[Important Announcement] Implement security requirements immediately to safeguard your business
Target partner audiences
- All partner organizations participating in the Cloud Solution Provider (CSP) program that transact using Microsoft commercial cloud services
- Direct bill partners
- Indirect providers
- Indirect resellers
- All Control Panel Vendors
- All Advisor program partners
Cybersecurity continues to be one of the top challenges of our digital age. We frequently see media reporting on security incidents across all industries and around the globe, with more sophisticated attack techniques such as supply chain attacks, phishing and others continuing to evolve. The impact of a security incident on an organization averages several million dollars, and more serious events can cost hundreds of millions of dollars.
Greater security and privacy safeguards are among our top priorities. We know that the best defense is prevention and that we are only as strong as our weakest link. That’s why we are requiring partners to take action and ensure they have appropriate security protections in place.
To help safeguard partners and customers, Microsoft is introducing a set of mandatory security requirements for partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors, and Advisor partners.
By August 1, 2019, these partners are required to take the following actions:
- Enable multi-factor authentication for all users in partner tenants
All users in partner tenants must use multi-factor authentication (MFA) when signing into Microsoft commercial cloud services or transacting in CSP through Partner Center or via APIs. Baseline protection policies that include multi-factor authentication are available at no cost for all users of partner tenants.
- Adopt the Secure Application Model framework
All partners integrating with a Microsoft API such as Azure Resource Manager, Microsoft Graph, and the Partner Center API must adopt the Secure Application Model framework to avoid any disruption to their integration when the baseline policies are enabled.
The terms associated with these security requirements will be added immediately to the Cloud Solution Provider Program Guide. From August 1, 2019, all partners participating in the CSP program should be in compliance with the terms. For Advisors, the same contractual requirements will be in place.
Partners who do not implement the mandatory security requirements will not be able to transact in the Cloud Solution Provider program or manage customer tenants leveraging delegate admin rights, once these partner security requirements are technically enforced. We’re in the process of establishing an enforcement date for the requirements and will notify partners of the date with detailed information.
The resources below will help you start planning and implementing these security requirements immediately.
- Partner security requirements implementation step-by-step guide
- Partner Center Security Guidance community group
- Office hours with technical experts (starting June 27)
- Partner security requirements resources gallery (including FAQs document and other resources)
Thank you for your commitment and partnership.
Note: We strongly recommend that all partners transacting through a sovereign cloud (21Vianet, US Government, and Germany) take action and adopt these new security requirements immediately. However, these partners are not required to meet the new security requirements effective August 1. Microsoft will provide additional details regarding the enforcement of these security requirements for sovereign clouds in the future.
Does conditional access count as MFA, and can you set it so that, for example, a certain account from a trusted location can access the tenant without an MFA challenge and still be compliant? Or does it have to be an unconditional MFA policy?
You can find the updated documentation here https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#can-conditional-access-be-used.
To add a snip of the answer: Yes, you can use conditional access to enforce MFA for each user, including service accounts, in your partner tenant. However, given the highly privileged nature of being a partner we need to ensure that each user has an MFA challenge for every single authentication. This means you will not be able to leverage features of conditional access that circumvent the requirement for MFA.
- I also suggest you join one of the available office hours to learn more: aka.ms/partnerMFAdeadline
- Please refer to the existing threads on the community: https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/bd-p/PC_Security_Guidance_MFA
Hope this helps,
I'm not sure I get it.
If you are "in the process of establishing an enforcement date for the requirements and will notify partners of the date with detailed information.", what does the 1st of August 2019 represent?
Some kind of informal deadline?