative actions, and establish a process should logs need to be made available during an incident.