Frequently asked questions about the partner security requirements

Applies to

  • Partner Center

Appropriate users

  • All enabled users including guest users

Partner security requirements

This article answers frequently asked questions about the partner security requirements.

What are the partner security requirements and why should partners implement?

Stronger, ongoing security and privacy safeguards are among our top priorities, and we continue to help partners protect their customers and tenants. We continue to see a growing number of increasingly sophisticated security attacks, most of them identity compromise incidents. Because preventive controls play a key role in an overall defense strategy, we introduced mandatory security requirements in 2019. All partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors, and Advisors must implement the requirements to stay compliant.

What are the key timelines and milestones?

The terms associated with these security requirements, including timelines and milestones, are included in the Microsoft Partner Agreement (2019). You need to implement these security requirements as soon as possible to remain compliant with your participation in the CSP program.

What will happen if I don't implement these partner security requirements?

The Microsoft Partner Agreement requires that you enforce multi-factor authentication for user accounts, and adopt the secure application model for interacting with the Partner Center API.

Partners who don't abide by these security practices may lose their ability to transact in the CSP program or to manage customer tenants using delegated admin rights.

Do the security requirements apply to all geographies?

Yes, the security requirements apply to all geographies. We strongly recommend that all partners transacting through a sovereign cloud (21Vianet, US Government, and Germany) adopt these new security requirements immediately. However, these partners aren't required to meet the new security requirements effective August 1. Microsoft will provide additional details regarding the enforcement of these security requirements for sovereign clouds in the future.

Is it possible to get an exclusion for an account?

No, it is not possible to exclude any user account from the requirement to have MFA enforced. Given the highly privileged nature of being a partner, the Microsoft Partner Agreement requires that multi-factor authentication is enforced for every user account in your partner tenant.

How do I know if I have met the partner security requirements?

You need to complete the following steps:

  • You need to meet all requirements outlined in the partner security requirements.
  • You need to ensure all user accounts in your partner tenant have multi-factor authentication enforced.

To help identify the key areas where you can take action, we provide the security requirements status report, which is available through Partner Center.

See partner security requirements status for more information on the status report.

Required Actions

What are the key actions I need to take to meet the requirements?

All partners in the CSP program (direct bill, indirect provider, and indirect reseller), Advisors, and Control Panel Vendors must meet the requirements.

  1. Enforce MFA for all users

    All partners in the CSP program, Advisors, and Control Panel Vendors are required to enforce MFA for all users in their partner tenant.

    Additional considerations:

    • Indirect providers need to work with indirect resellers to onboard to Partner Center if they have not done so already and encourage their resellers to meet the requirements.
    • Azure MFA is available to all users in the partner tenant at no cost through Azure AD security defaults. With security defaults, the only verification method is an authenticator application that supports time-based one-time passwords (TOTP).
    • Additional verification methods, such as a phone call or text message, are available through the Azure Active Directory Premium SKUs.
    • Partners can also use a third-party MFA solution, provided it is enforced for each account when accessing Microsoft commercial cloud services.
  2. Adopt the Secure Application Model framework

    All partners who have developed custom integrations using any APIs (such as Azure Resource Manager, Microsoft Graph, or the Partner Center API) or implemented custom automation using tools such as PowerShell need to adopt the Secure Application Model framework to integrate with Microsoft cloud services. Failure to do so may result in a disruption when MFA is deployed. The following resources provide an overview and guidance on how to adopt the model.

    If you're using a control panel, consult with the vendor regarding the adoption of the Secure Application Model framework.

    Control panel vendors are required to onboard to Partner Center as a control panel vendor and start implementing this requirement immediately. Refer to the Partner Center: Secure Application Model framework. Control panel vendors must accept and manage CSP partners' consent instead of their credentials, and purge all existing CSP partners' credentials.

Multi-Factor Authentication

What is Multi-Factor Authentication (MFA)?

MFA is a security mechanism through which individuals are authenticated using more than one required verification step. It works by requiring two or more of the following factors:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

What is the cost of enabling MFA?

Microsoft provides MFA at no cost through the implementation of Azure AD security defaults. The only verification option available through this version of MFA is an authenticator application. If a phone call or SMS message is required, then an Azure Active Directory Premium license will need to be purchased. Alternatively, you can utilize a third-party solution to provide MFA for each user in your partner tenant - in this case, it is your responsibility to ensure your MFA solution is being enforced and that you're compliant.

What actions do I need to take if I already have an MFA solution?

Through these security requirements users in a partner tenant will be required to authenticate using MFA when accessing Microsoft commercial cloud services. Third-party solutions can be used to fulfill these requirements. Microsoft no longer provides validation testing to independent identity providers for compatibility with Azure Active Directory. To test your product for interoperability, refer to these guidelines.

Important

When you're using a third-party solution, it is important to verify that the solution issues the authentication method reference (AMR) claim and that the claim includes the MFA value. See Testing the Partner Security Requirements for details on how to validate that your third-party solution is issuing the expected claim.

I use multiple partner tenants to transact. Do I need to implement MFA on them all?

Yes, you'll need to enforce MFA in each Azure Active Directory tenant associated with the CSP program or the Advisor program. If you rely on Azure Active Directory Premium for MFA, you must license the users in each of those tenants separately.

Does each user account in my partner tenant need to have MFA enforced?

Yes, each user will need to have MFA enforced. However, if you're using Azure AD security defaults, then there is no additional action required because that feature enforces MFA for all user accounts. Enabling security defaults is a free and easy way to ensure your user accounts are MFA-compliant and not impacted when MFA is enforced.

I am a direct bill partner with Microsoft. What do I need to do?

Direct bill Cloud Solution Provider partners must enforce MFA for each user in their partner tenant.

I am an indirect reseller and only transact through a distributor. Do I still have to enable MFA?

All indirect resellers are required to enforce MFA for each user in their partner tenant. Transacting through a distributor doesn't remove that obligation; the indirect reseller must enable MFA.

I don't use the Partner Center API. Do I still need to implement MFA?

Yes, this security requirement is for all users including partner admin users and end users in a partner tenant.

Which third-party vendors provide MFA solutions compatible with Azure Active Directory?

When reviewing MFA vendors and solutions, partners must ensure the solution they choose is compatible with Azure Active Directory.

Microsoft no longer provides validation testing to independent identity providers for compatibility with Azure Active Directory. If you would like to test your product for interoperability, refer to these guidelines.

For more information, see the Azure AD federation compatibility list.

How can I test MFA in our integration sandbox?

Enable the Azure AD security defaults feature in the sandbox tenant, or alternatively use a third-party solution that relies on federation.

Will enabling MFA affect how I interact with my customer's tenant?

No. The fulfillment of these security requirements will not impact how you manage your customers. Your ability to perform delegated administrative operations will not be interrupted.

Are my customers subject to the partner security requirements?

No, it is not required that you enforce MFA for each user in your customer's Azure AD tenants. However, it is recommended that you work with each customer to determine how best to protect their users.

Can any user be excluded from the MFA requirement?

No, each user, including service accounts, in your partner tenant will be required to authenticate using MFA.

Do the partner security requirements apply to the integration sandbox?

Yes, the partner security requirements apply to the integration sandbox. This means you'll need to implement an appropriate MFA solution for users in the integration sandbox tenant. It is recommended that you implement Azure AD security defaults to provide MFA.

How do I configure an emergency access (break glass) account?

It is considered a best practice to create one or two emergency access accounts so that you're not inadvertently locked out of your Azure AD tenant. The partner security requirements still require each user, emergency access accounts included, to authenticate using MFA, so the usual definition of an emergency access account as one exempt from MFA doesn't apply. One option is an account that uses a third-party solution for MFA. Whichever method you choose, the account must still be challenged for MFA.

Is Active Directory Federation Service (ADFS) required if I am using a third-party solution?

No, Active Directory Federation Services (ADFS) is not required if you're using a third-party solution. It is recommended that you work with the vendor of the solution to determine what their solution requires.

Is it a requirement to enable Azure AD security defaults?

No, it is not required that you enable Azure AD security defaults.

Can conditional access be used to meet the MFA requirement?

Yes, you can use Conditional Access to enforce MFA for each user, including service accounts, in your partner tenant. However, given the highly privileged nature of being a partner, each user must receive an MFA challenge on every authentication. This means you can't use the Conditional Access features that skip the MFA challenge, such as excluding trusted locations, trusted devices, or specific users and groups from the policy.

Will the service account used by Azure AD Connect be impacted by the partner security requirements?

No, the service account used by Azure AD Connect will not be impacted by the partner security requirements. If you experience an issue with Azure AD Connect as result of enforcing MFA, then open a technical support request with Microsoft support.

Secure Application Model

Who should adopt the secure application model to meet the requirements?

Microsoft is introducing a secure, scalable framework for authenticating Cloud Solution Provider (CSP) partners and Control Panel Vendors (CPV) that leverages multi-factor authentication. All partners who have developed custom integrations using any APIs (such as Azure Resource Manager, Microsoft Graph, or the Partner Center API) or implemented custom automation using tools such as PowerShell need to adopt the Secure Application Model framework to integrate with Microsoft cloud services. See the Secure Application Model guide for more information.

What is the Secure Application Model?

Microsoft is introducing a secure, scalable framework for authenticating Cloud Solution Provider (CSP) partners and Control Panel Vendors (CPV) that leverages Multi-Factor Authentication. See the Secure Application Model guide for more information.

How do I implement the Secure Application Model?

All partners who have developed custom integrations using any APIs (such as Azure Resource Manager, Microsoft Graph, or the Partner Center API) or implemented custom automation using tools such as PowerShell need to adopt the Secure Application Model framework to integrate with Microsoft cloud services. Failure to do so may result in a disruption when MFA is deployed. The following resources provide an overview and guidance on how to adopt the model.

If you're using a control panel, consult with the vendor regarding the adoption of the Secure Application Model framework.

Control panel vendors are required to onboard to Partner Center as a control panel vendor and start implementing this requirement immediately. Refer to the Partner Center: Secure Application Model framework. Control panel vendors must accept and manage CSP partners' consent instead of their credentials, and purge all existing CSP partners' credentials.

Does the Secure Application Model need to be implemented for the Partner Center API/SDK only?

Enforcing multi-factor authentication for all user accounts affects any automation or integration that is intended to run non-interactively. While the partner security requirements only require you to adopt the secure application model for the Partner Center API, the same model can be used to satisfy the second-factor requirement for other automation and integration.

Note

Resources being accessed will need to support access token-based authentication.

I am using automation tools such as PowerShell. How do I implement the Secure Application Model?

You will need to implement the Secure Application Model if your automation is intended to be run non-interactively and relies on user credentials for authentication. See Secure Application Model | Partner Center PowerShell for guidance on how to implement this framework.

Note

Not all automation tools provide the ability to authenticate using access tokens. Post a message on the Partner Center Security Guidance group if you need help understanding what changes need to be made.

It is recommended that you use a service account that has been assigned the least-privileged permissions. With respect to the Partner Center API, use an account that has been assigned either the Sales Agent or the Admin Agent role.

Using a least-privileged identity reduces risk. Don't use an account that has Global Admin privileges, because that grants more permissions than the integration requires.

I am a CSP partner. How do I know if my Control Panel Vendor (CPV) is working on implementing the solution or not?

For partners using a Control Panel Vendor (CPV) solution to transact in the Cloud Solution Provider (CSP) program, it is your responsibility to consult with your CPV.

Who is a Control Panel Vendor (CPV)?

A Control Panel Vendor is an independent software vendor that develops apps for use by CSP partners to integrate with Partner Center APIs. A Control Panel Vendor is not a CSP partner with direct access to the Partner Center dashboard or APIs. A detailed description is available in the Partner Center: Secure Application Model guide.

I am a CPV. How do I enroll?

To enroll as a control panel vendor (CPV), follow the guidelines provided here.

CPVs must contact CPVHelp@microsoft.com to receive the enrollment link and provide a Microsoft employee sponsor who has a business relationship with the CPV or knows their business. For example, a Partner Development Manager (PDM).

Once you enroll in Partner Center and register your applications, you'll have access to Partner Center APIs. You will receive your sandbox information via a Partner Center notification if you're a new CPV. Once you have completed enrollment as a Microsoft CPV and accepted the CPV agreement, you can:

  1. Manage multi-tenant applications (add applications in the Azure portal, and register and unregister applications in Partner Center).

    Note

    CPVs must register their applications in Partner Center to get authorized for Partner Center APIs. Adding applications to the Azure portal alone does not authorize CPV applications for Partner Center APIs.

  2. View and manage your CPV profile.

  3. View and manage the users who need access to CPV capabilities. The only role available to CPV users is Global Admin.

I am using the Partner Center SDK. Will SDK automatically adopt the Secure Application Model?

No, you'll need to follow the guidelines provided in the Secure Application Model guide.

Can I generate a refresh token for the secure application model with accounts that don't have MFA enabled?

Yes, a refresh token can be generated using an account that doesn't have MFA enforced, but this should be avoided. Access tokens obtained with such a refresh token carry no evidence of an MFA challenge, so resources that require MFA will reject them.

How should my application obtain an access token if we enable MFA?

You will need to follow the Secure Application Model guide that provides detail on how to do so whilst complying with the new security requirements. You can find .NET sample code here and Java sample code here.
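For the PowerShell question above and this one, the following Python is an added example (not the page's .NET or Java samples, the Partner Center SDK, or the Partner Center PowerShell module). It shows the non-interactive leg of the Secure Application Model: the refresh token that a partner user obtained once, interactively and after completing MFA, is redeemed for an app + user access token with the standard OAuth 2.0 refresh_token grant, and the rotated refresh token that Azure AD returns is written back to the secret store. The tenant ID, client ID, secret, refresh token and the JSON responses are constructed placeholders, and the in-memory dict stands in for a secret store such as Azure Key Vault.

```python
"""Secure Application Model, non-interactive leg (added example, constructed data)."""
import json
import urllib.parse
import urllib.request
from typing import Dict, Tuple

AUTHORITY = "https://login.microsoftonline.com"
# Scope for app + user access to the Partner Center API.
PARTNER_CENTER_SCOPE = "https://api.partnercenter.microsoft.com/user_impersonation"


def build_refresh_request(tenant_id: str, client_id: str, client_secret: str,
                          refresh_token: str,
                          scope: str = PARTNER_CENTER_SCOPE) -> Tuple[str, Dict[str, str]]:
    """Assemble the OAuth 2.0 refresh_token grant for the Azure AD v2.0 token endpoint.

    The refresh token was issued once, interactively, to a partner user who
    completed MFA (authorization code flow). Redeeming it yields an app + user
    token that still carries that user's MFA evidence, so no user password and
    no interactive prompt is needed at run time.
    """
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,  # confidential client secret; never a user password
        "refresh_token": refresh_token,
        "scope": scope,
    }
    return url, form


def parse_token_response(body: str) -> Dict[str, object]:
    """Validate the token endpoint's JSON reply and extract what the caller needs."""
    data = json.loads(body)
    if "error" in data:
        # Typical causes: expired or revoked refresh token, rotated secret, consent removed.
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    missing = [k for k in ("access_token", "expires_in") if k not in data]
    if missing:
        raise RuntimeError(f"token response missing {missing}")
    return {
        "access_token": data["access_token"],
        "expires_in": int(data["expires_in"]),
        # Azure AD rotates the refresh token on redemption; the new one must be persisted.
        "new_refresh_token": data.get("refresh_token"),
    }


def rotate_refresh_token(store: Dict[str, str], key: str, parsed: Dict[str, object]) -> bool:
    """Write the rotated refresh token back to the secret store. Returns True if it changed."""
    new_token = parsed.get("new_refresh_token")
    if not new_token or new_token == store.get(key):
        return False
    store[key] = str(new_token)
    return True


def redeem_refresh_token(tenant_id: str, client_id: str, client_secret: str,
                         store: Dict[str, str], key: str,
                         scope: str = PARTNER_CENTER_SCOPE, timeout: int = 30) -> str:
    """Network call (not exercised offline): POST the grant, rotate, return the access token."""
    url, form = build_refresh_request(tenant_id, client_id, client_secret, store[key], scope)
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        parsed = parse_token_response(resp.read().decode("utf-8"))
    rotate_refresh_token(store, key, parsed)
    return str(parsed["access_token"])


# Constructed placeholders; not real identifiers, secrets or tokens.
TENANT_ID = "contoso-partner.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
SECRET_STORE = {"pc-refresh-token": "0.constructed-original-refresh-token"}
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "scope": PARTNER_CENTER_SCOPE,
    "expires_in": 3599,
    "access_token": "eyJ.constructed.access-token",
    "refresh_token": "0.constructed-rotated-refresh-token",
})
SAMPLE_ERROR = json.dumps({"error": "invalid_grant",
                           "error_description": "constructed: refresh token expired"})

if __name__ == "__main__":
    url, form = build_refresh_request(TENANT_ID, CLIENT_ID, "<secret-from-key-vault>",
                                      SECRET_STORE["pc-refresh-token"])
    print("POST", url, "grant_type=" + form["grant_type"])
    parsed = parse_token_response(SAMPLE_RESPONSE)
    print("rotated:", rotate_refresh_token(SECRET_STORE, "pc-refresh-token", parsed))
```

The secret and refresh token should be read from the secret store at run time rather than embedded in scripts, and the partner user who performs the one-time consent should hold only the Sales Agent or Admin Agent role the integration needs. If the endpoint returns invalid_grant, the refresh token has expired or been revoked and a partner user must repeat the interactive consent with MFA.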

As a CPV, do I create an Azure AD application in our CPV tenant or the tenant of the CSP partner?

The CPV will need to create the Azure Active Directory application in the tenant associated with their enrollment as a CPV.

I am a CSP that is using app only authentication. Do I need to make any changes?

App only authentication is not impacted as user credentials aren't being used to request an access token. If user credentials are being shared, then control panel vendors (CPVs) must adopt the Secure Application Model framework and purge any existing partner credentials they have.

As a CPV can I leverage the app only authentication style to get access tokens?

No, Control Panel Vendor partners cannot utilize the app only authentication style to request access tokens on the behalf of partner. They should implement the secure application model, which utilizes the app + user authentication style.

Technical Enforcement

What is the activation of security safeguards?

All partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors (CPVs), and Advisors should implement the mandatory security requirements to stay compliant.

To provide additional protection, Microsoft began the activation of security safeguards that help partners secure their tenants and their customers by mandating multi-factor authentication (MFA) verification to prevent unauthorized access.

We successfully completed the activation for admin-on-behalf-of (AOBO) capabilities to all partner tenants. To further help protect partners and customers, targeting Q2 CY2020, we will begin the activation for Partner Center transactions in CSP, helping partners protect their businesses and customers from identity-theft related incidents.

For more information, visit Mandating Multi-factor Authentication (MFA) for your partner tenant page.

I am using a third-party MFA solution and I am being blocked, what should I do?

To validate that the account accessing resources was challenged for multi-factor authentication, we will be checking the authentication method reference claim to see if MFA is listed. Some third-party solutions don't issue this claim or don't include the MFA value. If the claim is missing, or the MFA value is not listed, then there is no way to determine if the authenticated account was challenged for multi-factor authentication. You will need to work with the vendor for your third-party solution to determine what actions need to be taken so the solution will issue the authentication method reference claim.

See Testing the Partner Security Requirements if you're unsure if your third-party solution is issuing the expected claim or not.
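The check described in the answer above (and in the Important note under "What actions do I need to take if I already have an MFA solution?") can be reproduced locally against a token your identity provider issues. The following Python is an added example, not code from the page, from Microsoft, or from the Partner Center SDK: it parses a JWT's payload, inspects the amr (authentication method reference) claim for the mfa value, and reports why a token would be blocked. The sample tokens are constructed and unsigned; a real token's signature must be verified against the issuer's published keys before any claim in it is trusted.

```python
"""Check that a token's amr claim proves an MFA challenge (added example, constructed tokens)."""
import base64
import json
import time
from typing import Dict, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> Dict[str, object]:
    """Return the payload claims of a compact JWT.

    This parses only; it does not verify the signature. Production code must
    validate the signature against the issuer's keys (for Azure AD, the JWKS
    published at its OpenID metadata endpoint) before trusting any claim here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def mfa_satisfied(claims: Dict[str, object], now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether the token proves an MFA challenge occurred.

    Mirrors the enforcement the page describes: the amr claim (RFC 8176) must be
    present and must list "mfa". An expired token is rejected as well.
    """
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and now >= exp:
        return False, "token expired"
    amr = claims.get("amr")
    if amr is None:
        return False, "amr claim missing: MFA cannot be determined"
    if not isinstance(amr, list):
        return False, "amr claim is not a list"
    if "mfa" not in amr:
        return False, f"amr lacks 'mfa' (got {amr})"
    return True, "ok"


def make_unsigned_token(claims: Dict[str, object]) -> str:
    """Build a constructed, UNSIGNED token (alg none) for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens; not real Azure AD or third-party IdP tokens.
FUTURE = 4102444800  # 2100-01-01T00:00:00Z
GOOD_TOKEN = make_unsigned_token({"sub": "user1", "amr": ["pwd", "mfa"], "exp": FUTURE})
PASSWORD_ONLY_TOKEN = make_unsigned_token({"sub": "user2", "amr": ["pwd"], "exp": FUTURE})
NO_AMR_TOKEN = make_unsigned_token({"sub": "user3", "exp": FUTURE})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("pwd-only", PASSWORD_ONLY_TOKEN), ("no-amr", NO_AMR_TOKEN)]:
        ok, why = mfa_satisfied(decode_claims(tok))
        print(f"{name}: {'allow' if ok else 'block'} ({why})")
```

To inspect a real token, pass the token issued after signing in through your third-party MFA solution to decode_claims(). If mfa_satisfied() reports that the amr claim is missing or lacks mfa, that is exactly the condition under which the enforcement redirects you to sign in again, and the vendor needs to change what their solution asserts.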

MFA is blocking me from supporting my customer using AOBO, what should I do?

The technical enforcement for the partner security requirements checks whether the authenticated account has been challenged for multi-factor authentication. If it hasn't, you're redirected to the sign-in page and prompted to authenticate again. For more on the experience and guidance, see the Mandating Multi-factor Authentication (MFA) for your partner tenant documentation. If your domain isn't federated, you'll be prompted to set up multi-factor authentication after successfully authenticating; once that's done, you'll be able to manage your customers using AOBO. If your domain is federated, you'll need to ensure that your identity provider challenges the account for multi-factor authentication and that the resulting authentication method reference claim includes the MFA value.

Security Defaults Transition

How can I transition from baseline policies to security defaults or other MFA solutions?

Azure Active Directory (Azure AD) "baseline" policies are being removed and replaced with "security defaults", a more comprehensive set of protection policies for you and your customers. Security defaults can help protect your organization from identity-theft related security attacks.

If you haven't transitioned from baseline policies to security defaults or another MFA option, your multi-factor authentication (MFA) implementation will be removed when the baseline policies are retired. Any users in your partner tenants performing MFA-protected operations will then be asked to complete MFA verification. Review more detailed guidance here. To stay compliant and minimize disruptions, take one of the following actions:

  • Transition to security defaults
    • Security defaults policy is one of the options that partners can choose to implement MFA. It offers a basic level of security enabled at no extra cost.
    • Learn how to enable MFA for your organization with Azure AD and review the security defaults key considerations.
    • Enable security defaults policy if it meets your business needs.
  • Transition to Conditional Access
    • If security defaults policy does not serve your needs, enable Conditional Access. For more information, review the Azure AD Conditional Access documentation.

Key Resources

How to get started

Resources for adopting secure application model

Support

Where can I get support?

For support resources to meet the security requirements, if you have Advanced Support for Partners (ASfP) contact your Service Account Manager; for Premier Support for Partners agreement (PSfP), contact your Service Account Manager and Technical Account Manager.

How do I get technical information and support to help me adopt secure application model framework?

Technical product support options for Azure Active Directory are available through your MPN benefits. Partners with access to an active ASfP or PSfP subscription can work with their associated account manager (SAM/TAM) to best understand the options available to them.

How do I contact support if I've lost access to Partner Center?

If you lose access due to an MFA issue, contact the global admin for your tenant. Your internal IT department will be able to tell you who your global admin is.

If you forgot your password, read Unable to sign in for help.

Where can I find more information about common technical issues?

Information regarding common technical issues can be found in Partner security requirements for partners using Partner Center or Partner Center APIs.