Forced MFA for "All Users" in partner tenant... but not all users? Service Accounts?



I am very confused about the verbiage that is used around the required MFA for CSPs.


In one instance (on this post), there is "Partners are required to enforce multi-factor authentication for all user accounts in their partner tenant. The terms associated with the partner security requirements have been added to the Microsoft Partner Agreement. As it relates to Advisors, the same contractual requirements will be in place."


But then, three paragraphs above on the same page, it says:


  • All partners in the Cloud Solution Provider program
    • Direct bill
    • Indirect provider
    • Indirect reseller
  • All Control Panel Vendors
  • All Advisors

Can someone PLEASE explain what exactly is needed? We are many other things than just an MSP, and I have users that have never checked their emails. Do these users need MFA enabled too, or just the people that interact with the Partner Center?


Service accounts are the same question: do they have to be MFA enabled? Here it says (under Issue #3): "Answer: No. Since these user accounts are not using Partner Delegated Administration Privileges to manage customer resources, they will not be required to sign in to customer tenant. They will not be affected by Azure AD requiring MFA verification during sign-in to customer tenant."


But that breaks the "All Users" requirement? 


Please help me better understand this situation.





As per contract (Microsoft Partner Agreement) all user accounts in the tenant where the Partner is acting as CSP need to be protected with MFA.


So in the overview of those requirements it is stated: 

Appropriate users

  • All enabled users including guest users


So all user accounts in your tenant need to do MFA whenever they are authenticating via Azure AD - for accessing any service where Azure AD is used as authentication (Teams, SharePoint Online, Exchange Online etc.). It does not matter if those users actually use Partner Center.


The other article you mentioned - where technical enforcement is described - explains how users are affected by the technical enforcement, and indeed the technical enforcement will only happen for access to Partner Center, PC API or end customers.


This does not mean that when there is no technical enforcement, users do not need to be protected by MFA. The "Issue #3" you mentioned on the same page talks about requesting a technical exception, and this can only be done when there is an account that is affected by the technical enforcement (otherwise it would not make sense to request a technical exception from the enforcement).


But even when the account is not affected by technical enforcement, the contract (MPA) still requires this account to be configured for MFA.


In other words - while technically having MFA on a user account that is not using Partner Center will not be checked, you still need to do this. 





Kind regards, Janosch
