How to enforce MFA for CSP delegated admin logging directly in to a customer tenant?
I recently found out that you can log in to a customer tenant with your CSP admin user directly without going through the partner center. For Azure portal for instance, you can simply go to "portal.azure.com/<customer>.onmicrosoft.com". Only problem is that there is currently no way to enforce MFA for delegated admins. Even though MFA is enforced on the admin user on the CSP tenant, and the customer tenant has enabled the preview conditional access rule that requires MFA for any admin role, MFA does not kick in in this scenario. There is no way to enforce MFA on delegated admins, because they don't show up as a user object, nor a user group in the customer tenant.
A hack I've applied for now is using Conditional Access, include all users in the scope, and exclude a dynamic user group containing all users in the tenant (user.userType -ne null), and require MFA for all cloud apps. This requires Azure AD premium P1 on the customer tenant though, something most of our customers do not.
If anyone gets the UN and PW to any of our CSP admin accunts, they essentially have access to 100+ tenants without MFA, as global admin at Azure AD level, and owner of all subscriptions they buy through us.
Am I missing something, or is this a major security flaw? Any other ways to mitigate this, that will also work for tenants without Azure AD Premium P1 or P2 licenses?
How did you enable MFA for the Partner Center user? E.g. when you set up MFA for this user, did you enforce MFA for the user for all types of logins or did you use conditional access to trigger MFA for specific apps?
There is a new policy type for CA in Preview that allows to trigger MFA for all guest users, interestingly this will also trigger MFA for the Partner Center user with DAP (similar to your hack) - even from description it should only apply to B2b guests.
You are right that one can not simply assume that every customer has Azure AD Premium Plan 1 to set up conditional access, it is also true that for most customer it might make sense to talk about this to secure all of their admin roles and users better.