Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

CobXTech
Level 3 Contributor

Force MFA prompt when entering Partner Center

Is there a way to force an MFA prompt when someone accesses the Partner Center?

I can't seem to see a Partner Center application in CA policy?

6 REPLIES
JanoschUlmer
Microsoft

@CobXTech 

This is not possible. However, when somebody accesses any CSP-related area in Partner Center, they would be forced to use MFA, or rather it would be checked whether authentication happened using MFA (so the user might not see an additional prompt if MFA was done before, e.g. the user logs on from a Windows client device where Hello for Business is used). And the Partner Agreement demands that all users in the tenant where Partner Center is used to manage CSP customers are enabled for MFA (regardless of whether they use Partner Center or not), or that AAD security defaults have been turned on.

Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team
CobXTech
Level 3 Contributor

Bugger, everyone has MFA per the agreement; I was more trying to force an additional prompt when accessing the Partner Center, just due to the access it gives to our clients' tenants.

JanoschUlmer
Microsoft

How do you enforce MFA currently? Because if you enforce MFA for AAD sign-in anyway, even if you could set a CA policy for Partner Center, the user would not see an extra prompt, since the authentication token would already contain the MFA claim.

Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team
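
The reply above rests on the token already carrying an MFA claim, so a second "require MFA" check passes silently. The following is an added example, not code from the thread or from Microsoft: it reads the claims of a constructed, unsigned sample token and reports whether an MFA requirement would already be met. It assumes the sign-in methods are exposed in an `amr` claim with an `mfa` value; the helper names and the sample user are hypothetical.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT, for inspection only.

    The signature is NOT verified here; never make an access decision
    from claims read this way.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))


def mfa_already_satisfied(claims: dict) -> bool:
    """True if the 'amr' claim (assumed name) records a multi-factor sign-in."""
    amr = claims.get("amr", [])
    if isinstance(amr, str):  # tolerate a single string instead of a list
        amr = [amr]
    return "mfa" in amr


def make_sample_token(amr: list) -> str:
    """Build a constructed, unsigned sample token with placeholder values."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(
        json.dumps({"upn": "tech@partner.example", "amr": amr}).encode())
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    # Constructed sign-in scenarios, not captured from a real tenant.
    for label, amr in [("password only", ["pwd"]),
                       ("password + MFA", ["pwd", "mfa"])]:
        claims = token_claims(make_sample_token(amr))
        met = mfa_already_satisfied(claims)
        print(f"{label:16} amr={claims['amr']} -> MFA requirement met: {met}")
```

A token from the second scenario satisfies any later MFA requirement without user interaction, which is why a per-application policy alone would not produce the extra prompt asked about here.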
CobXTech
Level 3 Contributor

Ok then, yep that's not going to work but I think I've found another way to get what I need.

I'll need to test it, but I've seen a few people talking about adding yourself to the Admin Agents group via PIM, which should satisfy the requirement. (I've been asked to implement an extra prompt by mgmt before our techs can access client data.)

JanoschUlmer
Microsoft

I think you might be interested in this announcement about GDAP also: https://docs.microsoft.com/en-us/partner-center/announcements/2021-november#5 - which will drastically change the delegated admin concept.

Also this option: https://partner.microsoft.com/en-US/resources/detail/cybersecurity-with-azure-ad-pdf, which talks about how partners can get the AAD P2 licenses for free, which are required for what you want to enable: Privileged Access Groups.

Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team
JanoschUlmer
Microsoft

@CobXTech : And btw - if you want to discuss this directly you can also open an advisory request in our team: https://aka.ms/technicalservices 

Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team