Frequently asked questions about the partner security requirements

Appropriate roles

  • Global admin
  • User admin
  • Admin agent
  • Billing admin
  • MPN partner admin

This article contains some frequently asked questions for the partner security requirements.

Partner Security Requirements

What are the key timelines and milestones?

The terms associated with these security requirements are included with the Microsoft Partner Agreement. You will need to implement these security requirements to be in compliance with your participation in the Cloud Solution Provider program.

What will happen if I do not take any actions?

Partners who fail to abide by these security practices and obligations will not be able to transact in the Cloud Solution Provider program or manage customer tenants leveraging delegate admin rights, once these partner security requirements are enforced. We are in the process of establishing an enforcement date for the requirements and will notify partners of the date with detailed information.

What will happen if I do not implement these partner security requirements?

The Microsoft Partner Agreement requires that you enforce multi-factor authentication for user accounts and adopt the secure application model for interacting with the Partner Center API. Partners who do not abide by these security practices may lose their ability to transact in the Cloud Solution Provider program or manage customer tenants leveraging delegate admin rights.

Why is Microsoft enforcing these new requirements?

Security and privacy of customers and partners is Microsoft's top priority. We continue to see an increasing number of more sophisticated security attacks, primarily related to identity compromise incidents. As preventive controls play a key role in an overall defense strategy to thwart security attacks, we will start enforcing a set of mandatory security requirements to help protect partners and their customers.

Does this apply to all geographies?

Yes, this applies to all geographies. We strongly recommend that all partners transacting through a sovereign cloud (21Vianet, US Government, and Germany) act and adopt these new security requirements immediately. However, these partners are not required to meet the new security requirements effective August 1st. Microsoft will provide additional details regarding the enforcement of these security requirements for sovereign clouds in the future.

Is it possible to get an exclusion for an account?

No, it is not possible to exclude any user account from the requirement of having MFA enforced. Given the highly privileged nature of being a partner, the Microsoft Partner Agreement requires that multi-factor authentication be enforced for each user account in your partner tenant.

How do I know if I have met the partner security requirements?

You need to complete the steps below:

  • You will need to meet all requirements outlined in the partner security requirements.
  • You need to ensure all user accounts in your partner tenant have multi-factor authentication enforced.

To help identify the key areas where you can take actions, we are providing the security requirements status report that is available through Partner Center.

See partner security requirements status for more information on the status report.

Required Actions

What are the key actions I need to take to meet the requirements?

All partners in the CSP program (direct bill, indirect provider and indirect reseller), Advisors, and Control Panel Vendors must meet the requirements.

  1. Enforce MFA for all users

    All partners in the CSP program, Advisors, and Control Panel Vendors are required to enforce MFA for all users in their partner tenant.

    Additional considerations:

    • Indirect providers need to work with indirect resellers to onboard to Partner Center if they have not done so already and encourage their resellers to meet the requirements.
    • Azure MFA is being made available to all users in the partner tenant at no cost through Azure AD security defaults, with an authenticator application that supports time-based one-time passwords (TOTP) as the only verification method.
    • Additional verification methods are available through the Azure Active Directory Premium SKUs, if other methods such as a phone call or text message are required.
    • Partners can also leverage a third-party MFA solution for each account when accessing Microsoft commercial cloud services.
  2. Adopt the Secure Application Model framework

    All partners who have developed custom integration using any APIs (such as Azure Resource Manager, Microsoft Graph, Partner Center API, etc.) or implemented custom automation using tools such as PowerShell will need to adopt the Secure Application Model framework to integrate with Microsoft cloud services. Failure to do so may result in a disruption due to MFA deployment. The following resources provide an overview and guidance regarding how to adopt the model.

    If you are using a control panel, then you need to consult with the vendor regarding the adoption of the Secure Application Model framework.

    Control panel vendors are required to onboard to Partner Center as a control panel vendor and start implementing this requirement immediately. Refer to the Partner Center: Secure Application Model framework. Control panel vendors must accept and manage CSP partners' consent instead of credentials and purge all existing CSP partners' credentials.

Multi-Factor Authentication

What is Multi-Factor Authentication (MFA)?

MFA is a security mechanism through which individuals are authenticated by more than one required security and validation procedure. It works by requiring two or more of the following authentication factors:

  • Something you know (typically a password)
  • Something you have (a trusted device that is not easily duplicated, like a phone)
  • Something you are (biometrics)

What is the cost of enabling MFA?

Microsoft provides MFA at no cost through the implementation of Azure AD security defaults. The only verification option available through this version of MFA is an authenticator application. If a phone call or SMS message is required, then an Azure Active Directory Premium license will need to be purchased. Alternatively, you can utilize a third-party solution to provide MFA for each user in your partner tenant - in this case, it is your responsibility to ensure your MFA solution is being enforced and that you are compliant.

If I already have an MFA solution, what actions do I need to take?

Through these security requirements, users in a partner tenant will be required to authenticate using MFA when accessing Microsoft commercial cloud services. A third-party solution can be used to fulfill these requirements. Microsoft no longer provides validation testing to independent identity providers for compatibility with Azure Active Directory. If you would like to test your product for interoperability, please refer to these guidelines.

Important

If you are using a third-party solution, then it is important to verify that the solution is issuing the authentication method reference (AMR) claim with the MFA value included. See Testing the Partner Security Requirements for details on how to validate that your third-party solution is issuing the expected claim.

I use multiple partner tenants to transact. Do I need to implement MFA on them all?

Yes, you will need to enforce MFA for each Azure Active Directory tenant associated with the CSP program or the Advisor program. If you plan to purchase an Azure Active Directory Premium license, then a license must be purchased for the user in each Azure Active Directory tenant.

Does each user account in my partner tenant need to have MFA enforced?

Yes, each user will need to have MFA enforced. Note that if you are using Azure AD security defaults, then there is no additional action required because that feature enforces MFA for all user accounts. Enabling security defaults is a free and easy way to ensure your user accounts are MFA compliant and not impacted when MFA is enforced.

I am a direct bill partner with Microsoft. What do I need to do?

Direct bill Cloud Solution Provider partners must enforce MFA for each user in their partner tenant.

I am an indirect reseller and only transact through a distributor. Do I still have to do this?

All indirect resellers are required to enforce MFA for each user in their partner tenant. This is an action that the indirect reseller must perform.

I do not use the Partner Center API. Do I still need to implement MFA?

Yes, this security requirement is for all users including partner admin users and end-users in a partner tenant.

Which third-party vendors provide MFA solutions compatible with Azure Active Directory?

There are many independent reviews of MFA solutions online, such as Gartner. When reviewing MFA vendors and solutions, partners must ensure the solution they choose is compatible with Azure Active Directory.

Microsoft no longer provides validation testing to independent identity providers for compatibility with Azure Active Directory. If you would like to test your product for interoperability, please refer to these guidelines.

For more information see the Azure AD federation compatibility list.

How can I test MFA in our integration sandbox?

The Azure AD security defaults feature should be enabled, or alternatively you can leverage a third-party solution that utilizes federation.

Will enabling MFA affect how I interact with my customer's tenant?

No. The fulfillment of these security requirements will not impact how you manage your customers. Your ability to perform delegated administrative operations will not be interrupted.

Are my customers subject to the partner security requirements?

No, it is not required that you enforce MFA for each user in your customer's Azure AD tenants. However, it is recommended that you work with each customer to determine how best to protect their users.

Can any user be excluded from this requirement?

No, each user, including service accounts, in your partner tenant will be required to authenticate using MFA.

Do the partner security requirements apply to the integration sandbox?

Yes, the partner security requirements apply to the integration sandbox. This means you will need to implement the appropriate MFA solution for users in the integration sandbox tenant. It is recommended that you implement Azure AD security defaults to provide MFA.

How do I configure an emergency access (break glass) account?

It is considered best practice to create one or two emergency access accounts to prevent being inadvertently locked out of your Azure AD tenant. With respect to the partner security requirements, it is required that each user authenticate using MFA. This means you will need to modify the definition of an emergency access account: it could, for example, be an account that is leveraging a third-party solution for MFA.

If I am using a third-party solution is Active Directory Federation Service (ADFS) required?

No, it is not required to have Active Directory Federation Service (ADFS) if you are using a third-party solution. It is recommended that you work with the vendor of the solution to determine what the requirements for their solution are.

Is it a requirement to enable Azure AD security defaults?

No, it is not required that you enable Azure AD security defaults.

Can conditional access be used to meet the MFA requirement?

Yes, you can use conditional access to enforce MFA for each user, including service accounts, in your partner tenant. However, given the highly privileged nature of being a partner, we need to ensure that each user has an MFA challenge for every single authentication. This means you will not be able to leverage features of conditional access that circumvent the requirement for MFA.

Will the service account used by Azure AD Connect be impacted by the partner security requirements?

No, the service account used by Azure AD Connect will not be impacted by the partner security requirements. If you experience an issue with Azure AD Connect as a result of enforcing MFA, then open a technical support request with Microsoft support.

Secure Application Model

Who should adopt the secure application model to meet the requirements?

Microsoft is introducing a secure, scalable framework for authenticating Cloud Solution Provider (CSP) partners and Control Panel Vendors (CPV) that leverages Multi-Factor Authentication. See the Secure Application Model guide for more information. All partners who have developed custom integration using any APIs (such as Azure Resource Manager, Microsoft Graph, Partner Center API, etc.) or implemented custom automation using tools such as PowerShell will need to adopt the Secure Application Model framework to integrate with Microsoft cloud services.

What is the Secure Application Model?

Microsoft is introducing a secure, scalable framework for authenticating Cloud Solution Provider (CSP) partners and Control Panel Vendors (CPV) that leverages Multi-Factor Authentication. See the Secure Application Model guide for more information.

How do I implement the Secure Application Model?

All partners who have developed custom integration using any APIs (such as Azure Resource Manager, Microsoft Graph, Partner Center API, etc.) or implemented custom automation using tools such as PowerShell will need to adopt the Secure Application Model framework to integrate with Microsoft cloud services. Failure to do so may result in a disruption due to MFA deployment. The following resources provide an overview and guidance regarding how to adopt the model.

If you are using a control panel, then you need to consult with the vendor regarding the adoption of the Secure Application Model framework.

Control panel vendors are required to onboard to Partner Center as a control panel vendor and start implementing this requirement immediately. Refer to the Partner Center: Secure Application Model framework. Control panel vendors must accept and manage CSP partners' consent instead of credentials and purge all existing CSP partners' credentials.

Who is a Control Panel Vendor (CPV)?

A Control Panel vendor is an independent software vendor that develops apps for use by CSP Partners to integrate with Partner Center APIs. A Control Panel vendor is not a CSP Partner with direct access to Partner Center dashboard or APIs. A detailed description is available within the Partner Center: Secure Applications Model guide.

Does the Secure Application Model need to be implemented for the Partner Center API/SDK only?

Because multi-factor authentication is enforced for all user accounts, any automation or integration that is intended to run non-interactively will be impacted. While the partner security requirements require you to adopt the secure application model for the Partner Center API, it can also be leveraged to address the need for a second factor of authentication in other automation and integration. Note that the resource being accessed will need to support access token based authentication.

I am using automation tools such as PowerShell. How do I implement the Secure Application Model?

If your automation is intended to be run non-interactively and relies on user credentials for authentication, then you will need to implement the Secure Application Model. See Secure Application Model | Partner Center PowerShell for guidance on how to implement this framework. Note, not all automation tools provide the ability to authenticate using access tokens. If you need help understanding what changes need to be made, please post a message on the Partner Center Security Guidance group.

It is recommended that you use a service account that has been assigned the least privileged permissions. With respect to the Partner Center API this means you should use an account that has either been assigned the Sales Agent or Admin Agents role.

It is best practice to use least-privileged identities, as that reduces risk. It is not recommended to use an account that has global admin privileges because that would provide more permissions than what is required.

I am a CSP partner. How do I know if my Control Panel Vendor (CPV) is working on implementing the solution or not?

For partners using a Control Panel Vendor (CPV) solution to transact in the Cloud Solution Provider (CSP) program, it is your responsibility to consult with your CPV.

I am a CPV. How do I enroll?

To enroll as a control panel vendor (CPV), follow the guidelines provided here.

In order to receive the enrollment link, CPVs must contact CPVHelp@microsoft.com and provide a Microsoft employee sponsor who has a business relationship with the CPV or knows their business. For example, a Partner Development Manager (PDM).

Once you enroll in Partner Center and register your applications, you will have access to Partner Center APIs. If you are a new CPV, you will receive your sandbox information via a Partner Center notification. Once you have completed enrollment as a Microsoft CPV and accepted the CPV agreement, you can:

  1. Manage multi-tenant application (add applications to Azure portal, register and un-register applications in Partner Center). Note: CPVs must register their applications in Partner Center to get authorized for Partner Center APIs. Adding applications to the Azure portal alone does not authorize CPV applications for Partner Center APIs.
  2. View and manage your CPV profile.
  3. View and manage your users who need access to CPV capabilities. The only role a CPV can have is Global Admin.

I am using the Partner Center SDK. Will SDK automatically adopt the Secure Application Model?

No, you will need to follow the guidelines provided in the Secure Application Model guide.

Can I generate a refresh token for the secure application model with accounts that do not have MFA enabled?

Yes, a refresh token can be generated using an account that does not have MFA enforced. However, this should not be done because any token generated using an account that does not have MFA enabled will not be able to access resources due to the requirement for MFA.

How should my application obtain an access token if we enable MFA?

You will need to follow the Secure Application Model guide which provides detail on how to do so whilst complying with the new security requirements. You can find .NET sample code here and Java sample code here.
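The non-interactive pattern described in the answers above (automation that must not rely on user credentials, and obtaining an access token once MFA is enforced) can be illustrated with the refresh-token half of the secure application model. The following is an added example, not Microsoft's .NET, Java or PowerShell sample code: it assumes the refresh token was minted earlier by an interactive consent flow in which the partner user completed MFA, that it is kept in a secret store (an environment variable stands in for that store here), and that the Microsoft identity platform v2.0 token endpoint is used. The tenant and client identifiers are placeholders, the scope string is the one the Partner Center PowerShell module requests, and the fake token endpoint at the bottom is constructed so the example runs offline.

```python
import json
import os
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint; {tenant} is filled in per partner tenant.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Scope requested for the Partner Center API (as used by the Partner Center PowerShell module).
PARTNER_CENTER_SCOPE = "https://api.partnercenter.microsoft.com/user_impersonation"


def build_refresh_request(tenant, client_id, client_secret, refresh_token, scope):
    """Return (url, form body) for a refresh_token grant.

    The application proves its own identity with client_secret; the user's
    contribution is the refresh token issued during the interactive,
    MFA-challenged consent flow. No username or password is ever sent, which
    is the point of the app + user model.
    """
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "scope": scope,
    }
    return url, body


def _http_post_form(url, body):
    """Default transport: a real HTTPS POST of a form-encoded body."""
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def exchange_refresh_token(tenant, client_id, client_secret, refresh_token, scope,
                           post=_http_post_form):
    """Exchange a stored refresh token for an access token.

    Returns the access token plus the refresh token to persist next time: the
    endpoint may rotate it, and losing the rotated value means someone has to
    repeat the interactive consent.
    """
    url, body = build_refresh_request(tenant, client_id, client_secret, refresh_token, scope)
    resp = post(url, body)
    if "access_token" not in resp:
        raise RuntimeError(
            f"token request failed: {resp.get('error')}: {resp.get('error_description')}")
    return {
        "access_token": resp["access_token"],
        "expires_in": resp.get("expires_in"),
        "refresh_token": resp.get("refresh_token", refresh_token),
    }


def load_refresh_token_from_store():
    """Read the refresh token from the secret store.

    An environment variable is an assumed stand-in; in production this would be
    a vault or key store with access limited to the automation identity.
    """
    value = os.environ.get("PARTNER_CENTER_REFRESH_TOKEN")
    if not value:
        raise RuntimeError("no refresh token stored; run the interactive consent flow first")
    return value


# --- constructed fake token endpoint so the example runs offline ---
def fake_token_endpoint(url, body):
    """Mimics the v2.0 endpoint's success and invalid_grant responses (constructed)."""
    assert url.endswith("/oauth2/v2.0/token")
    if body["grant_type"] != "refresh_token" or body["refresh_token"] != "rt-constructed-123":
        return {"error": "invalid_grant", "error_description": "constructed failure"}
    return {"token_type": "Bearer", "expires_in": 3599,
            "access_token": "at-constructed-456", "refresh_token": "rt-constructed-789"}


if __name__ == "__main__":
    result = exchange_refresh_token("contoso.onmicrosoft.com", "app-id-placeholder",
                                    "app-secret-placeholder", "rt-constructed-123",
                                    PARTNER_CENTER_SCOPE, post=fake_token_endpoint)
    print(result)
```

The access token returned is what a script presents to the Partner Center API as a bearer token; the account behind the refresh token should be a least-privileged one (Sales Agent or Admin Agents), as the guidance above notes.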

As a CPV, do I create an Azure AD application in our CPV tenant or the tenant of the CSP partner?

The CPV will need to create the Azure Active Directory application in the tenant associated with their enrollment as a CPV.

I am a CSP that is using app only authentication. Do I need to make any changes?

App only authentication is not impacted as user credentials are not being used to request an access token. If user credentials are being shared, then control panel vendors (CPVs) must adopt the Secure Application Model framework and purge any existing partner credentials they have.

As a CPV can I leverage the app only authentication style to get access tokens?

No, Control Panel Vendor partners cannot utilize the app only authentication style to request access tokens on behalf of a partner. They should implement the secure application model, which utilizes the app + user authentication style.

Enforcement

I am using a third-party MFA solution and I am being blocked, what should I do?

To validate the account accessing resources was challenged for multi-factor authentication, we will be checking the authentication method reference claim to see if MFA is listed. Some third-party solutions do not issue this claim or do not include the MFA value. If the claim is missing, or the MFA value is not listed, then there is no way to determine if the authenticated account was challenged for multi-factor authentication. You will need to work with the vendor for your third-party solution to determine what actions need to be taken so the solution will issue the authentication method reference claim.

See Testing the Partner Security Requirements if you are unsure whether your third-party solution is issuing the expected claim.
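The check described in the answer above, and in the earlier "Important" note about third-party solutions, comes down to inspecting the authentication method reference (amr) claim of the token the identity provider issues and confirming the mfa value is present. The following is an added example, not Microsoft's testing tool: it decodes the payload of a compact JWT for inspection only (no signature verification, so it tells you what the IdP issues, not whether to trust the token) and reports the three cases the answer describes. The sample tokens are constructed inline and unsigned.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact-serialised JWT without verifying it.

    Inspection only: the signature is not checked, so use this to confirm what
    the identity provider issues, never to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def amr_values(token: str) -> list:
    """Return the amr claim as a list, or [] when the claim is absent."""
    amr = decode_jwt_payload(token).get("amr", [])
    if isinstance(amr, str):  # some issuers emit a single string rather than a list
        amr = [amr]
    return list(amr)


def was_mfa_challenged(token: str) -> bool:
    """True only if the amr claim is present and lists the 'mfa' value."""
    return "mfa" in amr_values(token)


def diagnose(token: str) -> str:
    """Verdict matching the cases in the FAQ: claim missing, value missing, or ok."""
    values = amr_values(token)
    if not values:
        return "amr claim missing: cannot determine whether MFA was performed"
    if "mfa" not in values:
        return f"amr present {values} but 'mfa' value not listed"
    return f"ok: amr {values} includes 'mfa'"


# --- constructed sample tokens (unsigned placeholders, for illustration only) ---
def _make_token(claims: dict) -> str:
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT"}
    return enc(header) + "." + enc(claims) + ".signature-placeholder"


TOKEN_WITH_MFA = _make_token({"sub": "user@partner.example", "amr": ["pwd", "mfa"]})
TOKEN_PWD_ONLY = _make_token({"sub": "user@partner.example", "amr": ["pwd"]})
TOKEN_NO_AMR = _make_token({"sub": "user@partner.example"})

if __name__ == "__main__":
    for name, tok in [("with mfa", TOKEN_WITH_MFA),
                      ("pwd only", TOKEN_PWD_ONLY),
                      ("no amr", TOKEN_NO_AMR)]:
        print(f"{name:9}: {diagnose(tok)}")
```

Run it against an ID token captured from a test sign-in through your federated provider; only the first verdict ("ok") indicates the solution issues what the enforcement check looks for.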

MFA is blocking me from supporting my customer using AOBO, what should I do?

The technical enforcement for the partner security requirements will check whether the authenticated account has been challenged for multi-factor authentication. If the account has not been, then you will be redirected to the login page and prompted to authenticate again. If your domain is not federated, after successfully authenticating you will be prompted to set up multi-factor authentication. Once that is completed you will be able to manage your customers using AOBO. If your domain is federated, then you will need to ensure the account is being challenged for multi-factor authentication.

Key Resources

How to get started

Resources for adopting secure application model

Support

Where can I get support?

For support resources to meet the security requirements, if you have Advanced Support for Partners (ASfP) contact your Service Account Manager; for Premier Support for Partners agreement (PSfP), contact your Service Account Manager and Technical Account Manager.

How do I get technical information and support to help me adopt secure application model framework?

Technical product support options for Azure Active Directory are available through your MPN benefits. Partners with access to an active ASfP or PSfP subscription can work with their associated account manager (SAM/TAM) to best understand the options available to them.

How do I contact support when I've lost access to Partner Center?

Go to Microsoft Partner Support, then choose Show all support options. You will see the available options for contacting Microsoft Partner Support. These include a phone number to call support, and an option to chat with support.

Where can I find more information about technical common issues?

Information regarding the technical common issues can be found here.