Force MFA prompt when entering Partner Center
Is there a way to force an MFA prompt when someone accesses the Partner Center?
I can't seem to see a Partner Center application in CA policy?
This is not possible. However, when somebody accesses any CSP-related area in Partner Center, they would be forced to use MFA, respectively it would be checked if authentication did happen using MFA (So user might not see an additional prompt if MFA was done before, e.g. user logs on from a Windows client device where Hello for Business is used). And Partner Agreement demands that all users in the tenant where Partner Center is used to manage CSP customers are enabled for MFA (regardless if they use Partner Center or not), or AAD security defaults have been turned on.
Bugger, everyone has MFA per the agreement, more was trying to force an additional prompt when accessing the partner centre just due to the access it gives to our client's tenants.
How do you enforce MFA currently? Because if you enforce MFA anyway for AAD sign-in anyway, even when you could set a CA policy for Partner Center the user would not see an extra prompt since the authentication token would already contain the MFA claim.
Ok then, yep that's not going to work but I think I've found another way to get what I need.
I'll need to test it but seen a few people talking about adding yourself to the Admin Agents group via PIM which should satisfy the requirement. (I've been asked to implement an extra prompt by mgmt before our techs can access client data)
I think you might be interested in this announcement about GDAP also: https://docs.microsoft.com/en-us/partner-center/announcements/2021-november#5 - which will drastically change the delegated admin concept.
Also this option: https://partner.microsoft.com/en-US/resources/detail/cybersecurity-with-azure-ad-pdf Which talks about how Partner can get the AAD P2 licenses for free which are required for what you want to enable - Privileged Access Groups.