
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

chighland
Level 1 Contributor

Baseline Enabled but Status is Non-compliant

I attended the Partner Insider call, enabled all of the baselines per Microsoft's instructions, rolled out MFA, and had it completed before the deadline. I just received an email from our PDM that we are non-compliant. I have no idea what to do. The baselines were supposed to take care of everything, I thought? How do we request someone from Microsoft to look in our tenant and resolve these issues? I cannot go through these forums every day looking for answers; it's simply not scalable. I'm at the end of what I can do by myself. At this point I'm just waiting for the next email that says I can't sell CSP anymore.

At the very least, is there going to be someone I can talk to at Ignite?

JanoschUlmer
Microsoft

@chighland : As a Partner with Action Pack, Silver or Gold Competency status you can raise an advisory request in the Technical PreSales & Deployment Services team to get direct guidance - see the option to create a request here: https://partner.microsoft.com/en-us/support/azure-presales-deployment#tab-content-2

If you have an Advanced Support for Partners support contract you can raise a cloud consult request via your service account manager; this is also possible via your TAM if you have Premier support. Or ask the PDM to contact me directly.

However, @cstelzer has explained it quite well that this is the expected behavior of the baseline policy; some of this is already documented.

Just a few more additional notes: your PDM might refer to a separate tenant. The PDM is using an internal report that is different from the report you see on Partner Center. The internal report just lists all the relevant tenants for a Partner where the configuration seems not to be sufficient (and it is quite common that Partners have multiple tenants, e.g. a Sandbox tenant). Usually, by enabling the baseline policies the tenant should be marked as compliant in the internal report, so I wonder if the PDM referred to the correct tenant. You can ask your PDM for the tenant name/ID to ensure you are talking about the same environment.

Also note that there is no plan to block a Partner from CSP altogether when there are issues. The technical enforcement (details & date TBD) will check each login for whether it is in compliance, so the risk is "only" that users not doing MFA might be blocked from logging in. And by enabling the baseline policies you fulfill the requirements documented in the CSP program guide, so while technically there might be reasons compliance is not showing 100%, from a contract perspective the baseline policies take care of everything.

 

I will ask if there is some session in this or relevant experts for this attending Ignite.

Kind regards,
Janosch
Get consultations from the Technical Presales & Deployment services team via https://aka.ms/technicalservices
chighland
Level 1 Contributor

@JanoschUlmer Thank you for replying! I don't have Advanced or Premier support, but I'll definitely look into those plans. It may be a good investment for our future. I can do a Technical Presales request though.

We don't have another partner tenant, so that should be good. I'll ask him just to make sure. I think you and @cstelzer are correct in your assessment though.

I'm glad it won't shut down CSP business. That makes me feel a lot better about this. I appreciate your help, and definitely let me know if there is something partner-related at Ignite. I'll show up.

cstelzer
Level 3 Contributor

So, pretty sure what's happening here is that the current "Baselines" rule for End Users is set up to ONLY require MFA when your login is "At Risk". Microsoft plans to change this at a future date (no ETA last I checked).

So, until then, there's a bit of a mismatch. You're "Compliant" in that you have the rules "Enabled", but you're not ACTUALLY compliant because you are not MFA'ing all requests to the Partner Center dashboard.

 

I was previously in your situation, utilizing At Risk policies to enforce MFA through Identity Protection. My CSP contacts told me we were NOT compliant, so I rolled out my own CA rules to enforce MFA at all times for all apps. Once the compliance report (https://partner.microsoft.com/en-us/pcv/security/compliance) in CSP told me I was 100%:

Percentage of requests to Partner Center with MFA
  • Through Partner Center portal:
    100%
  • Through API or SDK:
    100%

My CSP contacts told me I was showing as "Compliant". Curious to know what you're showing as a % in the above report https://partner.microsoft.com/en-us/pcv/security/compliance. Pretty sure until Microsoft changes the End User Baseline Policy to ALWAYS enforce MFA you won't meet 100% compliance.
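For anyone reading this thread who wants to see what "my own CA rules to enforce MFA at all times for all apps" looks like in practice, here is an added example (not cstelzer's actual policy and not Microsoft sample code) that creates such a Conditional Access policy with the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph` module is installed, that the signed-in account can manage Conditional Access, and that the emergency-access (break-glass) account object ID shown is a placeholder you replace with your own. The key difference from the at-risk baseline is in `conditions`: all users and all cloud apps are in scope unconditionally, so MFA is required on every sign-in rather than only on risky ones.

```powershell
# Added example: Conditional Access policy requiring MFA for all users on all cloud apps.
# Not the thread author's policy; Microsoft.Graph PowerShell SDK assumed installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access account, excluded so a broken MFA
# registration cannot lock every admin out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$params = @{
    displayName   = "CA001 - Require MFA for all users, all cloud apps"
    # Report-only first so you can review sign-in logs for impact; change to "enabled"
    # once you are satisfied nothing legitimate would be blocked.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State

# Check: which policies in the tenant actually require MFA, and is any of them enforced
# (State = "enabled") rather than disabled or report-only?
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, State,
        @{ n = "Users"; e = { $_.Conditions.Users.IncludeUsers -join "," } },
        @{ n = "Apps";  e = { $_.Conditions.Applications.IncludeApplications -join "," } }
```

The final query is the quick way to verify the situation the thread describes: a tenant can show MFA-related policies as present while none of them is both enforced and scoped to all users and all apps, which is exactly the gap between "rules enabled" and the percentage the Partner Center compliance report measures.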
chighland
Level 1 Contributor

Thank you for this info! This must be part of what is going on here. I looked at the MFA status report and it says:

Percentage of requests to Partner Center with MFA
  • Through Partner Center portal: 7%
  • Through API or SDK: N/A

7% sounds extremely low, but if it's only counting the admins right now who have the mandatory baseline then that might make sense.