Partner security requirements status - get answers and check reports about current status

Applies to

  • All partners in the Cloud Solution Provider program
    • Direct bill
    • Indirect provider
    • Indirect reseller
  • All Control Panel Vendors
  • All Advisors

Appropriate users

  • All enabled users including guest users

Greater privacy safeguards and security are among our top priorities. We know that the best defense is prevention and that we are only as strong as our weakest link. That is why we need everyone in our ecosystem to act and ensure they have appropriate security protections in place. To help safeguard partners and customers, we're introducing a set of mandatory security requirements for Advisors, Control Panel Vendors, and partners participating in the Cloud Solution Provider program.

Starting August 1, 2019, all partners are required to enforce multi-factor authentication for all users, including service accounts, in their partner tenant. For more detailed information on the new security policies, read Partner Security Requirements.

We want to ensure that each user has an MFA challenge for every single authentication. This can be accomplished in one of the following ways:

  • Implementing Azure AD Premium to ensure that MFA is enforced for each user
  • Implementing the Azure AD security defaults
  • Implementing a third-party solution to ensure MFA is enforced for each user

Partner security requirements status

This report can help you verify the security requirements status by providing a way to see where you might be falling short. The tracking is regularly updated.

Note

The Partner security requirements status report is supported only in Partner Center. It's not available in the Microsoft Cloud for US Government or Microsoft Cloud Germany. We strongly recommend that all partners transacting through a sovereign cloud (21Vianet, US Government, and Germany) adopt these new security requirements immediately. However, these partners are not required to meet the new security requirements effective August 1, 2019. Microsoft will provide additional details regarding the enforcement of these security requirements for sovereign clouds in the future.

Multi-factor authentication ("MFA") report

The Partner Center MFA report offers insights into partner MFA implementation by providing two types of metrics based on MFA configuration and Partner Center activities of the CSP tenant:

MFA configuration on a CSP tenant

This metric is related to the MFA configuration on a CSP tenant, which is captured and reported on a daily basis. It measures the percentage of enabled user accounts with MFA enforced using any of those MFA options. For example:

  • Contoso is a CSP partner with 110 user accounts in the tenant; 10 of those user accounts are disabled.
  • Of the remaining 100 user accounts, 90 have MFA enforced using the provided MFA options. Hence, the metric shows 90%.

Partner Center activities with MFA

Each time your employees sign in to Partner Center to work or, through APIs, get or send data through Partner Center, their security status is challenged and tracked. Your applications and any control panel vendor applications are also included in security-status tracking. The status displayed is for the previous seven days.

MFA verification completed by users

This metric is related to activities within the Partner Center dashboard. It measures the percentage of operations made by users who have completed MFA verification. For example:

  • Contoso is a CSP partner with two admin agents, Jane and John.
  • On the first day, Jane logged in to Partner Center dashboard without MFA verification and made three operations.
  • On the second day, John logged in to Partner Center dashboard without MFA verification and made five operations.
  • On the third day, Jane logged in to Partner Center dashboard with MFA verification and made two operations.
  • There were no operations made by either agent on the remaining four days.
  • Out of the 10 operations made in the 7-day window, two were made by a user with MFA verification. Hence, the metric shows 20%.

Use the file Portal requests without MFA to understand which users logged in to the Partner Center dashboard without MFA verification, and the time of their last visit during the reporting window.

App+User authentication

This metric is related to the use of Partner Center API requests made using App+User authentication. It measures the percentage of API requests made using an access token with MFA claim. For example:

  • Fabrikam is a CSP partner and has a CSP application that uses a mix of App+User authentication and app-only authentication methods.
  • On the first day, the application made three API requests, which were backed by an access token obtained through App+User authentication method without MFA verification.
  • On the second day, the application made five API requests, which were backed by an access token obtained using App-only authentication.
  • On the third day, the application made two API requests, which were backed by an access token obtained using App+User authentication method with MFA verification.
  • The application made no API requests on the remaining four days.
  • The five API requests on the second day, which were backed by an access token obtained through App-only authentication, are omitted from the metric since they do not make use of user credentials. Out of the remaining five operations, two were backed by an access token obtained with MFA verification. Hence, the metric shows 40%.

If you want to understand which App+User activities result in this metric being less than 100%, use these files:

  • API requests summary to understand the overall MFA status by application.
  • All API requests to understand the detail of each API request made by users of your tenant. The result is limited to a maximum of the 10,000 most recent requests for a better downloading experience.
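The two activity metrics above ("MFA verification completed by users" and "App+User authentication") can be reproduced from request records, which helps when reconciling your own logs against the report. This is an added example, not Partner Center code; the record fields (`day`, `who`, `auth`, `mfa`) and the report date are assumptions, and the sample data is constructed to mirror the Contoso and Fabrikam scenarios.

```python
from datetime import date, timedelta

REPORT_DAY = date(2019, 8, 8)  # constructed; the window is the seven days before it
D1, D2, D3 = date(2019, 8, 1), date(2019, 8, 2), date(2019, 8, 3)

# Constructed records mirroring the Contoso and Fabrikam examples. Field names
# are assumptions for this sketch, not the columns of the downloadable files.
PORTAL = ([{"day": D1, "who": "jane", "mfa": False}] * 3
          + [{"day": D2, "who": "john", "mfa": False}] * 5
          + [{"day": D3, "who": "jane", "mfa": True}] * 2)
API = ([{"day": D1, "who": "fabrikam-app", "auth": "app+user", "mfa": False}] * 3
       + [{"day": D2, "who": "fabrikam-app", "auth": "app-only", "mfa": False}] * 5
       + [{"day": D3, "who": "fabrikam-app", "auth": "app+user", "mfa": True}] * 2
       # Older than seven days: must not affect the metric.
       + [{"day": date(2019, 7, 20), "who": "fabrikam-app",
           "auth": "app+user", "mfa": False}] * 4)


def in_window(day, report_day=REPORT_DAY, days=7):
    """True when the record falls in the seven days before the report day."""
    return report_day - timedelta(days=days) <= day < report_day


def user_backed(record):
    """App-only requests carry no user credentials and are left out."""
    return record.get("auth", "user") != "app-only"


def mfa_percentage(records):
    """Share of in-window, user-backed operations that had MFA verification."""
    counted = [r for r in records if in_window(r["day"]) and user_backed(r)]
    if not counted:
        return None  # no activity in the window: nothing to measure
    return 100 * sum(r["mfa"] for r in counted) / len(counted)


def last_seen_without_mfa(records):
    """Map each principal to its latest in-window operation made without MFA."""
    last = {}
    for r in records:
        if in_window(r["day"]) and user_backed(r) and not r["mfa"]:
            last[r["who"]] = max(last.get(r["who"], r["day"]), r["day"])
    return last


if __name__ == "__main__":
    print("portal:", mfa_percentage(PORTAL), last_seen_without_mfa(PORTAL))
    print("api:   ", mfa_percentage(API), last_seen_without_mfa(API))
```
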

What should I do if the metrics under MFA report aren't 100%?

It is possible that the metrics under Partner Center MFA report may not be 100% for partners who have implemented MFA. To understand why, here are some factors to consider.

Note

You will need to work with somebody from your organization who is familiar with identity management and MFA implementation for your partner tenant.

Have you implemented MFA for your partner tenant?

If not, you need to implement MFA for your partner tenant first. For details on how to implement MFA, refer to the article Partner Security Requirement.

Have you only recently completed MFA implementation?

The metrics are calculated on a daily basis and take into account operations performed in the last seven days. If you only recently completed MFA implementation for your partner tenant, the metrics may not be 100%.

Have some user accounts been excluded from MFA implementation?

Understand whether your current MFA implementation covers all user accounts or only some. Some MFA solutions are policy-based and support user exclusion, while others might require you to explicitly enable MFA on a per-user basis. Verify you have not excluded any user from your current MFA implementation. Any user account that is excluded and logs in to Partner Center to perform any CSP-related activity can cause the metrics to not be 100%.

Is MFA only required when certain conditions are met?

Understand whether your current implementation enforces MFA only under specific conditions. Some MFA solutions provide the flexibility to enforce MFA only when certain conditions are met, for example, when the user is accessing from an unknown device or unknown location. A user who is enabled for MFA but isn't required to complete MFA verification when accessing Partner Center can cause the metrics to not be 100%.

Note

For partners who have implemented MFA using Azure AD security defaults, it is important to note that for non-admin user accounts multi-factor authentication will be enforced based on risk. Users will be prompted for MFA only during risky sign-in attempts (for example, user is signing in from a different location). In addition, users will have up to 14 days to register for MFA. Users who have not completed MFA registration will not be challenged for MFA verification during the 14-day period. Therefore, it is expected that the metrics may not be 100% for partners who have implemented MFA using Azure AD security defaults.

Are you using a third-party MFA solution?

If you are using a third-party MFA solution, identify how you are integrating it with Azure AD. In general, there are two methods: federation and custom controls.

  • Identity federation - When Azure AD receives an authentication request, it redirects the user to the federated identity provider for authentication. Upon successful authentication, the federated identity provider redirects the user back to Azure AD along with a SAML token. For Azure AD to recognize that the user has completed MFA verification when authenticating to the federated identity provider, the SAML token must include the authenticationmethodsreferences claim (with value multipleauthn). Check whether the federated identity provider supports issuing such a claim. If so, check whether the federated identity provider has been configured to do so. If the claim is missing, Azure AD (and therefore Partner Center) will not know that the user has completed MFA verification, which can cause the metric to not be 100%.

  • Custom Control - Azure AD Custom Control cannot be used to identify whether a user has completed MFA verification through a third-party MFA solution. As a result, any user who has completed MFA verification through a custom control will always appear to Azure AD (and in turn Partner Center) as not having completed MFA verification. Where possible, it is recommended that you switch to using Identity Federation as opposed to Custom Control when integrating with Azure AD.
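To confirm that a federated identity provider actually issues the MFA claim described under Identity federation, a captured token can be inspected directly. The following is an added example, not Microsoft code: it assumes a SAML 2.0 assertion, spells out the full claim URIs behind the short names authenticationmethodsreferences and multipleauthn, and runs on constructed sample assertions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Full Microsoft claim URIs behind the short names used in the text above.
AMR_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
MFA_VALUE = "http://schemas.microsoft.com/claims/multipleauthn"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"


def build_sample(attributes):
    """Constructed test assertion: attributes maps claim name -> list of values."""
    body = "".join(
        '<saml:Attribute Name="%s">%s</saml:Attribute>' % (
            name,
            "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v
                    for v in vals))
        for name, vals in attributes.items())
    return ('<saml:Assertion xmlns:saml="%s"><saml:AttributeStatement>%s'
            '</saml:AttributeStatement></saml:Assertion>' % (SAML_NS, body))


def mfa_claim_status(assertion_xml):
    """Classify one assertion as 'mfa', 'claim-without-mfa' or 'claim-missing'.

    Diagnostic only: it reads the claim and does not validate the signature,
    so use it on tokens captured from your own identity provider.
    """
    root = ET.fromstring(assertion_xml)
    values, found = [], False
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") == AMR_CLAIM:
            found = True
            values += [(v.text or "").strip()
                       for v in attr.iter("{%s}AttributeValue" % SAML_NS)]
    if not found:
        return "claim-missing"
    return "mfa" if MFA_VALUE in values else "claim-without-mfa"


# Constructed samples covering the three outcomes an administrator can see.
SAMPLES = {
    "idp sends MFA claim": build_sample({AMR_CLAIM: [PASSWORD, MFA_VALUE]}),
    "idp sends password only": build_sample({AMR_CLAIM: [PASSWORD]}),
    "idp omits the claim": build_sample({UPN_CLAIM: ["jane@contoso.example"]}),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, "->", mfa_claim_status(xml_text))
```

Both "claim-without-mfa" and "claim-missing" lead to the same result in the report: the sign-in is counted as made without MFA verification.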

Identify which users have logged into Partner Center without MFA

It may be helpful to identify which users are logging in to Partner Center without MFA verification and verify them against your current MFA implementation. You can use the Azure AD sign-in report to find out whether a user has completed MFA verification. The Azure AD sign-in report is currently available only to partners who have subscribed to Azure AD Premium or any O365 SKU that includes Azure AD Premium (for example, EMS).
