- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Subscribe to Topic
- Printer Friendly Page
Do we need to enforce MFA for all users that we manage or only our own organization which manages all of our clients?
im confused about the MFA requirements.
the docs say
All partners in the CSP program, Advisors, and Control Panel Vendors are required to enforce MFA for all users in their partner tenant.
what is our "partner tenant" does this mean everyone we sell licenses to or manage, need to have MFA enabled for ALL users? meaning thousands of users need to use MFA
or do we just need to make sure everyone in OUR organization is using MFA and its just our shop of 10 techs for example.
I think I have answered this already in another threads where you posted, but for completeness: No, it does only apply to your own AzureAD tenant you use as Partner, so in your own organization, not the customer tenants you manage and sell licenses to.
See also https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#are-my-customers-subject-to-the-partner-security-requirements
OK Great, Thank you for the clarification.
I'm also confused. do I need to implement this for ALL accounts in my partner tenants? including service accounts for email notifications?
what about non-admin users.
which accounts require MFA and how can I tell by looking at an account in the portal if its required or not?
All user accounts, regardless if they are using Partner Center or not, also all service accounts and all guest accounts. For every user account that is listed in your AzureAD.
Reasoning for this is because of lateral movement of attacks - any user account not protected is a potential entry for an attacker to gain additional permissions.
You can check on how many accounts are using MFA in Partner Center, you can see the specific accounts in Azure AD Sign-In Logs and via Powershell.