Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Take the survey
Reply
CobXTech
Level 3 Contributor
‎11-02-2021 05:59 PM
Level 3 Contributor
‎11-02-2021 05:59 PM

Force MFA prompt when entering Partner Center

Is there a way to force an MFA prompt when someone accesses the Partner Center?

I can't seem to see a Partner Center application in CA policy?

Labels:
0 Kudos
6 REPLIES 6
JanoschUlmer
Microsoft
‎11-03-2021 12:17 AM
Microsoft
‎11-03-2021 12:17 AM

@CobXTech 

This is not possible. However, when somebody accesses any CSP-related area in Partner Center, they would be forced to use MFA, respectively it would be checked if authentication did happen using MFA (So user might not see an additional prompt if MFA was done before, e.g. user logs on from a Windows client device where Hello for Business is used). And Partner Agreement demands that all users in the tenant where Partner Center is used to manage CSP customers are enabled for MFA (regardless if they use Partner Center or not), or AAD security defaults have been turned on. 

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
0 Kudos
CobXTech
Level 3 Contributor
‎11-03-2021 12:28 AM
Level 3 Contributor
In response to JanoschUlmer
‎11-03-2021 12:28 AM

Bugger, everyone has MFA per the agreement, more was trying to force an additional prompt when accessing the partner centre just due to the access it gives to our client's tenants. 

0 Kudos
JanoschUlmer
Microsoft
‎11-03-2021 12:54 AM
Microsoft
In response to CobXTech
‎11-03-2021 12:54 AM

How do you enforce MFA currently? Because if you enforce MFA anyway for AAD sign-in anyway, even when you could set a CA policy for Partner Center the user would not see an extra prompt since the authentication token would already contain the MFA claim.

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
0 Kudos
CobXTech
Level 3 Contributor
‎11-03-2021 03:59 AM
Level 3 Contributor
In response to JanoschUlmer
‎11-03-2021 03:59 AM

Ok then, yep that's not going to work but I think I've found another way to get what I need.

I'll need to test it but seen a few people talking about adding yourself to the Admin Agents group via PIM which should satisfy the requirement. (I've been asked to implement an extra prompt by mgmt before our techs can access client data)

0 Kudos
JanoschUlmer
Microsoft
‎11-03-2021 06:48 AM
Microsoft
In response to CobXTech
‎11-03-2021 06:48 AM

I think you might be interested in this announcement about GDAP also: https://docs.microsoft.com/en-us/partner-center/announcements/2021-november#5 - which will drastically change the delegated admin concept.

Also this option: https://partner.microsoft.com/en-US/resources/detail/cybersecurity-with-azure-ad-pdf Which talks about how Partner can get the AAD P2 licenses for free which are required for what you want to enable - Privileged Access Groups.

 

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
0 Kudos
JanoschUlmer
Microsoft
‎11-03-2021 06:58 AM
Microsoft
In response to JanoschUlmer
‎11-03-2021 06:58 AM

@CobXTech : And btw - if you want to discuss this directly you can also open an advisory request in our team: https://aka.ms/technicalservices 

Kind regards, Janosch (Note: Leaving role as of March 2023, don't expect further answers. Connect with me via LinkedIn: https://linkedin.com/in/janoschulmer)
Follow Us
    Share