Frequently asked questions about the partner security requirements

This article answers frequently asked questions about the partner security requirements.

Partner Security Requirements

What are the new partner security requirements?

To protect our partners and your customers, we are requiring partners to take the following actions immediately:

  1. Enable Multi-Factor Authentication (MFA) for all users in partner tenants. All users in partner tenants must use MFA when signing in to Microsoft commercial cloud services or when transacting in CSP through Partner Center or through its APIs. Through the baseline protection policies, MFA is available at no cost to all users of partner tenants.

  2. Adopt the Secure Application Model framework. All partners integrating with a Microsoft API such as Azure Resource Manager, Microsoft Graph, and the Partner Center API must adopt the Secure Application Model framework to avoid any disruption to their integration when the baseline policies are enabled.

Enabling Multi-Factor Authentication (MFA) and adopting the Secure Application Model framework will help protect your infrastructure and safeguard your customers' data from security risks such as identity theft and other fraud incidents.

Which partners need to meet the requirements?

These requirements are for the following partner groups:

  • All partner organizations participating in the Cloud Solution Provider (CSP) program that are transacting using the Microsoft commercial cloud services
    • Direct bill partners
    • Indirect providers
    • Indirect resellers
  • All Control Panel Vendors
  • All Advisor program partners

Partners transacting through a sovereign cloud (21Vianet, US Government, and Germany) are not required to meet the new security requirements effective August 1st. However, we strongly recommend that all partners using a sovereign cloud adopt these requirements immediately. Microsoft will provide additional details regarding enforcement of these security requirements for sovereign clouds in the future.

What are the key timelines and milestones?

The terms associated with these security requirements will be added immediately to the Program Guide for the Cloud Solution Provider program. You will need to implement these security requirements to be in compliance with your participation in the CSP program effective August 1, 2019.

What will happen if I do not take any actions?

Partners who fail to abide by these security practices and obligations will not be able to transact in the Cloud Solution Provider program or manage customer tenants using delegated admin rights once these partner security requirements are enforced. We are in the process of establishing an enforcement date for the requirements and will notify partners of the date with detailed information.

What will happen if I don’t implement MFA as per this new security requirement by August 1, 2019?

Starting August 1, 2019, the terms associated with these security requirements in the Program Guide for the Cloud Solution Provider program went into effect. All partners participating in the CSP program should meet the requirements to be in compliance with the terms and to protect their business. Partners who do not abide by these security practices may lose their ability to transact in the CSP program or manage customer tenants using delegated admin rights once technical enforcement of the partner security requirements begins in the near future. We are establishing an enforcement date and will notify partners of that date soon.

Why is Microsoft enforcing these new requirements?

The security and privacy of customers and partners is Microsoft's top priority. We continue to see an increasing number of ever more sophisticated attacks, most of them involving identity compromise. Because preventive controls play a key role in an overall defense strategy against such attacks, we will start enforcing a set of mandatory security requirements to help protect partners and their customers.

Does this apply to all geographies?

Yes, this applies to all geographies. Partners transacting through a sovereign cloud (21Vianet, US Government, and Germany) are not required to meet the new security requirements effective August 1st, but we strongly recommend that they adopt them immediately. Microsoft will provide additional details regarding enforcement of these security requirements for sovereign clouds in the future.

Is it possible to get an exclusion for an account?

No, it is not possible to exclude any account from the requirement of having MFA enforced. Given the highly privileged nature of being a partner, the Program Guide for the Cloud Solution Provider program requires that MFA be enforced for each account in your partner tenant.

Required Actions

What are the key actions I need to take to meet the requirements?

All partners in the CSP program (direct bill, indirect provider and indirect reseller), Advisors, and Control Panel Vendors must meet the requirements.

  1. Enforce MFA for all users

    All partners in the CSP program, Advisors, and Control Panel Vendors are required to enforce MFA for all users in their partner tenant. This can be accomplished by enabling the Require MFA for admins, the End user protection baseline, and any future baseline policies. The functionality provided by the baseline policies will continue to evolve to ensure partners and customers are protected from the ever-changing security threats. So, it is important that you review the baseline policies documentation to learn more.

    Additional considerations:

    • Indirect providers need to work with indirect resellers to onboard to Partner Center if they have not done so already and encourage their resellers to meet the requirements.
    • Azure MFA is being made available to all users in the partner tenant at no cost through the baseline policies, with the Microsoft Authenticator app as the only verification method.
    • Additional verification methods are available through the Azure Active Directory Premium SKUs, if other methods such as a phone call or text message are required.
    • Partners can also leverage a third-party MFA solution for each account when accessing Microsoft commercial cloud services.
  2. Adopt the Secure Application Model framework

    All partners who have developed custom integrations using any APIs (such as Azure Resource Manager, Microsoft Graph, or the Partner Center API) or who have implemented custom automation using tools such as PowerShell will need to adopt the Secure Application Model framework to integrate with Microsoft cloud services. Failure to do so may result in a disruption when MFA is deployed. The following resources provide an overview and guidance regarding how to adopt the model.

    If you are using a control panel, then you need to consult with the vendor regarding the adoption of the Secure Application Model framework.

    Control panel vendors are required to onboard to Partner Center as a control panel vendor and start implementing this requirement immediately. Refer to the Partner Center: Secure Application Model framework. Control panel vendors must accept and manage CSP partners' consent instead of their credentials, and must purge all existing CSP partner credentials they hold.

Multi-Factor Authentication

What is Multi-Factor Authentication (MFA)?

MFA is a security mechanism through which an individual is authenticated by more than one required verification procedure. It works by requiring two or more of the following authentication factors:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

What are baseline protection policies?

Microsoft baseline protection policies (currently preview) are a set of predefined policies that help protect organizations against many common attacks. These common attacks can include password spray, replay, and phishing. Baseline policies are available in all editions of Azure Active Directory. Microsoft is making these baseline protection policies available to everyone because identity-based attacks have been on the rise over the last few years. The goal of these policies is to ensure that all organizations have a baseline level of security enabled at no extra cost.

Note

Microsoft baseline policies and related functionalities will continue to evolve to better protect partners and customers from ever-changing security threats. There may be some naming and taxonomy changes with the baseline policies soon. We strongly recommend that you visit the baseline policies pages directly to check out the latest information.

What baseline policies must I enable?

If you plan to use the current baseline protection policies to provide MFA for each account in the partner tenant, then you must enable both the Require MFA for admins and the End user protection baseline policies. These policies fulfill the MFA requirement for each user in the partner tenant at no cost, but only for partners whose users verify with the Microsoft Authenticator app on a mobile device.

The Require MFA for admins baseline policy applies to administrative users in the partner directory, and the End user protection baseline policy protects non-administrative users in the partner tenant. Enabling these policies requires users to register for MFA. After a user has registered, they are prompted for MFA during sign-in according to the criteria of the policy. The functionality provided by the baseline policies will continue to evolve to ensure partners and customers are protected from ever-changing security threats, so it is important that you review the baseline policies documentation to learn more.

How do I enable the Require MFA for admins policy?

The Require MFA for admins baseline policy can be enabled through the Azure management portal. See Baseline policy: Require MFA for admins for details on how to enable this baseline policy.

How do I enable the End user protection policy?

The End user protection baseline policy can be enabled through the Azure management portal. See Baseline policy: End user protection for details on how to enable this baseline policy.

Will the baseline policies be automatically enabled?

No. To enable these policies, a user who is a member of the Global Administrator, Security Administrator, or Conditional Access Administrator role must configure each policy to Use policy immediately.

What is the cost of enabling MFA?

Microsoft provides MFA at no cost through the Require MFA for admins and End user protection baseline protection policies. The only verification option available through this version of MFA is the Microsoft Authenticator app. If a phone call or SMS message is required, an Azure Active Directory Premium license must be purchased. Alternatively, you can use a third-party solution to provide MFA for each user in your partner tenant; in that case it is your responsibility to ensure that your MFA solution is enforced and that you are compliant.

If I already have an MFA solution, what actions do I need to take?

Under these security requirements, users in a partner tenant must authenticate using MFA when accessing Microsoft commercial cloud services. Third-party solutions can be used to fulfill the requirement. Microsoft no longer provides validation testing to independent identity providers for compatibility with Azure Active Directory. If you would like to test your product for interoperability, please refer to these guidelines.

Important

If you are using a third-party solution, it is important to verify that the solution issues the authentication method reference (AMR) claim with the MFA value included. See Testing the Partner Security Requirements for details on how to validate that your third-party solution issues the expected claim.

What verification method can I use to authenticate MFA?

With the no-cost MFA provided through the Require MFA for admins and End user protection baseline protection policies, the only verification option is the Microsoft Authenticator app. If a phone call or SMS message is required, an Azure Active Directory Premium license must be purchased. Alternatively, a third-party solution can provide MFA for each user in your partner tenant; in that case it is your responsibility to ensure that the solution is enforced and that you are compliant.

I use multiple partner tenants to transact. Do I need to implement MFA on them all?

Yes, you will need to enforce MFA for each Azure Active Directory tenant associated with the CSP program or the Advisor program. If you plan to purchase an Azure Active Directory Premium license, then a license must be purchased for the user in each Azure Active Directory tenant.

Does each user in my partner tenant need to have MFA enforced?

The Require MFA for admins and End user protection baseline protection policies enforce MFA for each user in your partner tenant. If you use these policies to provide MFA and your users verify with the Microsoft Authenticator app, there is no need to purchase any additional licenses. Otherwise, you will need to purchase an appropriate solution to provide MFA for each user in your partner tenant.

I am a direct bill partner with Microsoft. What do I need to do?

Direct bill Cloud Solution Provider partners must enforce MFA for each user in their partner tenant.

I am an indirect reseller and only transact through a distributor. Do I still have to do this?

All indirect resellers are required to enforce MFA for each user in their partner tenant. This is an action that the indirect reseller must perform.

I do not use the Partner Center API. Do I still need to implement MFA?

Yes, this security requirement is for all users including partner admin users and end-users in a partner tenant.

Which third-party vendors provide MFA solutions compatible with Azure Active Directory?

There are many independent reviews of MFA solutions online, such as Gartner. When reviewing MFA vendors and solutions, partners must ensure the solution they choose is compatible with Azure Active Directory.

Microsoft no longer provides validation testing to independent identity providers for compatibility with Azure Active Directory. If you would like to test your product for interoperability, please refer to these guidelines.

For more information see the Azure AD federation compatibility list.

How can I test MFA in our integration sandbox?

The Require MFA for admins and End user protection baseline policies should be enabled for your integration sandbox tenant. Through these policies, each user in the tenant will be required to authenticate using MFA.

Will enabling MFA affect how I interact with my customers' tenants?

No. The fulfillment of these security requirements will not impact how you manage your customers. Your ability to perform delegated administrative operations will not be interrupted.

Are my customers subject to the partner security requirements?

No, it is not required that you enforce MFA for each user in your customer's Azure AD tenants. However, it is recommended that you work with each customer to determine how best to protect their users.

Can app passwords be used with the baseline protection policies?

Yes, app passwords can be used. You should review the considerations for using app passwords documented here to determine if they are supported for your need.

Can any user be excluded from this requirement?

No, each user, including service accounts, in your partner tenant will be required to authenticate using MFA.

Do the partner security requirements apply to the integration sandbox?

Yes, the partner security requirements apply to the integration sandbox. This means you will need to implement the appropriate MFA solution for users in the integration sandbox tenant. It is recommended that you implement the baseline protection policies to provide MFA.

How do I configure an emergency access (break glass) account?

It is considered best practice to create one or two emergency access accounts to prevent being inadvertently locked out of your Azure AD tenant. With respect to the partner security requirements, every user must authenticate using MFA, so you will need to modify the usual definition of an emergency access account. For example, it could be an account whose MFA is provided by a third-party solution.

How will guest users be impacted by the partner security requirements?

Guest users will be required to authenticate using MFA when accessing resources in your partner tenant. The partner security requirements have no impact on guest users when they access resources in their own tenant.

If I am using a third-party solution is Active Directory Federation Service (ADFS) required?

No, Active Directory Federation Service (ADFS) is not required if you are using a third-party solution. It is recommended that you work with the vendor of the solution to determine what the requirements for their solution are.

Is it a requirement to enable the baseline protection policies?

No, it is not required that you enable the baseline protection policies. The only requirement is that you enforce MFA for each user, including service accounts, in your partner tenant.

Can conditional access be used to meet the MFA requirement?

Yes, you can use conditional access to enforce MFA for each user, including service accounts, in your partner tenant. However, given the highly privileged nature of being a partner, we need to ensure that each user receives an MFA challenge for every single authentication. This means you cannot use conditional access features that exempt a sign-in from the MFA requirement, such as excluding users, groups, or trusted locations from the policy.
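As an added example (not part of the original article), the audit a practitioner would run over exported Conditional Access policies to confirm they meet the bar described above: every user, every cloud app, MFA required, and no exclusion that lets a sign-in skip the challenge. The field names follow the Microsoft Graph conditionalAccessPolicy schema as understood by the author of this example; the two sample policies are constructed for illustration and the group ID in the second one is a placeholder.

```python
import json

# Added example, not from the original article: audit Conditional Access policies for
# the partner requirement that every user is challenged for MFA on every sign-in.
# Field names follow the Microsoft Graph conditionalAccessPolicy schema as the author
# of this example understands it; check them against the current Graph reference.

REQUIRED_CONTROL = "mfa"


def mfa_gaps(policy):
    """Return the reasons a policy does NOT enforce MFA for every user on every sign-in.
    An empty list means the policy qualifies."""
    reasons = []
    if policy.get("state") != "enabled":
        reasons.append(f"state is {policy.get('state')!r}, not 'enabled'")

    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        reasons.append("does not include all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            reasons.append(f"{key} exempts {len(users[key])} object(s) from MFA")

    apps = conditions.get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        reasons.append("does not cover all cloud apps")
    if apps.get("excludeApplications"):
        reasons.append("excludeApplications exempts some apps")

    locations = conditions.get("locations") or {}
    if locations.get("excludeLocations"):
        reasons.append("excludeLocations lets sign-ins from trusted networks skip MFA")

    client_apps = conditions.get("clientAppTypes") or []
    if "all" not in client_apps:
        reasons.append("clientAppTypes does not cover all client types")

    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if REQUIRED_CONTROL not in controls:
        reasons.append("grantControls does not require 'mfa'")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # e.g. ["mfa", "compliantDevice"] joined by OR: a compliant device satisfies the
        # policy with no MFA challenge at all.
        reasons.append("operator OR with other controls lets a sign-in satisfy the policy without MFA")
    return reasons


def tenant_is_covered(policies):
    """True when at least one enabled policy enforces MFA for everyone with no exemptions."""
    return any(not mfa_gaps(p) for p in policies)


def report(policies):
    """Map each policy's display name to its list of gaps."""
    return {p.get("displayName", "<unnamed>"): mfa_gaps(p) for p in policies}


# Constructed sample policies (not exported from a real tenant); the group ID is a placeholder.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        # Looks strong, but exempts the corporate network and a break-glass group.
        "displayName": "MFA outside the office",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": ["00000000-0000-0000-0000-000000000001"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
]

if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_POLICIES), indent=2))
```

Run against the JSON returned by the Graph conditional access policies endpoint, the report lists for each policy exactly which exemption would let a sign-in bypass MFA; a tenant meets the requirement only if at least one policy comes back with an empty list. Note that the second sample policy is the common "MFA outside the office" pattern and fails on three counts: the excluded group, the trusted-location exclusion, and an OR grant that accepts a compliant device instead of MFA.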

What verification options are provided through the implementation of the baseline protection policies?

With respect to the version of MFA that is available through the baseline protection policies, the only verification option is an authenticator app. Phone calls and text messages are considered less secure, so these options are not available through this version of MFA.

Will the service account used by Azure AD Connect be impacted by the partner security requirements?

No, the service account used by Azure AD Connect will not be impacted by the partner security requirements. If you experience an issue with Azure AD Connect as result of enforcing MFA, then open a technical support request with Microsoft support.

Secure Application Model

Who should adopt the secure application model to meet the requirements?

All partners who have developed custom integrations using any APIs (such as Azure Resource Manager, Microsoft Graph, or the Partner Center API) or who have implemented custom automation using tools such as PowerShell, as well as all Control Panel Vendors (CPVs), must adopt the Secure Application Model framework to integrate with Microsoft cloud services. See the Secure Application Model guide for more information.

What is the Secure Application Model?

Microsoft is introducing a secure, scalable framework for authenticating Cloud Solution Provider (CSP) partners and Control Panel Vendors (CPV) that leverages Multi-Factor Authentication. See the Secure Application Model guide for more information.

How do I implement the Secure Application Model?

All partners who have developed custom integrations using any APIs (such as Azure Resource Manager, Microsoft Graph, or the Partner Center API) or who have implemented custom automation using tools such as PowerShell will need to adopt the Secure Application Model framework to integrate with Microsoft cloud services. Failure to do so may result in a disruption when MFA is deployed. The following resources provide an overview and guidance regarding how to adopt the model.

If you are using a control panel, then you need to consult with the vendor regarding the adoption of the Secure Application Model framework.

Control panel vendors are required to onboard to Partner Center as a control panel vendor and start implementing this requirement immediately. Refer to the Partner Center: Secure Application Model framework. Control panel vendors must accept and manage CSP partners' consent instead of their credentials, and must purge all existing CSP partner credentials they hold.

Who is a Control Panel Vendor (CPV)?

A Control Panel Vendor is an independent software vendor that develops apps for use by CSP partners to integrate with Partner Center APIs. A Control Panel Vendor is not a CSP partner and has no direct access to the Partner Center dashboard or APIs. A detailed description is available in the Partner Center: Secure Application Model guide.

Does the Secure Application Model need to be implemented for the Partner Center API/SDK only?

Once both the Require MFA for admins and End user protection baseline policies are enabled each user will be required to authenticate using Multi-Factor Authentication. This means you will need to implement the Secure Application Model for each API, CLI, and PowerShell module (e.g. Azure, Azure AD, MS Online, Partner Center, etc.) that is intended to run non-interactively and relies on the use of user credentials for authentication.

I am using automation tools such as PowerShell. How do I implement the Secure Application Model?

If your automation is intended to be run non-interactively and relies on user credentials for authentication, then you will need to implement the Secure Application Model. See Secure Application Model | Partner Center PowerShell for guidance on how to implement this framework. Note, not all automation tools provide the ability to authenticate using access tokens. If you need help understanding what changes need to be made, please post a message on the Partner Center Security Guidance group.

It is recommended that you use a service account that has been assigned the least privileged permissions. With respect to the Partner Center API, this means you should use an account that has been assigned either the Sales Agent or the Admin Agent role.

Using least-privileged identities reduces risk. Do not use an account with Global Administrator privileges, because that grants far more permissions than the integration requires.

I am a CSP partner. How do I know if my Control Panel Vendor (CPV) is working on implementing the solution or not?

For partners using a Control Panel Vendor (CPV) solution to transact in the Cloud Solution Provider (CSP) program, it is your responsibility to consult with your CPV.

I am a CPV. How do I enroll?

To enroll as a control panel vendor (CPV), follow the guidelines provided here.

In order to receive the enrollment link, CPVs must contact CPVHelp@microsoft.com and provide a Microsoft employee sponsor who has a business relationship with the CPV or knows their business. For example, a Partner Development Manager (PDM).

Once you enroll in Partner Center and register your applications, you will have access to Partner Center APIs. If you are a new CPV, you will receive your sandbox information via a Partner Center notification. Once you have completed enrollment as a Microsoft CPV and accepted the CPV agreement, you can:

  1. Manage multi-tenant applications (add applications in the Azure portal, and register and unregister applications in Partner Center). Note: CPVs must register their applications in Partner Center to be authorized for Partner Center APIs. Adding applications in the Azure portal alone does not authorize CPV applications for Partner Center APIs.
  2. View and manage your CPV profile.
  3. View and manage your users who need access to CPV capabilities. The only role a CPV can have is Global Admin.

I am using the Partner Center SDK. Will SDK automatically adopt the Secure Application Model?

No, you will need to follow the guidelines provided in the Secure Application Model guide.

Can I generate a refresh token for the secure application model with accounts that do not have MFA enabled?

Yes, a refresh token can be generated using an account that does not have MFA enforced. However, this should not be done because any token generated using an account that does not have MFA enabled will not be able to access resources due to the requirement for MFA.

How should my application obtain an access token if we enable MFA?

You will need to follow the Secure Application Model guide which provides detail on how to do so whilst complying with the new security requirements. You can find .NET sample code here and Java sample code here.

As a CPV, do I create an Azure AD application in our CPV tenant or the tenant of the CSP partner?

The CPV will need to create the Azure Active Directory application in the tenant associated with their enrollment as a CPV.

I am a CSP that is using app only authentication. Do I need to make any changes?

App only authentication is not impacted as user credentials are not being used to request an access token. If user credentials are being shared, then control panel vendors (CPVs) must adopt the Secure Application Model framework and purge any existing partner credentials they have.

As a CPV can I leverage the app only authentication style to get access tokens?

No, Control Panel Vendors cannot use the app-only authentication style to request access tokens on behalf of a partner. They must implement the Secure Application Model, which uses the app + user authentication style.

Enforcement

I am using a third-party MFA solution and I am being blocked, what should I do?

To validate the account accessing resources was challenged for multi-factor authentication, we will be checking the authentication method reference claim to see if MFA is listed. Some third-party solutions do not issue this claim or do not include the MFA value. If the claim is missing, or the MFA value is not listed, then there is no way to determine if the authenticated account was challenged for multi-factor authentication. You will need to work with the vendor for your third-party solution to determine what actions need to be taken so the solution will issue the authentication method reference claim.

See Testing the Partner Security Requirements if you are unsure whether your third-party solution is issuing the expected claim.
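The two checks above (the app + user refresh-token exchange of the Secure Application Model, and the enforcement check that the resulting token carries the authentication method reference claim with the MFA value) fit together in one piece of code. The following is an added example written for this page; it is not the Partner Center SDK, the Microsoft sample code, or the PowerShell module. It assumes the Azure AD v1 token endpoint (`/oauth2/token` with a `resource` parameter) and uses `https://api.partnercenter.microsoft.com` as the resource URI for the Partner Center API; the JWTs and the token endpoint response are constructed so the example runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Added example (not the Partner Center SDK or Microsoft sample code). Redeems a Secure
# Application Model refresh token for an access token and refuses to use the result
# unless the token's "amr" claim records an MFA challenge, which is the same claim the
# partner security requirements enforcement checks.
# Assumptions: Azure AD v1 token endpoint; the resource URI below is the one the author
# of this example uses for the Partner Center API.

AUTHORITY = "https://login.microsoftonline.com"
PARTNER_CENTER_RESOURCE = "https://api.partnercenter.microsoft.com"


def build_refresh_request(tenant_id, client_id, client_secret, refresh_token,
                          resource=PARTNER_CENTER_RESOURCE):
    """Form the refresh_token grant: app credentials plus the consenting user's refresh
    token (app + user). The user's password is never stored or sent."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "resource": resource,
    }
    return url, form


def decode_jwt_payload(token):
    """Return a JWT's claims without verifying the signature. Acceptable here only
    because we are inspecting a token just received from the token endpoint over TLS,
    not accepting it as proof of identity; the API that receives it validates it."""
    _header, payload, _signature = token.split(".")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def mfa_satisfied(access_token):
    """True when the authentication method reference (amr) claim lists 'mfa'."""
    amr = decode_jwt_payload(access_token).get("amr") or []
    return "mfa" in amr


def http_post_form(url, form):
    """Real transport: POST a form-encoded body and parse the JSON response."""
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.loads(resp.read())


def redeem_refresh_token(tenant_id, client_id, client_secret, refresh_token,
                         post=http_post_form):
    """Exchange the refresh token; fail fast if the consenting account skipped MFA.
    Callers must persist response["refresh_token"], which replaces the one used."""
    url, form = build_refresh_request(tenant_id, client_id, client_secret, refresh_token)
    response = post(url, form)
    if not mfa_satisfied(response["access_token"]):
        raise PermissionError(
            "access token lacks amr=mfa; the consenting account was not challenged for MFA")
    return response


# Constructed test material so the example runs offline: unsigned JWTs with a dummy
# signature segment, and a fake token endpoint that returns them.
def make_unsigned_jwt(claims):
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


def fake_token_endpoint(amr):
    def post(url, form):
        if form["grant_type"] != "refresh_token":
            raise ValueError("unexpected grant type")
        return {
            "token_type": "Bearer",
            "expires_in": "3599",
            "access_token": make_unsigned_jwt({"aud": form["resource"], "amr": amr}),
            "refresh_token": "rotated-refresh-token",
        }
    return post


if __name__ == "__main__":
    ok = redeem_refresh_token("tenant", "client", "secret", "stored-refresh-token",
                              post=fake_token_endpoint(["pwd", "mfa"]))
    print("MFA-backed token accepted; new refresh token:", ok["refresh_token"])
    try:
        redeem_refresh_token("tenant", "client", "secret", "stored-refresh-token",
                             post=fake_token_endpoint(["pwd"]))
    except PermissionError as exc:
        print("rejected:", exc)
```

In production the `post` argument is left at its default, the client secret and refresh token come from a secret store such as Key Vault, and the rotated refresh token in each response is written back. The `amr` check is the point of the example: a refresh token obtained by an account that was never challenged for MFA yields access tokens without the `mfa` value, and checking for it at the client surfaces the problem before the API rejects the call.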

MFA is blocking me from supporting my customer using AOBO, what should I do?

The technical enforcement of the partner security requirements checks whether the authenticated account has been challenged for multi-factor authentication. If it has not, you will be redirected to the login page and prompted to authenticate again. If your domain is not federated, after successfully authenticating you will be prompted to set up multi-factor authentication, and once that is completed you will be able to manage your customers using AOBO. If your domain is federated, you will need to ensure the account is being challenged for multi-factor authentication by your identity provider.

Key Resources

How to get started

Resources for enabling MFA

Resources for adopting secure application model

Support

Where can I get support?

For support resources to help you meet the security requirements: if you have Advanced Support for Partners (ASfP), contact your Service Account Manager; if you have a Premier Support for Partners (PSfP) agreement, contact your Service Account Manager and Technical Account Manager.

How can I get help with enabling the baseline policies?

  • Partners can leverage the Advisory hours from MPN benefits to get more detailed guidance on how to implement the security requirements.
  • Technical product support options for Azure Active Directory are available through your MPN benefits. Partners with an active ASfP or PSfP agreement can work with their associated account manager (SAM/TAM) to best understand the options available to them.
  • Support for baseline policies implementation with Partner Center can be accessed via Partner Center service request. Select MFA & Secure Application Model as the topic.

How do I get technical information and support to help me adopt secure application model framework?

Technical product support options for Azure Active Directory are available through your MPN benefits. Partners with access to an active ASfP or PSfP subscription can work with their associated account manager (SAM/TAM) to best understand the options available to them.

How do I contact support when I've lost access to Partner Center?

Go to Microsoft Partner Support, then choose Show all support options. You will see the available options for contacting Microsoft Partner Support. These include a phone number to call support, and an option to chat with support.

Where can I find more information about technical common issues?

Information regarding the technical common issues can be found here.