Security requirements status report
Appropriate roles: CPV admin | Global admin
This article explains the security requirements status report in Partner Center. This report gives metrics on compliance with partner security requirements for multi-factor authentication (MFA) for users in your partner tenant.
To access this report in Partner Center, select the Settings gear icon, then Account settings, then Security requirements status. The report is updated daily and reflects sign-in data from the last seven days.
The security requirements status report is supported only in Partner Center. It's not available in the Microsoft Cloud for US Government or Microsoft Cloud Germany. We strongly recommend that all partners transacting through a sovereign cloud (US Government and Germany) adopt these new security requirements immediately. However, these partners are currently not required to meet the new security requirements. Microsoft will provide additional details regarding the enforcement of these security requirements for sovereign clouds in the future.
Security status metrics
The security requirements status report offers insights into partner MFA implementation, and provides metrics on MFA configuration and Partner Center activities on partner tenants. The following sections explain these metrics in more detail.
MFA configuration on a partner tenant
The metric Percentage of enabled user accounts with MFA enforced using options listed here shows the percentage of enabled user accounts on your partner tenant that have MFA enforced. Any one of the listed MFA options achieves compliance. This data is captured and reported daily. For example:
- Contoso is a CSP partner with 110 user accounts in the tenant; 10 of those user accounts are disabled.
- Of the remaining 100 user accounts, 90 have MFA enforced using one of the provided MFA options. Hence, the metric shows 90%.
Partner Center requests with MFA
Each time your employees sign in to Partner Center to work, or get or send data through the Partner Center APIs, their security status is challenged and tracked. Security-status tracking also covers your own applications and any control panel vendor applications. This data is shown in the metrics under Percentage of requests to Partner Center with MFA, and reflects the past seven days.
Dashboard MFA verification
The metric Through Partner Center portal is related to activities within the Partner Center dashboard. It measures the percentage of operations made by users who have completed MFA verification. For example:
- Contoso is a CSP partner with two admin agents, Jane and John.
- On the first day, Jane logged in to Partner Center dashboard without MFA verification and made three operations.
- On the second day, John logged in to Partner Center dashboard without MFA verification and made five operations.
- On the third day, Jane logged in to Partner Center dashboard with MFA verification and made two operations.
- There were no operations made by either agent on the remaining four days.
- Out of the 10 operations made in the seven-day window, two were made by a user with MFA verification. Hence, the metric shows 20%.
Use the file Portal requests without MFA to identify which users signed in to the Partner Center dashboard without MFA verification, and the time of their last visit during the reporting window.
App+User MFA verification
The metric Through API or SDK is related to App+User authentication through Partner Center API requests. It measures the percentage of API requests made using an access token with MFA claim. For example:
- Fabrikam is a CSP partner and has a CSP application that uses a mix of App+User authentication and app-only authentication methods.
- On the first day, the application made three API requests, which were backed by an access token obtained through App+User authentication method without MFA verification.
- On the second day, the application made five API requests, which were backed by an access token obtained using App-only authentication.
- On the third day, the application made two API requests, which were backed by an access token obtained using App+User authentication method with MFA verification.
- The application made no API requests on the remaining four days.
- The five API requests on the second day, which were backed by an access token obtained through App-only authentication, are omitted from the metric because App-only authentication does not use user credentials. Of the remaining five requests, two were backed by an access token obtained with MFA verification. Hence, the metric shows 40%.
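The two worked examples above (Contoso's dashboard operations and Fabrikam's API requests) computed over constructed request records, as an added example that is not part of the Partner Center documentation or product. The record layout, the seven-day window helper and the user listing are assumptions made here to mirror the metrics and the Portal requests without MFA file; the report itself does not expose data in this form.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample records standing in for the report's per-request data.
@dataclass(frozen=True)
class Request:
    day: date       # day the operation or API request happened
    channel: str    # "portal" (dashboard) or "api" (Partner Center API/SDK)
    auth: str       # "user" for portal; "app+user" or "app-only" for api
    mfa: bool       # the session or access token carried an MFA verification
    user: str = ""  # signed-in user; empty for app-only tokens

def in_window(rec, end, days=7):
    """Keep only records from the trailing seven-day reporting window."""
    return end - timedelta(days=days - 1) <= rec.day <= end

def portal_mfa_percent(records, end):
    """'Through Partner Center portal': share of dashboard operations done with MFA."""
    ops = [r for r in records if r.channel == "portal" and in_window(r, end)]
    return None if not ops else 100 * sum(r.mfa for r in ops) / len(ops)

def api_mfa_percent(records, end):
    """'Through API or SDK': share of App+User requests whose token carries the
    MFA claim. App-only requests use no user credentials and are left out."""
    reqs = [r for r in records
            if r.channel == "api" and r.auth == "app+user" and in_window(r, end)]
    return None if not reqs else 100 * sum(r.mfa for r in reqs) / len(reqs)

def portal_users_without_mfa(records, end):
    """Like the 'Portal requests without MFA' file: user -> last non-MFA visit."""
    last = {}
    for r in records:
        if r.channel == "portal" and not r.mfa and in_window(r, end):
            last[r.user] = max(last.get(r.user, r.day), r.day)
    return last

END = date(2024, 1, 7)
def day(n):  # day n (1..7) of the window that ends on END
    return END - timedelta(days=7 - n)

# Contoso: Jane 3 ops without MFA, John 5 without, Jane 2 with, plus one stale visit.
CONTOSO = ([Request(day(1), "portal", "user", False, "jane")] * 3
           + [Request(day(2), "portal", "user", False, "john")] * 5
           + [Request(day(3), "portal", "user", True, "jane")] * 2
           + [Request(END - timedelta(days=30), "portal", "user", False, "old")])
# Fabrikam: 3 App+User requests without MFA, 5 app-only, 2 App+User with MFA.
FABRIKAM = ([Request(day(1), "api", "app+user", False, "svc")] * 3
            + [Request(day(2), "api", "app-only", False)] * 5
            + [Request(day(3), "api", "app+user", True, "svc")] * 2)

if __name__ == "__main__":
    print(portal_mfa_percent(CONTOSO, END), api_mfa_percent(FABRIKAM, END))
```

The stale Contoso visit 30 days back is dropped by the window filter, so the totals match the 20% and 40% figures in the text.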
To understand which App+User activities keep this metric below 100%, use these files:
- API requests summary to see the overall MFA status by application.
- All API requests to see the detail of each API request made by users of your tenant; the result is limited to the 10,000 most recent requests to keep the download manageable.
Actions for MFA status below 100%
Some partners who have implemented MFA might see report metrics below 100%. To understand why, here are some factors to consider.
You will need to work with somebody from your organization who is familiar with identity management and MFA implementation for your partner tenant.
Implement MFA for your partner tenant
You must implement MFA for your partner tenant to reach compliance. For details on how to implement MFA, see Security requirements for using Partner Center or Partner Center APIs.
MFA metrics are calculated on a daily basis and take into account operations performed in the last seven days. If you only recently completed MFA implementation for your partner tenant, the metrics may not yet show 100%.
Verify MFA on all user accounts
Understand whether your current MFA implementation covers all user accounts or only some. Some MFA solutions are policy-based and support user exclusion, while others might require you to explicitly enable MFA on a per-user basis. Verify you have not excluded any user from your current MFA implementation. Any user account that is excluded and logs in to Partner Center to perform any CSP-, CPV-, or Advisor-related activity can cause the metrics to not be 100%.
Review your MFA conditions
Understand whether your current implementation enforces MFA only under specific conditions. Some MFA solutions can be configured to enforce MFA only when certain conditions are met, for example when a user is accessing from an unknown device or an unknown location. A user who is enabled for MFA but isn't required to complete MFA verification when accessing Partner Center can cause the metrics to not be 100%.
For partners who have implemented MFA using Azure AD security defaults, it is important to note that for non-admin user accounts multi-factor authentication is enforced based on risk. Users are prompted for MFA only during risky sign-in attempts (for example, when a user is signing in from a different location). In addition, users have up to 14 days to register for MFA, and users who have not completed MFA registration are not challenged for MFA verification during that 14-day period. Therefore, it is expected that the metrics may not be 100% for partners who have implemented MFA using Azure AD security defaults.
Review third-party MFA configurations
If you are using a third-party MFA solution, identify how you are integrating it with Azure AD. In general, there are two methods: identity federation and custom controls.
Identity federation - When Azure AD receives an authentication request, Azure AD redirects the user to the federated identity provider for authentication. Upon successful authentication, the federated identity provider redirects the user back to Azure AD along with a SAML token. In order for Azure AD to recognize that the user has completed MFA verification when authenticating to the federated identity provider, the SAML token must include the authenticationmethodsreferences claim (with value multipleauthn). Check whether the federated identity provider supports issuing such a claim. If so, check whether the federated identity provider has been configured to do so. If the claim is missing, Azure AD (and therefore Partner Center) will not know that the user has completed MFA verification, and the missing claim can cause the metric to not be 100%.
Custom Control - Azure AD Custom Control cannot be used to identify whether a user has completed MFA verification through a third-party MFA solution. As a result, any user who has completed MFA verification through a custom control will always appear to Azure AD (and in turn Partner Center) as not having completed MFA verification. Where possible, it is recommended that you switch to using Identity Federation as opposed to Custom Control when integrating with Azure AD.
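A way to check, on a captured SAML assertion from your federated identity provider, whether the authentication-methods claim carries the multipleauthn value that Azure AD needs. This is an added example, not Microsoft's or the identity provider's code; the claim URIs used are the ones AD FS-style federation emits and are assumed here, as are the constructed assertions, which omit signatures and most other elements. The function only inspects claim content; it does not validate the assertion.

```python
import xml.etree.ElementTree as ET

# Claim URIs assumed from AD FS-style federation; confirm them against your IdP's docs.
AUTHN_METHODS_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MULTIPLEAUTHN = "http://schemas.microsoft.com/claims/multipleauthn"
PASSWORD = "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def authn_methods(assertion_xml):
    """Return every value of the authentication-methods claim in a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AUTHN_METHODS_CLAIM:
            values += [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                       if v.text]
    return values

def mfa_visible_to_azure_ad(assertion_xml):
    """True only when multipleauthn is present; otherwise Azure AD (and so Partner
    Center) records the sign-in as having no MFA verification, even if the IdP
    actually challenged the user."""
    return MULTIPLEAUTHN in authn_methods(assertion_xml)

def build_assertion(methods):
    """Constructed minimal assertion for the example; methods=None omits the claim."""
    attr = ""
    if methods is not None:
        vals = "".join(f"<saml:AttributeValue>{m}</saml:AttributeValue>" for m in methods)
        attr = f'<saml:Attribute Name="{AUTHN_METHODS_CLAIM}">{vals}</saml:Attribute>'
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_example" Version="2.0">'
            '<saml:Subject><saml:NameID>jane@contoso.example</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{attr}</saml:AttributeStatement>'
            '</saml:Assertion>')

WITH_MFA = build_assertion([PASSWORD, MULTIPLEAUTHN])   # what Azure AD needs
PASSWORD_ONLY = build_assertion([PASSWORD])            # MFA done, but not signalled
NO_CLAIM = build_assertion(None)                       # IdP not configured to emit it

if __name__ == "__main__":
    for name, xml in [("with_mfa", WITH_MFA), ("password_only", PASSWORD_ONLY),
                      ("no_claim", NO_CLAIM)]:
        print(name, mfa_visible_to_azure_ad(xml))
```

If an identity provider that did challenge the user still yields the PASSWORD_ONLY or NO_CLAIM shape, the fix is on the IdP's claim issuance, not in Azure AD or Partner Center.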
Identify which users have signed in to Partner Center without MFA
It may be helpful to identify which users are signing in to Partner Center without MFA verification and check them against your current MFA implementation. You can use the Azure AD sign-in report to find out whether a user has completed MFA verification. The Azure AD sign-in report is currently only available to partners who have subscribed to Azure AD Premium or to any O365 SKU that includes Azure AD Premium (for example, EMS).