
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 1 Contributor

Re: Guest accounts require MFA?

The only accounts that should require MFA are those pictured below.

 

[Image: Annotation 2019-08-29 195619.png]

Microsoft

Re: Guest accounts require MFA?

Please note that the program guide for the Cloud Solution Provider program does not make any distinction between the various types of accounts (e.g. admin, non-admin, guest, service, etc.). All accounts are required to have MFA enforced. There are multiple reasons behind this, and several of those reasons have been discussed through this thread. Given the highly privileged nature of being a partner and the numerous methods by which credentials can be compromised, all accounts are subject to these requirements.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 1 Contributor

Re: Guest accounts require MFA?

Thank you for the clarification, Isaiah.

 

If we (a Partner) were to

     a) have all our customers remove any existing delegated administration rights we have, and

     b) never ask for or be granted delegated administration rights by any customer, and

     c) therefore never access customer tenants using our own accounts,

does that remove the requirement to have MFA enabled on our tenant?

Microsoft

Re: Guest accounts require MFA?

I think I have answered this question also on the Partner Yammer - but for completeness and for others in this forum:

 

It does not change anything; the contractual requirement makes no distinction if delegated admin (DAP) is set or not.

This would also not reduce the overall risk imo - not having DAP right now does not mean an attacker would not find a way that the customer would accept a new relationship invite with DAP that he received from his trusted business partner.

Also, not having DAP at all means that you cannot create a support request on behalf of the customer, certainly not an acceptable scenario long term.

 

The only way not to implement MFA is to offboard this tenant from CSP, so not doing any business as CSP or as Advisor with this tenant.