Control Panel Vendors (CPVs)

Level 5 Contributor

Should CPVs allow CSPs to access customer tenants using customer logins

While implementing the Secure Application Model and reviewing overall compliance with the new Partner Security Requirements, we discovered that roughly 50% of the Microsoft partners (primarily Indirect Resellers and Advisors) using our application access & manage their customer tenants using Global Admin users in the customer's tenant. Based on our understanding of these security requirements, this violates the spirit & intent of the security requirements Microsoft is implementing on August 1, 2019.

Why We Think This: With the convergence of Microsoft Partner Portals and delegated administration rights, Microsoft appears to be consolidating partners' access to customer tenants via Partner Center. Partners that access customer tenants using a customer login to the tenant must maintain shared logins to the customer tenant, with credentials likely stored in an unknown credential store - meaning a breach of the partner's unknown credential store could put all of the partner's customer tenants at risk.

To support Microsoft's efforts, we are considering a breaking change to our CPV application that would prevent Microsoft partners from accessing customer tenants using a customer login to the tenant. However, we've run into a roadblock.

Roadblock: After 6 months of research, we are unable to find any Microsoft documentation that explicitly states "Every Microsoft Partner is required to use their own Microsoft login to access their customers' tenants. The only exception is emergency access." (or something similar)

Why this is a Roadblock: Without an official Microsoft document to point to, the Microsoft partners we work with that this breaking change would impact could hold us in breach of contract for implementing an unnecessary breaking change.

Request: Can someone point me to a document that addresses the roadblock above? Or does Microsoft endorse partners' ongoing use of customer logins to access & manage customer tenants?

Accepted Solutions
Microsoft

Re: Should CPVs allow CSPs to access customer tenants using customer logins

@cjmod, your thinking to do away with sharing customer credentials with their resellers and advisors is definitely aligned with the intent of our security requirements for Microsoft CSP, CPV, and Advisor partners. In principle, we expect all customers (including partners) to adopt Azure Identity Management and access control security best practices. The specific security requirements that we are enforcing with the CSP program guide are MFA enablement for all partner users and the secure application model for API-level integration. Sharing user identity and credentials with an external partner was never a recommendation from Microsoft or a practice that conforms with security best practices for our customers.

Microsoft

Re: Should CPVs allow CSPs to access customer tenants using customer logins

Such a requirement would need to be added to the contract paperwork in order to be effective. But in CSP Program guide, Reseller-Agreement (MCRA) or end customer agreement (MCA) there is no such statement included.

So while Microsoft recommends using delegated permissions, this is not a requirement. In the end, it is at the customer's discretion whether they allow the Partner to have an admin account in their tenant (either as a guest or via an account created in the customer tenant).

Also, for some scenarios, like Exchange Online PowerShell, there is no other option than to use a user account in the customer tenant.

Honestly, I do not see any way to remove the roadblock by referring to some contractual requirement - since it does not exist. So the only thing that could be done is to make recommendations and design your solution in a way that guides resellers & advisors to enable MFA for those global admin accounts as well (in each customer tenant). So a technical argument for why you need to implement a change in your app.

I appreciate very much the overall spirit of the idea - this would really help push for essential security best practices. For the baseline policies the initial plan was also to enable MFA for Admins for every tenant by default ("Automatically enable policy in the future") - but this caused some concern with customers, so this plan was - unfortunately - dropped.
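The breaking change cjmod describes (refusing customer-tenant logins in the CPV app) and JanoschUlmer's suggestion (steering partners toward MFA on whichever account they use) can both be expressed as a policy check over the claims of the token the partner presents. The following is an added illustration, not code from the original thread or from any Microsoft SDK; it assumes the token signature has already been validated upstream, that the CPV knows the partner and customer tenant ids (constructed placeholders here), and it relies on the standard Azure AD `tid`, `idp` and `amr` claims.

```python
import re
from dataclasses import dataclass

# Tenant GUID inside an Azure AD "idp" claim, e.g. "https://sts.windows.net/<tenant-id>/".
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed placeholder tenant ids (assumption: the CPV knows both at request time).
PARTNER_TENANT = "11111111-1111-1111-1111-111111111111"
CUSTOMER_TENANT = "22222222-2222-2222-2222-222222222222"

@dataclass(frozen=True)
class Decision:
    path: str      # partner_delegated | guest_from_partner | customer_local | unknown
    mfa: bool
    allow: bool
    reason: str

def _home_tenant(idp):
    """Home tenant of a guest/external user from the idp claim, or None for a local account."""
    m = GUID_RE.search(idp or "")
    return m.group(0).lower() if m else None

def classify_access(claims, partner_tenant=PARTNER_TENANT, customer_tenant=CUSTOMER_TENANT):
    """Decide whether a caller reached the customer tenant through an acceptable identity path."""
    tid = (claims.get("tid") or "").lower()   # tenant the token was issued for
    home = _home_tenant(claims.get("idp"))
    mfa = "mfa" in claims.get("amr", [])     # amr lists the authentication methods used
    if tid == partner_tenant.lower():
        path = "partner_delegated"           # partner's own identity acting via delegated admin
    elif tid == customer_tenant.lower() and home == partner_tenant.lower():
        path = "guest_from_partner"          # B2B guest whose home is the partner tenant
    elif tid == customer_tenant.lower() and home in (None, tid):
        path = "customer_local"              # account created inside the customer tenant
    else:
        path = "unknown"
    if not mfa:
        return Decision(path, mfa, False, "MFA not present in amr claim")
    if path == "partner_delegated":
        return Decision(path, mfa, True, "partner identity; lifecycle managed in the partner tenant")
    if path == "guest_from_partner":
        return Decision(path, mfa, True, "guest homed in the partner tenant; allowed, flagged for review")
    if path == "customer_local":
        return Decision(path, mfa, False, "shared customer-tenant admin account; blocked by CPV policy")
    return Decision(path, mfa, False, "token not issued for the partner or the customer tenant")

# Constructed sample claim sets (not real tokens; signature validation is assumed done upstream).
SAMPLE_CLAIMS = {
    "delegated": {"tid": PARTNER_TENANT, "upn": "agent@partner.example", "amr": ["pwd", "mfa"]},
    "guest": {"tid": CUSTOMER_TENANT, "idp": f"https://sts.windows.net/{PARTNER_TENANT}/", "amr": ["pwd", "mfa"]},
    "local_admin": {"tid": CUSTOMER_TENANT, "upn": "partneradmin@customer.example", "amr": ["pwd", "mfa"]},
}
```

The `customer_local` branch is the breaking change; a CPV that is not yet ready to block could log that path and the missing-MFA case instead, which gives the "technical argument" the reply above asks for.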

Level 5 Contributor

Re: Should CPVs allow CSPs to access customer tenants using customer logins

|   So while Microsoft recommends to use delegated permissions, this is not a requirement.

@JanoschUlmer: This is the issue. I can't find any official document that says "Microsoft recommends partners [blank] to access their customers' tenants." & To me, an "official document" is simply a document published & maintained by Microsoft. Something as simple as an Authentication Best Practices page on https://docs.microsoft.com/partner-center/ under the Connect With Customers section would suffice - but nothing like that seems to exist.

In the interest of the ecosystem, we want to make this change. But without something to point to, so we can say "We're following Microsoft recommendations / best practices / etc."... I don't know if we can. Does anything like this exist? & If not, could something like this be published in time for the Effective Date?

Microsoft

Re: Should CPVs allow CSPs to access customer tenants using customer logins

The only guidance I know is this: https://docs.microsoft.com/en-us/azure/cloud-solution-provider/customer-management/administration-delegation 

Advantages & Disadvantages of either approach are mentioned here - and it shows that for some scenarios it is not possible to use delegated admins. So Microsoft cannot expect that all customers/partners only use DAP; even though this is the preferred option, there are known scenarios where this does not work.

It might even be that security requirements of the customer prohibit using DAP - e.g. when a customer requires that only approved persons are allowed to administer their environment, the customer needs to remove delegated admin permissions for the partner (to avoid all of the partner's admin agents having access) and create specific user accounts for this purpose.

Moderator

Re: Should CPVs allow CSPs to access customer tenants using customer logins

@cjmod you are correct; to my knowledge, there is no requirement that currently limits you to only using your partner credentials. This means you can continue to manage the customer using the most appropriate method. Our recommendation is that you do not create accounts in a customer's environment for your organization, because that can result in a security risk as you mention. Where possible I would highly recommend that you leverage partner credentials that have admin-on-behalf-of privileges. That way you can more easily control the lifecycle management of accounts that belong to your organization.

With all of this said, I appreciate you taking the time to share this feedback with us. I will ensure that this recommendation gets added to our documentation so that you can have it for reference as well.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner

Level 5 Contributor

Re: Should CPVs allow CSPs to access customer tenants using customer logins

@AdamYeh, @idwilliams, & @JanoschUlmer: Do you know where we can find a replacement for the document @JanoschUlmer previously linked?

Link: https://docs.microsoft.com/azure/cloud-solution-provider/customer-management/administration-delegation

I'm able to review it using Google Cache & Previous Versions, but I can't find another doc that details the "Granular delegation of administration" scenarios + Advantages / Challenges - which was extremely useful when discussing the topic with our mutual partners. Thanks!

Microsoft

Re: Should CPVs allow CSPs to access customer tenants using customer logins

@cjmod 

Only available in the archive indeed: https://docs.microsoft.com/en-us/previous-versions/azure/cloud-solution-provider/customer-management/administration-delegation

Afaik there was some work started to move & rework CSP-specific content into the Partner Center docs, so it was moved to the archive in the Azure docs section.

There is no more up-to-date version of this article, so it still applies and can be used for discussing all the aspects.

Not sure why there was no redirection established :-(