
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 1 Contributor

Re: Guest accounts require MFA?

The only accounts that should require MFA are those pictured below.

[Attached image: Annotation 2019-08-29 195619.png]

Microsoft

Re: Guest accounts require MFA?

Please note that the program guide for the Cloud Solution Provider program does not make any distinction between the various types of accounts (e.g. admin, non-admin, guest, service, etc.). All accounts are required to have MFA enforced. There are multiple reasons behind this, and several of those reasons have been discussed through this thread. Given the highly privileged nature of being a partner and the numerous methods by which credentials can be compromised, all accounts are subject to these requirements.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 1 Contributor

Re: Guest accounts require MFA?

Thank you for the clarification, Isaiah.

 

If we (a Partner) were to

     a) have all our customers remove any existing delegated administration rights we have, and

     b) never ask for or be granted delegated administration rights by any customer, and

     c) therefore never access customer tenants using our own accounts,

does that remove the requirement to have MFA enabled on our tenant?

Microsoft

Re: Guest accounts require MFA?

I think I have answered this question also on the Partner Yammer, but for completeness and for others in this forum:

 

It does not change anything; the contractual requirement makes no distinction whether delegated admin (DAP) is set or not.

This would also not reduce the overall risk imo. Not having DAP right now does not mean an attacker would not find a way for a customer to accept a new relationship invite with DAP that he received from his trusted business partner.

Also, not having DAP at all means that you cannot create a support request on behalf of the customer, certainly not an acceptable scenario long term.

 

The only way not to implement MFA is to offboard this tenant from CSP, so not doing any business as CSP or as Advisor with this tenant.

Level 1 Contributor

Re: Guest accounts require MFA?

We use two CSP tenants to host our web applications in Azure, one Azure subscription in the first tenant and two subscriptions in the second. I have an admin account in one tenant, which is also enrolled as a guest admin in the second tenant. After enabling baseline policies to require MFA for admins in both tenants, my experience as a developer is completely pathetic.

 

When using Visual Studio, Azure Storage Explorer, Azure Artifacts, PowerShell and other tools I have to log in up to 3 times to access all Azure subscriptions in our tenants.

 

For example, I am deploying ARM template using Visual Studio 2017.

 

Before enabling baseline policy:

 

1) Click add account in Deploy to resource group dialog

2) Enter admin login

3) Enter admin password

4) Enter code from MFA from main tenant of the admin account

5) Deploy to any of the 3 Azure subscriptions

 

 

After enabling baseline policy:

1) Click add account in Deploy to resource group dialog

2) Enter admin login

3) Enter admin password

4) Enter code from MFA from main tenant of the admin account

5) Enter admin login

6) Enter admin password

7) Enter code from MFA from guest tenant of the admin account

8) Enter admin login

9) Enter admin password

10) Enter code from MFA from guest tenant of the admin account

11) Deploy to any of the 3 Azure subscriptions

 

What makes things worse is that there is no indication which tenant I am logging into on the login screen (see attached image). Each tenant has different MFA and you need to guess which one to use. After trial and error I have figured out that at first it requires main tenant credentials, then guest tenant credentials two times (for each subscription in the tenant, I suppose).

 

Another issue is that for some reason Visual Studio forgets the account much sooner now, and I have to go through this painful process at least every week. Azure Storage Explorer fails to remember credentials at all; I have to log in 3 times after each restart of the application.

Microsoft

Re: Guest accounts require MFA?

Why do you use two separate tenants? As a Direct CSP you can also use the Azure Partner Shared Services, which also allows you to provision multiple subscriptions in the same tenant.

And while it is certainly advisable to enable MFA for admin roles everywhere possible, MFA is only mandatory in the tenant you as CSP partner are using for Partner Center & end customer management, not in all tenants you as a company own and where your services are running.

 

Using e.g. Azure Partner Shared Services would automatically allow you to use your Partner delegated admin credentials, with no need to work with guest accounts, which solves certain issues you are seeing.

 

When you are adding your account as a guest to a tenant which also requires MFA, there will always be multiple MFA prompts: one time for authenticating in your home tenant, and when accessing the other tenant MFA will again be required for the guest account. Since this other tenant cannot use the MFA registration info from your home tenant, it is a completely separate MFA process. If you would work with delegated admin credentials, there would be only one prompt when authenticating in your home tenant; when accessing the 2nd tenant no additional MFA prompt would be triggered.

 

Finally you could also choose to use the push notification in your token app instead of entering the code - this way you don't have to guess which of the accounts is used.

 

Level 1 Contributor

Re: Guest accounts require MFA?

Thank you for your reply, it makes sense.

 

We ought to use separate tenants because they are from different countries and purchased from different top level CSP partners by two separate companies.

 

We decided to remove the guest admin account and use separate accounts in each tenant. This way all development tools work as expected.

Visitor 1

Re: Guest accounts require MFA?

Hi,

 

We are using our accounts in our tenant with delegated admin rights for our customers.

For this I clearly accept that we have to use MFA.

We use the accounts name@contoso.com for this.

 

But... as we have several more licenses than users in the company, we also have our relatives as users in this tenant. Their users are like mom@myfamily.com, dad@hisfamily.com, son@... you get the idea. These are simple user accounts for using a mailbox, outlook, word and the like, they have no admin rights whatsoever and are not involved in our business at all.
Do they also have to use MFA? 

Level 1 Contributor

Re: Guest accounts require MFA?

As I understand it, yes. EVERY user in the 'partner admin' tenant requires the use of MFA, regardless of their actual access rights.

For example, we use a number of service mailboxes (admin@, support@); all of these now require MFA enabled even though they're just shared mailboxes with no admin rights whatsoever.
Microsoft

Re: Guest accounts require MFA?

@Rohling As stated before, every user account. Because an attack can & will spread laterally, an affected non-admin user will be a venue for an attacker to gain more permissions, e.g. the attacker sends internal phishing emails from one of those compromised internal accounts to other users in this tenant etc.

Clearly stated in the FAQs: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#what-are-the-key-actions-i-need-to-take-to-meet-the-requirements 

 

In my opinion having non-business users in a tenant that is used for business purposes, like the mentioned relatives, is a clear no-go. Not just because of MFA requirements; it is just good business & recommended security practice. And since those non-business users would need to get their own licenses anyway (usage of internal use rights licenses from the Partner Agreement is not allowed for non-employees; you can check the MPN agreement on this yourself), building a separate tenant for them would be the recommended option.

Visitor 2

Re: Guest accounts require MFA?

I was surprised to learn months ago that non-admin users are also required to enable MFA. But I understand and accept the security risk explained in this thread.

For guests I cannot follow that security risk. Is the risk that I send critical information or credentials or MFA tokens to a guest and the guest is not the guest but a hacker/intruder? Why the hell should I do this to a regular guest anyway?

Finally, Office 365 with Teams is a perfect collaboration tool and coworkers understand and accept being onboarded as a guest. It works and it proves to our customers that Office 365 is a great tool. Now we are forced to go one step back.

My practical experience:

  • Baseline Policy is deprecated, ignore them.
  • Enable modern authentication for the tenant with PowerShell (do this without MFA), otherwise Outlook will not work any more.
  • We started to enforce MFA by enabling Security Defaults in Azure AD (Properties). I did a test with my own guest account and at least the process to enable MFA for a non-tenant (a plain Microsoft user) guest works fine; they are, however, treated by the Authenticator as a business user, which is clearly stated in the instructions.

But let's see if I will be alone in my next Teams meeting with my business partners.

 

My wish and my questions: 

1) I have to try: Can you please do one step after the other and not enforce guests to use MFA for the time being (maybe in one year MFA is much more accepted?)? Enforce guest policies instead which will avoid or address the guest risks, whatever they might be (RED BIG LETTERS when a guest writes in a team channel?).

2) Can you give instructions on how to divorce our tenant from the partner world to continue our business, and set up another tenant for the partner world with one dummy license to maintain the customers?

 

Level 1 Contributor

Re: Guest accounts require MFA?

Hold on. I'm not clear.

Do we have to enable MFA for all user accounts for OUR CLIENTS? Meaning every company we work with has to enable MFA for all users.

OR

Do we have to enable MFA for all users in OUR partner admin account that has access to all the clients?

 

Microsoft

Re: Guest accounts require MFA?

I can understand the feedback about guest users, I had the same discussion internally - however, guest users now can get some access to Partner Center and generally they may be a venue for an attacker to get information (--> social attacks) or to "infiltrate" a tenant (e.g. phishing email from "trusted" guest).  So the decision was made not to allow any exclusions.

 

Reg. your ask:

 - Well, those decisions were made several layers above me, so I have little influence on this. However, it is currently not planned to enforce MFA for guest users, unless they access Partner Center. This does not mean they are excluded from the policy; it just means that if you don't enable MFA for guest users there will not be technical problems in the foreseeable future. Still, the Partner agreements demand this and it is recommended. See also https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-mandating-mfa

 - Splitting tenants: This is difficult, two options:

1. Move CSP business to a new tenant: create a new tenant, do the enrollment as CSP again for this new tenant, reinvite all customers, then, if you are Direct CSP, reprovision all licenses for existing customers. Finally contact support and ask to offboard the old tenant from CSP. The final result will be that the old tenant is used for production and MPN management in Partner Center, and the other tenant is for CSP management. Dummy licenses are not required; a tenant can be created for free. For Indirect Resellers this is easier since the licenses do not need to be replaced for all customers.

2. Move production to a new tenant: create a new tenant, talk to a 3rd party about how to move data & configuration between tenants. Migration between tenants is not really documented by Microsoft, nor does Microsoft deliver any tools for doing this. Depending on how you use the cloud services this might be a lot of work.

I personally recommend Option 1, if any. But it really depends.

Microsoft

Re: Guest accounts require MFA?

No, all user accounts in the tenant you use as Partner for CSP business, not mandatory in end customer tenants.

See also https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#are-my-customers-subject-to-the-partner-security-requirements

 

Are my customers subject to the partner security requirements?

No, it is not required that you enforce MFA for each user in your customer's Azure AD tenants. However, it is recommended that you work with each customer to determine how best to protect their users.

Visitor 1

Re: Guest accounts require MFA?

I have to ask, why can a guest's home tenant not send some kind of attestation that MFA is in place on the home user account?

 

We have lots of our customers in our tenant as guests for Teams channels because we invite the customer primary contact(s) into a channel that has their support engineers present. When we switched on conditional access to enforce MFA on all users the guests got prompted to setup MFA even though they already have MFA on their home account.

 

For the time being I've added an exclusion on our conditional access policy to exclude guests, and the dashboard is still saying we're 100% compliant after a few days, but what I'm reading here is that potentially these guest accounts are going to become useless unless all the guests wrestle with adding MFA on every instance where they're a guest (which is totally mad).

 

We're not creating another tenant and shoving all our CSP stuff in there, it just adds so much friction and if anything reduces security because right now when someone joins or leaves our organisation their Azure AD account sets up and cuts off their access to everything. If we begin having separate accounts in another tenant for CSP you can bet someone is going to forget to cut that off when someone leaves and access carries on until someone notices.

 

We are 100% on board with MFA being required, and I understand requiring MFA on a guest that doesn't reside in another Azure AD tenant (like a random @gmail.com user should be made to setup MFA), but where the user originates from Azure AD and has MFA on their home account, can it be that hard for MSFT to pass some kind of trusted flag across to the guest login that skips MFA if the home account has it?
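The exclusion described in the post above is exactly the gap the agreement does not allow for: a tenant can look "100% compliant" while guests are carved out of the MFA grant. The following audit script is an added example (not from the forum or from Microsoft) that walks Conditional Access policies in the JSON shape Microsoft Graph returns for `/identity/conditionalAccess/policies` (assumed schema; the policy documents below are constructed for this example) and flags MFA policies that are report-only, not scoped to all users, or that exclude guests.

```python
"""Audit Conditional Access policies for the guest-exclusion gap.

Assumptions: policies follow the Microsoft Graph conditionalAccessPolicy shape
(conditions.users.includeUsers / excludeUsers, grantControls.builtInControls).
SAMPLE_POLICIES below is constructed for this example, not captured from a tenant.
"""
import copy
from typing import Dict, List

# Legacy token that can appear in includeUsers/excludeUsers to mean "all guests".
GUEST_TOKEN = "GuestsOrExternalUsers"

SAMPLE_POLICIES: List[Dict] = [
    {   # MFA for everyone, but with the guest carve-out from the post above
        "displayName": "Require MFA for all users", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": [GUEST_TOKEN]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {   # Not an MFA policy; should be ignored by the audit
        "displayName": "Block legacy auth", "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {   # Newer guest-targeting object, but only in report-only mode
        "displayName": "MFA for guests", "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": [], "includeGuestsOrExternalUsers": {
            "guestOrExternalUserTypes": "b2bCollaborationGuest"}}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def requires_mfa(policy: Dict) -> bool:
    """True when the grant control demands MFA (alone or inside an AND/OR set)."""
    return "mfa" in ((policy.get("grantControls") or {}).get("builtInControls") or [])


def targets_all_users(policy: Dict) -> bool:
    users = policy.get("conditions", {}).get("users", {})
    return "All" in (users.get("includeUsers") or [])


def guests_excluded(policy: Dict) -> bool:
    """True when guest/external users are carved out via either representation."""
    users = policy.get("conditions", {}).get("users", {})
    if GUEST_TOKEN in (users.get("excludeUsers") or []):
        return True
    ext = users.get("excludeGuestsOrExternalUsers") or {}
    return bool(ext.get("guestOrExternalUserTypes"))


def audit(policies: List[Dict]) -> List[str]:
    """Return one finding per weakness in the tenant's MFA policies."""
    findings = []
    for p in policies:
        if not requires_mfa(p):
            continue
        name = p.get("displayName", "<unnamed>")
        if p.get("state") != "enabled":
            findings.append(f"{name}: MFA policy not enforced (state={p.get('state')})")
            continue
        if not targets_all_users(p):
            findings.append(f"{name}: MFA not scoped to all users")
        if guests_excluded(p):
            findings.append(f"{name}: guests excluded, agreement still requires MFA")
    return findings


def guests_covered_by_mfa(policies: List[Dict]) -> bool:
    """True if at least one enforced all-users MFA policy does not exclude guests."""
    return any(requires_mfa(p) and p.get("state") == "enabled"
               and targets_all_users(p) and not guests_excluded(p) for p in policies)


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES):
        print(line)
    print("guests covered:", guests_covered_by_mfa(SAMPLE_POLICIES))
```

Removing the `excludeUsers` entry from the first policy is the single change that makes `guests_covered_by_mfa` return True for this sample.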

Microsoft

Re: Guest accounts require MFA?

I think this is a good suggestion; unfortunately I do not know of any plans to do that (and you are correct that technically this might be possible).

Just checked on UserVoice; for a similar idea only two votes are added: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37590304-b2b-scenario-the-b2b-guest-user-should-use-the-m

So please vote! :-)

 

I can understand your concern reg. the additional admin effort of having two tenants; I don't agree, though, that it would lower security. For an on-/offboarding scenario there should be a good, formal process set up anyway that covers all the aspects, from account deletion in all separate systems to removing physical access and device/data deletion & retention; it would be easy to add the deletion of the other account to this process as an additional step. And in Azure AD there are also some services integrated to help with access reviews that can make this easier, and Automation can be used to automate deletion in multiple environments.

 

The main concern I personally have with a single tenant: think about an admin that should only care about internal production, e.g. somebody that has permissions to change group membership in the tenant. This admin could elevate his permissions to become admin in all customer tenants when he puts himself in the Admin Agents group. Might not apply to your scenario, but this is the reason I'm thinking of mostly when talking about this.

Visitor 1

Re: Guest accounts require MFA?

We've been working with two tenants for some time and have been told by our PDM and distribution partner that we need to consolidate down to a single tenant so that we can properly take advantage of incentives and back-end rebates. Are you saying that we should stick with two tenants and that we can still get all of the other back-end pieces correctly?

Microsoft

Re: Guest accounts require MFA?

@hughc70: I do not see why having two tenants would prevent you from receiving incentives and rebates.

Only if you would have two distinct MPN organizations in two tenants might this become a problem; maybe the contacts you have spoken with refer to this?

 

Two tenants in regard to this discussion means that you have one tenant where Partner Center is used for MPN management. There you create a location in the MPN organizational structure, and the 2nd tenant which you use for CSP is linked to the MPN org via this location ID. This way all CSP revenue is reported back to your MPN org, and in the incentive management in the "MPN tenant" you will see that you can manage incentives for the respective location also.

So it is still one MPN organization.

 

Global Partners that have CSP business in different regions need to have such a setup, and they can also get rebates and incentives.

Level 1 Contributor

Re: Guest accounts require MFA?

We are considering splitting our tenant because of these requirements and honestly the confusion about what is and is not required (if you look you will find documentation edited as late as 11/11/19 stating only accounts that access the customer portal are required to have MFA.)

 

I would really like to do option 1 but I've got about 300 customers on our account. What I'm not sure of is how do I know if we are a direct or indirect reseller? If we sell through Synnex for example, is that indirect? Also, if we select option one does that affect/change our partner ID and partner of record ID? (Does the POR even matter anymore for CSP? Seems it was mostly used for customer self pay for the kickback.)

 

Right now is the ideal time for us to make this decision because we have very few production resources in O365 but are literally in the middle of prepping to move all our email to 365 and to start using teams. If option 2 proves to be more feasible/easier I would rather do it now than after all my users are migrated. OTOH I would rather keep the current tenant as our production tenant since any decent other variations of our name for production use are gone and a decent one still exists for that side of the business.

 

I don't like having to split the tenant but management won't approve of the MFA for all, especially when it affects customers/prospects. It unfortunately means it's a separate thing to manage and we have to be vigilant about manually disabling a second set of accounts since we can't tie it to our AD and disable via SSO like we currently do. MFA won't help here since most of our techs have to use their personal devices for MFA as it is.

Microsoft

Re: Guest accounts require MFA?

@CM42 

the confusion about what is and is not required (if you look you will find documentation edited as late as 11/11/19 stating only accounts that access the customer portal are required to have MFA.)

There is a difference between what is required from an agreement perspective (all accounts need to have MFA) and what is technically enforced (delegated customer management since Nov. 11, Partner Center access in H1 2020...). So even though it is technically not enforced for every scenario, this does not change the overall requirements.

 

If we sell through Synnex for example is that indirect? 

Yes, that is indirect.

 

Also if we select option one does that affect/change our partner ID

A new, additional Partner ID will be created when going for Option 1 (split of CSP to a new tenant). I cannot tell if Synnex would need to update their records, though, since the MPN ID for the organization would stay the same.

I have summarized steps for Option 1 here: https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/Requirements-clarification-please/m-p/15516/highlight/true#M734

 

and partner of record ID? (does the POR even matter anymore for CSP? Seems it was mostly used for customer self pay for the kickback). 

If you have CSP relationships with all of your customers, POR does not matter. You are correct that it is used for customers which buy via other channels. If in Partner Center you see customers with a relation type of "Advisor", those are the ones which are using Partner of Record. When you split off the CSP business to a new tenant, you should also update existing POR to the new Partner ID you create when going through this process, otherwise those customers will still be shown as managed customers in the old tenant, and thus the MFA requirements would still apply.

 

 

Overall, in your scenario I would recommend going for option 2, because of the work when migrating 300 customer relationships to a new tenant. The .onmicrosoft.com domain name is invisible most of the time for the users; only in the SharePoint & OneDrive URL can this be seen. Maybe you find some suitable naming convention/tenant name for this.

Level 1 Contributor

Re: Guest accounts require MFA?

Well, we also have a whole bunch of licenses in that tenant that we are using in production that I'm not sure we can get moved? They are a mix of licenses we earn as a partner and ones we bought from our vendor (also under CSP) and an Azure VM we use for dev. I've spoken to the managed services managers and they seem ok with reassigning all 300 accounts if it's as simple as sending out a blanket delegation request and then following up with those that have not accepted after a few days. One question that did come up, and I believe the answer is yes, is can a customer have delegated admin access under 2 different tenants? Once we are done with adding them under the new tenant, does asking Microsoft to remove the old tenant from CSP disconnect all of those customers? Also I think you said we can still manage the partner relationship from the original (I guess parent?) account? I'm pretty sure this is happening, just which way is the best is the question now. There are some certification (NIST, etc.) reasons behind it now also.

Microsoft

Re: Guest accounts require MFA?

Partner Internal Use Rights licenses cannot be moved to another tenant; you can activate the new token you get during the next renewal in a different tenant, though.

CSP licenses can be reassigned (actually those are provisioned again in the new tenant and suspended/cancelled in the old one by the CSP partner that sold them).

An Azure subscription can also be moved to a different tenant, though the Azure VM itself probably has no dependency on the tenant anyway.

 

Yes, a customer can have reseller relationships and delegated access with multiple Partner tenants. Reseller relationship and delegated access are two different things: you can send the CSP invite with or without delegated access, and the customer can remove delegated access permissions without impacting the reseller relationship.

 

Once we are done with adding them under the new tenant does asking Microsoft to remove the old tenant from CSP disconnect all of those customers?

If you are indirect, you should discuss this with the CSP provider you are working with. Usually they can update their records and map the sold licenses to the new CSP account/Partner ID; then you can remove the reseller relationship on your end: https://docs.microsoft.com/en-us/partner-center/remove-a-relationship

If you are direct, you can remove the reseller relationship after you have suspended all the licenses in the old CSP account.

 

Also I think you said we can still manage the partner relationship from the original (I guess parent?) account?

As long as you did not remove the reseller relationship, yes. There is no "parent" CSP account, though: when you split out the CSP to a new tenant there is just an old CSP enrollment and a new CSP enrollment, both are even. Only in this scenario you likely have Partner Center for MPN management still in the old tenant, so from an MPN org perspective the old tenant is the MPN "parent" and the new CSP tenant is linked to a location ID in the MPN org structure.

 

 

Level 1 Contributor

Re: Guest accounts require MFA?

Thanks, this information has been very helpful. It would be nice if my Microsoft Partner team/reps would reach out occasionally like they used to years ago. I'm not even sure who they are anymore and who I can address additional questions to.

Microsoft

Re: Guest accounts require MFA?

Only a few Partners have dedicated account teams, I guess only around ~1%. So if you haven't been contacted, it might be just due to the fact that there is nobody assigned.

 

As a Partner with Action Pack, Silver or Gold level you can raise a technical advisory request via askpts@microsoft.com to get technical guidance, also on CSP topics.

For any programmatic question on MPN and CSP, the Partner Center Dashboard includes a support option.

 

For Partners that have Premier (aka Unified support) or ASfP support, there is a dedicated services/technical account manager.