Security requirements for using Partner Center or Partner Center APIs
Appropriate roles: All Partner Center users
As an Advisor, Control Panel Vendor, or Cloud Solution Provider (CSP) partner, you have decisions to make regarding authentication options and other security considerations. Privacy safeguards and security for you and your customers are among our top priorities. We know that the best defense is prevention and that we're only as strong as our weakest link. That is why we need everyone in our ecosystem to ensure appropriate security protections are in place.
Mandatory security requirements
The CSP program allows customers to buy Microsoft products and services through partners. In accordance with their agreement with Microsoft, partners are required to manage the environment for and provide support to the customers they sell to. Customers who buy through this channel place their trust in you as the partner, since you have high-privilege admin access to the customer tenant.
Partners who don't implement the mandatory security requirements won't be able to transact in the CSP program or manage customer tenants using delegated admin rights. In addition, partners who don't implement the security requirements may put their participation in programs at risk. The terms associated with the partner security requirements have been added to the Microsoft Partner Agreement. The Microsoft Partner Agreement (MPA) will be updated on a periodic basis, and Microsoft recommends all partners check back regularly. As it relates to Advisors, the same contractual requirements will be in place.
All partners are required to adhere to security best practices so they can secure partner and customer environments. Adhering to these best practices will help mitigate security issues and remediate security escalations, ensuring the customer’s trust isn't compromised.
To protect you and your customers, we're requiring partners to take the following actions immediately: enable MFA for all user accounts and adopt the Secure Application Model framework.
Enable MFA for all user accounts in your partner tenant
You must enforce MFA on all user accounts in your partner tenants. Users must be challenged by MFA when they sign in to Microsoft commercial cloud services or when they transact in the Cloud Solution Provider program through Partner Center or via APIs. MFA enforcement follows these guidelines:
- Partners who use Microsoft-supported Azure AD Multi-Factor Authentication satisfy the requirement. For more information, see Multiple ways to enable Azure AD MFA (MFA supported).
- Partners who implemented a third-party MFA solution and are on the exception list can still access the Partner Center portal and APIs under those exceptions, but can't manage customers using DAP/GDAP (no exception is allowed there).
- If the partner’s organization was previously granted an exception for MFA, users who manage customer tenants as part of the CSP program must have enabled Microsoft MFA requirements before March 1, 2022. Failure to comply with MFA requirements may result in the loss of customer tenant access.
- Learn more about mandating multi-factor authentication (MFA) for your partner tenant.
Note
Partners are now provided with a free 24-month Azure AD Premium P2 license for each CSP tenant, and each tenant has up to 25 seats to redeem. Review Azure AD Conditional Access along with risk-based Conditional Access to quickly gain access to the promotion and set up Azure AD-supported MFA for strong authentication. Learn more about securing user sign-in events with Azure AD MFA.
Adopt the Secure Application Model framework
All partners integrating with Partner Center APIs must adopt the Secure Application Model framework for any application that uses the app + user authentication model.
Important
We strongly recommend that partners implement the Secure Application Model for integrating with a Microsoft API, such as Azure Resource Manager or Microsoft Graph, or when leveraging automation such as PowerShell using user credentials, to avoid any disruption when MFA is enforced.
These security requirements will help protect your infrastructure and safeguard your customers' data from potential security risks such as identity theft or other fraud incidents.
Additional security requirements
Customers trust you, as their partner, to provide value-added services. It's imperative that you take all security measures to protect the customer's trust and, subsequently, your reputation as a partner. Microsoft continues to add enforcement measures so that all partners are required to adhere to and prioritize the security of their customers. These security requirements help protect your infrastructure and safeguard your customers' data from potential security risks, such as identity theft or other fraud incidents.
The partner is responsible for ensuring they're adopting the principles of zero trust, specifically the following.
Delegated Admin Privileges (DAP)
Delegated admin privileges (DAP) provide the capability to manage a customer's service or subscription on their behalf. The customer must grant the partner administrative permissions for that service. Since the privileges granted to the partner to manage the customer are highly elevated, Microsoft recommends that all partners remove inactive DAPs. All partners managing customer tenants using Delegated Admin Privileges should remove inactive DAP relationships from the Partner Center portal to prevent any impact on the customer tenant and its assets.
For more information, see the Monitoring administrative relationships and self-service DAP removal guide, the Delegated administration privileges FAQ, and the NOBELIUM targeting delegated administrative privileges guide.
Additionally, DAP will be deprecated soon. We strongly encourage all partners who are actively using DAP to manage their customer tenants to move toward a least-privilege Granular Delegated Admin Privileges (GDAP) model to securely manage their customers' tenants.
Transition to least privilege roles to manage your customer tenants
Because DAP will be deprecated soon, Microsoft highly recommends moving away from the current DAP model, which gives admin agents standing or perpetual global admin access, and replacing it with a fine-grained delegated access model. The fine-grained delegated access model reduces the security risk to customers and the impact on them. It also gives you the control and flexibility to restrict, per customer and at the workload level, the access of the employees who manage your customers' services and environments.
For more information, see the Granular delegated admin privileges (GDAP) overview, information on least-privileged roles, and the GDAP FAQ.
Watch for Azure fraud notifications
As a partner in the CSP program, you're responsible for your customer's Azure consumption, so it's important that you're aware of any potential cryptocurrency mining activities in your customers' Azure subscriptions. This awareness enables you to take immediate action to determine whether the behavior is legitimate or fraudulent and, if necessary, suspend the affected Azure resources or Azure subscription to mitigate the issue.
For more information, see Azure fraud detection and notification.
Sign up for Azure AD Premium Plan 2
All Admin Agents in the CSP tenant should strengthen their cybersecurity with a free subscription to Azure AD Premium Plan 2 and take advantage of its capabilities to harden the CSP tenant. Azure AD Premium Plan 2 provides extended access to sign-in logs and premium features such as Azure AD Privileged Identity Management (PIM) and risk-based Conditional Access to strengthen security controls.
Registered partners can sign in to Partner Center to take advantage of this offer.
Adhere to CSP security best practices
It's important to follow all CSP best practices for security. Learn more at Cloud Solution Provider security best practices.
Implementing multi-factor authentication
To comply with the partner security requirements, you must implement and enforce MFA for each user account in your partner tenant. You can do this in one of the following ways:
- Implement Azure Active Directory (Azure AD) security defaults. See more in the next section.
- Purchase Azure Active Directory Premium for each user account. For more information, see Plan an Azure AD Multi-Factor Authentication deployment.
Note
Registered partners can sign in to Partner Center to take advantage of a free 24-month Azure AD premium license for up to 25 seats per subscription.
Security defaults
One of the options that partners can choose to implement the MFA requirements is to enable security defaults in Azure AD. Security defaults offer a basic level of security at no extra cost. Review how to enable MFA for your organization with Azure AD and the key considerations below before enabling security defaults.
- Partners who already adopted baseline policies need to take action to transition to security defaults.
- Security defaults are the general availability replacement of the preview baseline policies. Once a partner enables security defaults, they'll no longer be able to enable baseline policies.
- With security defaults, all policies will be enabled at once.
- For partners who use Conditional Access, security defaults won't be available.
- Legacy authentication protocols will be blocked.
- The Azure AD Connect synchronization account is excluded from security defaults and won't be prompted to register for or perform multi-factor authentication. Organizations shouldn't be using this account for other purposes.
For detailed information, see Overview of Azure AD Multi-Factor Authentication for your organization and What are security defaults?.
Note
Azure AD security defaults are the simplified evolution of the baseline protection policies. If you have already enabled the baseline protection policies, it is highly recommended that you enable security defaults.
Implementation frequently asked questions (FAQ)
Because these requirements apply to all user accounts in your partner tenant, you need to consider several things to ensure a smooth deployment. For example, identify user accounts in Azure AD that can’t perform MFA, and applications and devices in your organization that don't support modern authentication.
Before performing any action, we recommend you complete the following validations.
Do you have an application or device that doesn't support the use of modern authentication?
When you enforce MFA, legacy authentication protocols such as IMAP, POP3, SMTP, and others will be blocked because they don't support MFA. To address this limitation, use the app passwords feature to ensure the application or device can still authenticate. Review the considerations for using app passwords to determine whether they can be used in your environment.
Do you have Office 365 users with licenses associated with your partner tenant?
Before implementing any solution, we recommend that you determine what versions of Microsoft Office users in your partner tenant are using. There's a chance your users will experience connectivity issues with applications like Outlook. Before enforcing MFA, it's important to ensure that you're using Outlook 2013 SP1, or later, and that your organization has modern authentication enabled. For more information, see Enable modern authentication in Exchange Online.
To enable modern authentication for devices running Windows that have Microsoft Office 2013 installed, you'll need to create two registry keys. See Enable Modern Authentication for Office 2013 on Windows devices.
Is there a policy preventing any of your users from using their mobile devices while working?
It's important to identify any corporate policy that prevents employees from using mobile devices while working, because it will influence which MFA solution you implement. Some solutions, such as the one provided through Azure AD security defaults, only allow the use of an authenticator app for verification. If your organization has a policy preventing the use of mobile devices, consider one of the following options:
- Deploy a time-based one-time password (TOTP) application that can run on a secure system.
- Implement a third-party solution that enforces MFA for each user account in the partner tenant and provides the most appropriate verification option.
- Purchase or sign up for free 24-month Azure Active Directory Premium licenses for the affected users.
What automation or integration do you have to use user credentials for authentication?
Because MFA is enforced for each user in your partner directory, including service accounts, any automation or integration that uses user credentials for authentication will be affected. It's therefore important that you identify which accounts are being used in these situations. The following are sample applications or services to consider:
- Control panels used to provision resources on behalf of your customers
- Integrations with any platform used for invoicing (as it relates to the CSP program) and supporting your customers
- PowerShell scripts that use the Az, AzureRM, Azure AD, MSOnline, and other modules
The above list isn't comprehensive, so it's important that you perform a complete assessment of any application or service in your environment that uses user credentials for authentication. To contend with the requirement for MFA, you should implement the guidance in the Secure Application Model framework where possible.
Accessing your environment
To better understand what or who is authenticating without being challenged for MFA, we recommend you review the sign-in activity. Through Azure Active Directory Premium, you can use the sign-in report. For more information about this subject, see Sign-in activity reports in the Azure Active Directory portal. If you don't have Azure Active Directory Premium, or if you're looking for a way to obtain this sign-in activity through PowerShell, you'll need to use the Get-PartnerUserSignInActivity cmdlet from the Partner Center PowerShell module.
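As an added example (not from this page or the Partner Center PowerShell module), the following Python triages an exported sign-in report, shaped like Microsoft Graph `signIn` records, for the two things the FAQ above asks you to find before enforcing MFA: accounts that complete sign-ins with a single factor, and clients that authenticate with legacy protocols that security defaults will block. The records are constructed; the field names `userPrincipalName`, `appDisplayName`, `clientAppUsed`, `authenticationRequirement` and `status.errorCode` are those of the Graph sign-in log.

```python
import json
from collections import defaultdict

# Azure AD reports modern (MFA-capable) clients under these two clientAppUsed
# values; everything else (IMAP4, POP3, Authenticated SMTP, ActiveSync, ...)
# is legacy authentication and cannot satisfy an MFA challenge.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample records in the shape of Microsoft Graph signIn objects.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@partner.example", "appDisplayName": "Partner Center",
  "clientAppUsed": "Browser", "authenticationRequirement": "multifactorAuthentication",
  "status": {"errorCode": 0}},
 {"userPrincipalName": "svc-billing@partner.example", "appDisplayName": "Billing Sync",
  "clientAppUsed": "Mobile Apps and Desktop clients",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
 {"userPrincipalName": "scanner@partner.example", "appDisplayName": "Office 365 Exchange Online",
  "clientAppUsed": "Authenticated SMTP",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@partner.example", "appDisplayName": "Office 365 Exchange Online",
  "clientAppUsed": "IMAP4",
  "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@partner.example", "appDisplayName": "Partner Center",
  "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication",
  "status": {"errorCode": 50126}}
]""")


def single_factor_accounts(signins):
    """Map each UPN that completed a sign-in without MFA to the apps it used."""
    apps = defaultdict(set)
    for s in signins:
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # a failed sign-in proves nothing about how the account authenticates
        # A missing authenticationRequirement is treated as single factor, not assumed safe.
        if s.get("authenticationRequirement") != "multifactorAuthentication":
            apps[s["userPrincipalName"]].add(s["appDisplayName"])
    return {upn: sorted(a) for upn, a in apps.items()}


def legacy_auth_signins(signins):
    """Return sorted (upn, clientAppUsed) pairs for clients security defaults will block."""
    return sorted({(s["userPrincipalName"], s["clientAppUsed"])
                   for s in signins if s.get("clientAppUsed") not in MODERN_CLIENTS})


if __name__ == "__main__":
    print("Accounts signing in without MFA:", single_factor_accounts(SAMPLE_SIGNINS))
    print("Legacy-protocol sign-ins to fix:", legacy_auth_signins(SAMPLE_SIGNINS))
```

Each account in the first list needs either an MFA-capable sign-in path or a move to the Secure Application Model; each client in the second list needs modern authentication or an app password before enforcement.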
How the requirements are enforced
If your partner’s organization was previously granted an exception for MFA, then users who manage customer tenants as part of the CSP program must have enabled Microsoft MFA requirements before March 1, 2022. Failure to comply with MFA requirements may result in the loss of customer tenant access.
Partner security requirements are enforced by Azure AD, and in turn Partner Center, by checking for the presence of the MFA claim to identify that MFA verification has taken place. Since November 18, 2019, Microsoft has activated additional security safeguards (previously known as “technical enforcement”) to partner tenants.
Upon activation, users in the partner tenant are requested to complete MFA verification when performing any admin on behalf of (AOBO) operations, accessing the Partner Center portal, or calling Partner Center APIs. For more information, see Mandating Multi-factor Authentication (MFA) for your partner tenant.
Partners who haven't met the requirements should implement these measures as soon as possible to avoid any business disruptions. If you're using Azure Active Directory Multi-Factor Authentication or Azure AD security defaults, there are no additional actions you need to take.
If you're using a third-party MFA solution, there's a chance the MFA claim may not be issued. If this claim is missing, Azure AD won't be able to determine whether the authentication request was challenged by MFA. For information on how to verify that your solution is issuing the expected claim, read Testing the Partner Security Requirements.
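The claim Azure AD looks for is the `mfa` value in the token's `amr` (authentication method references) claim. As an added example, not from this page or from Microsoft's testing guidance, this Python decodes a token's payload and reports whether that value is present; the token is constructed with a dummy signature, and the check inspects claims only, so it does not validate the signature or issuer and is for troubleshooting the claim, not for authorizing anything.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT validating its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def has_mfa_claim(token: str) -> bool:
    """True when the amr claim records that an MFA challenge was completed."""
    amr = decode_claims(token).get("amr", [])
    return isinstance(amr, list) and "mfa" in amr


def make_test_token(amr: list) -> str:
    """Build a constructed token with a dummy signature for the demonstration.

    Real tokens from a third-party MFA provider are obtained by signing in,
    e.g. via the Partner Center PowerShell testing guidance, then inspected here.
    """
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "constructed-example", "upn": "alice@partner.example", "amr": amr}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "dummysignature"])


if __name__ == "__main__":
    for amr in (["pwd", "mfa"], ["pwd"], ["pwd", "rsa"]):
        verdict = "MFA claim present" if has_mfa_claim(make_test_token(amr)) else "MFA claim missing"
        print(amr, "->", verdict)
```

A token whose `amr` lists only `pwd` (or a vendor-specific value such as `rsa`) is exactly the case in which Azure AD cannot confirm MFA and you need to work with the vendor.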
Important
If your third-party solution does not issue the expected claim, then you will need to work with the vendor who developed the solution to determine what actions should be taken.
Resources and samples
See the following resources for support and sample code:
- Partner Center Security Guidance Group community: The Partner Center Security Guidance Group community is an online community where you can learn about upcoming events and ask any questions that you might have.
- Partner Center .NET Samples: This GitHub repository contains samples, developed using .NET, that will demonstrate how you can implement the Secure Application Model framework.
- Partner Center Java Samples: This GitHub repository contains samples, developed using Java, that will demonstrate how you can implement the Secure Application Model framework.
- Partner Center PowerShell - multi-factor authentication: This multi-factor authentication article provides details on how to implement the Secure Application Model framework using PowerShell.
- Features and licenses for Azure AD Multi-Factor Authentication
- Plan an Azure Active Directory multi-factor deployment
- Testing the Partner Security Requirements using PowerShell