Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Take the survey
Reply
metalogic
Level 1 Contributor
‎01-07-2020 05:59 AM
Level 1 Contributor
‎01-07-2020 05:59 AM

Do we need to enforce MFA for all users that we manage or only our own organization which manages all of our clients?

im confused about the MFA requirements. 

the docs say

All partners in the CSP program, Advisors, and Control Panel Vendors are required to enforce MFA for all users in their partner tenant.

what is our "partner tenant" does this mean everyone we sell licenses to or manage, need to have MFA enabled for ALL users? meaning thousands of users need to use MFA

or do we just need to make sure everyone in OUR organization is using MFA and its just our shop of 10 techs for example.

Labels:
3 REPLIES 3
JanoschUlmer
Microsoft
‎01-09-2020 05:08 AM
Microsoft
‎01-09-2020 05:08 AM

I think I have answered this already in another threads where you posted, but for completeness: No, it does only apply to your own AzureAD tenant you use as Partner, so in your own organization, not the customer tenants you manage and sell licenses to.

See also https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#are-my-customers-subject-to-the-partner-security-requirements 

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
metalogic
Level 1 Contributor
‎01-16-2020 07:45 AM
Level 1 Contributor
In response to JanoschUlmer
‎01-16-2020 07:45 AM

OK Great, Thank you for the clarification.

I'm also confused. do I need to implement this for ALL accounts in my partner tenants? including service accounts for email notifications?

what about non-admin users.

 

which accounts require MFA and how can I tell by looking at an account in the portal if its required or not?

 

Thank you.

0 Kudos
JanoschUlmer
Microsoft
‎01-16-2020 08:00 AM
Microsoft
In response to metalogic
‎01-16-2020 08:00 AM

@metalogic

 

All user accounts, regardless if they are using Partner Center or not, also all service accounts and all guest accounts. For every user account that is listed in your AzureAD.

Reasoning for this is because of lateral movement of attacks - any user account not protected is a potential entry for an attacker to gain additional permissions.

 

You can check on how many accounts are using MFA in Partner Center, you can see the specific accounts in Azure AD Sign-In Logs and via Powershell.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
Follow Us
    Share