CSP security best practices

All partners in the Cloud Solution Provider (CSP) program accessing Partner Center and Partner Center APIs should follow the security guidance in this article to protect themselves and customers.

For customer security, see Customer security best practices.

Important

Azure Active Directory (Azure AD) Graph is deprecated as of June 30, 2023. Going forward, we're making no further investments in Azure AD Graph. Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. Investments in new features and functionalities will only be made in Microsoft Graph.

We'll retire Azure AD Graph in incremental steps so that you have sufficient time to migrate your applications to Microsoft Graph APIs. At a later date that we will announce, we will block the creation of any new applications using Azure AD Graph.

To learn more, see Important: Azure AD Graph Retirement and Powershell Module Deprecation.

Highly recommended steps in your tenants

• Add a security contact for security-related issue notifications in the Partner Center tenant.
• Check your identity secure score in Microsoft Entra ID and take the appropriate actions to raise your score.
• Review and implement the guidance documented in Managing nonpayment, fraud, or misuse.
• Familiarize yourself with the NOBELIUM threat actor and related materials:
  • NOBELIUM targeting delegated administrative privileges to facilitate broader attacks
  • NOBELIUM response training
  • Securing the channel: Journey to zero trust

Identity best practices

Require multifactor authentication

• Ensure that all users in your Partner Center tenants and your customer tenants are registered for and require multifactor authentication (MFA). There are various ways to configure MFA. Choose the method that applies to the tenant you're configuring:
  • My Partner Center/Customer's tenant has Microsoft Entra ID P1
    • Use Conditional Access to enforce MFA.
  • My Partner Center/Customer's tenant has Microsoft Entra ID P2
    • Use Conditional Access to enforce MFA.
    • Implement risk-based policies using Microsoft Entra ID Protection.
    • For your Partner Center tenant, you might qualify for Microsoft 365 E3 or E5, depending on your Internal Use Rights (IUR) benefits. These SKUs include Microsoft Entra ID P1 or 2, respectively.
    • For your customer's tenant, we recommend enabling security defaults.
      • If your customer is using apps that require legacy authentication, those apps won't function after you enable security defaults. If the app can't be replaced, removed, or updated to use modern authentication, you can enforce MFA through per-user MFA.
      • You can monitor and enforce your customer's use of security defaults using the following Graph API call:
        • identitySecurityDefaultsEnforcementPolicy resource type - Microsoft Graph v1.0 | Microsoft Learn
• Ensure that the MFA method used is phishing-resistant. You can do so by using passwordless authentication or number matching.
• If a customer refuses to use MFA, don't provide them either any administrator role access to Microsoft Entra ID, or write permissions to Azure Subscriptions.

App access

• Adopt the Secure Application Model framework. All partners integrating with Partner Center APIs must adopt the Secure Application Model framework for any app and user auth model applications.
• Disable user consent in Partner Center Microsoft Entra tenants or use the admin consent workflow.

Least privilege / No standing access

• Users who have Microsoft Entra administrative roles such as Global admin or Security admin shouldn't regularly use those accounts for email and collaboration. Create a separate user account with no Microsoft Entra administrative roles for collaboration tasks.
• Review the Admin agent group and remove people who don't need access.
• Regularly review administrative role access in Microsoft Entra ID, and limit access to as few accounts as possible. For more information, see Microsoft Entra built-in roles.
• Users who leave the company or change roles within the company should be removed from Partner Center access.
• If you have Microsoft Entra ID P2, use Privileged Identity Management (PIM) to enforce just-in-time (JIT) access. Use dual custody to review and approve access for Microsoft Entra administrator roles and Partner Center roles.
• For securing privileged roles, see Securing privileged access overview.
• Regularly review access to customer environments.
  • Remove inactive Delegated Administration Privileges (DAP).
  • GDAP frequently asked questions.
  • Ensure that GDAP relationships are utilizing roles with the least privileges needed.

Identity isolation

• Avoid hosting your Partner Center instance in the same Microsoft Entra tenant that hosts your internal IT services, such as email and collaboration tools.
• Use separate, dedicated user accounts for Partner Center privileged users who have customer access.
• Avoid creating user accounts in customer Microsoft Entra tenants intended to be used by partners to administer the customer tenant and related apps and services.

Devices best practices

• Only allow Partner Center and customer tenant access from registered, healthy workstations that have managed security baselines and are monitored for security risks.
• For Partner Center users with privileged access to customer environments, consider requiring dedicated workstations (virtual or physical) for those users to access customer environments. For more information, see Securing privileged access.

Monitoring best practices

Partner Center APIs

• All Control Panel vendors should Enable the secure application model and turn on logging for every user activity.
• Control Panel vendors should enable auditing of every partner agent logging into the application and all actions taken.

Sign-in monitoring and auditing

• Partners with a Microsoft Entra ID P2 license automatically qualify to keep audit and sign-in log data up to 30 days.

  Confirm that:

  • Audit logging is in place where delegated administrator accounts are used.
  • Logs are capturing the maximum level of details provided by the service.
  • Logs are retained for an acceptable period (up to 30 days) that allows for detection of anomalous activity.

  Detailed audit logging might require purchasing more services. For more information, see How long does Microsoft Entra ID store reporting data?

• Regularly review and verify password recovery email addresses and phone numbers within Microsoft Entra ID for all users with the Global admin roles, and update if necessary.

  • If a customer’s tenant is compromised: the CSP Direct Bill Partner, the Indirect Provider, or your Indirect Reseller can't contact support requesting an Administrator password change in the customer’s tenant. The Customer must call Microsoft support by following the instructions in the topic Reset my admin password. The Reset my admin password topic has link that customers can use to call Microsoft Support. Instruct the Customer to mention that the CSP no longer has access to their tenant to assist with resetting the password. The CSP should consider suspending the customer's subscriptions until access is regained and the offending parties are removed.

• Implement audit logging best practices and perform routine review of activity performed by delegated administrator accounts.

  • What are Microsoft Entra reports?
  • Analyze activity logs using Azure Monitor logs
  • Microsoft Entra audit activity reference

• Partners should review the risky users report within their environment and address the accounts that are detected to present risk according to published guidance.

  • Remediate risks and unblock users
  • User experiences with Microsoft Entra ID Protection

Related materials

• For best practices for managing service principals, see Securing service principals in Microsoft Entra ID.
• Partner security requirements
• Guiding principles of Zero Trust
• Customer security best practices