Do we need to enforce MFA for all users that we manage or only our own organization which manages all of our clients?
im confused about the MFA requirements.
the docs say
All partners in the CSP program, Advisors, and Control Panel Vendors are required to enforce MFA for all users in their partner tenant.
what is our "partner tenant" does this mean everyone we sell licenses to or manage, need to have MFA enabled for ALL users? meaning thousands of users need to use MFA
or do we just need to make sure everyone in OUR organization is using MFA and its just our shop of 10 techs for example.
I think I have answered this already in another threads where you posted, but for completeness: No, it does only apply to your own AzureAD tenant you use as Partner, so in your own organization, not the customer tenants you manage and sell licenses to.
OK Great, Thank you for the clarification.
I'm also confused. do I need to implement this for ALL accounts in my partner tenants? including service accounts for email notifications?
what about non-admin users.
which accounts require MFA and how can I tell by looking at an account in the portal if its required or not?
All user accounts, regardless if they are using Partner Center or not, also all service accounts and all guest accounts. For every user account that is listed in your AzureAD.
Reasoning for this is because of lateral movement of attacks - any user account not protected is a potential entry for an attacker to gain additional permissions.