IMPORTANT UPDATE: Partner Security Requirements - Activating Security Safeguards Starting Nov 18, 2019
Target partner audiences
- All partners participating in the Cloud Solution Provider (CSP) program that transact Microsoft commercial cloud services: direct bill partners, Indirect providers, and Indirect resellers
- All Control Panel Vendors
- All Advisor program partners
Greater and ongoing security and privacy safeguards are among our top priorities. To help protect partners and customers, in June 2019, Microsoft introduced new mandatory security requirements for partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors, and Advisor partners. Effective August 1, 2019, the terms associated with these security requirements in the Cloud Solution Provider Program Guide went into effect. All these partners must meet the requirements to stay compliant with the program guidelines and protect their businesses.
Starting November 18, 2019, Microsoft will begin the activation of additional security safeguards for partner tenants. These additional security safeguards can help partners secure their tenants as well as customers, and help mitigate security threats by preventing unauthorized access.
What will happen when these security safeguards are activated?
Upon activation, users in the partner tenant will be requested to complete multi-factor authentication (MFA) verification when performing any admin-on-behalf-of (AOBO) operations. We will continue to extend the scope of the activation of security safeguards to additional scenarios and user roles, providing partners with advance notice. For more information, please refer to this documentation. Partners who have not met the requirements should implement these measures as soon as possible to avoid any business disruptions.
What should partners do to meet the requirements and stay compliant?
The partner security requirements are unchanged: all partners in the CSP program and Advisor partners must meet the following requirements to stay compliant. Make sure to carefully review the security requirements using the step-by-step guide.
- Enforce multi-factor authentication (MFA) for all users in partner tenants
- Adopt the Secure Application Model framework
We highly encourage partners to invest in security measures to safeguard their own business as well as their customers’ data. Not implementing these measures can expose a partner’s own business and customers’ data to potential security vulnerabilities with undesirable consequences. Partners who do not implement the security requirements may put their participation in the CSP program and Advisor program at risk.
How can partners check their status of implementing the requirements?
What are the key resources partners can refer to?
Check out the recently updated resources below:
- Step-by-step guide
- Frequently asked questions
- Partner Center Security Guidance community group
- Microsoft office hours with technical experts
Note: Security defaults are now available as the successor of the preview baseline protection policies. Please learn more details to take required actions.
For partners who have invested in implementing the requirements, we sincerely appreciate your partnership and commitment to ensuring our ecosystem runs on trust.
What role should be given to a user to see the page?
The MPM admin is not able to see.
The only user that worked was global admin.
@paulorosa : Yes, this was restricted to global admin. Afaik security admins should also be able to use the PowerShell method: https://docs.microsoft.com/en-us/powershell/module/partnercenter/get-partnerusersigninactivity?view=partnercenterps-3.0
And user admins can also access the AzureAD sign-in logs to check who is using MFA.
MPN admin does not have access to any of the above-mentioned reports.
We received conflicting messaging around the enforcement for blocking legacy protocols. Back on 1/9, we received a message from Microsoft that stated legacy protocols will be blocked by Feb 29th. I received a Microsoft email through a mutual customer stating, "Blocking legacy authentication will not be enforced for partners at this time. However, as most events related to compromised identities come from sign-in attempts using legacy authentication, partners are encouraged to move away from these older protocols."
Has Microsoft changed their position on enforcing the blocking of legacy protocols for Microsoft CSP partners?
@Lfortson : Currently trying to get more information on this myself. I can confirm that, to my own surprise, legacy authentication was planned not to be blocked for Partner tenants when using security defaults (in end customer tenants AAD security defaults would still block those), so you could still use e.g. App Passwords. However, this was only a temporary exception and I can't tell how long this was planned to be available.
Also I have received numerous reports of partners where this does not work - for this you can also reach out to support.
However, because the exception was only meant to be temporary, I personally would suggest using custom CA policies if you know that you need legacy protocols working for the foreseeable future.