Multi-Factor Authentication (MFA)

Hi Many Thanks for your reply.

I am really confused here and till your response I am struggling to get any response that I can understand.

In short I use a distributor to buy my office 365 licences via csp. When I create a new account I get an admin login for that new tenant, I have around 50 of these for separate companies. I have last night for all of these admins accounts manually enforced MFA so that it will txt my mobile and have also generated an application password. So I use these accounts to administer the various tenants, not my own through any delegation. My own 365 has an admin and my account and both have been manually setup to use MFA.

I Have been lead to believe that I should have had a correspondence from Microsoft and or my distributor some weeks ago saying that I should set this for all users via base line policies as far as I can tell and that it should have been completed by August the 1st this year and failure to do could lead to me not being able to still work within CSP. I have been questioning this since last week when I had the email from Microsoft telling me to do it, which arrived after August the 1st.

As you can imagine I am confused and also worries that I may loose my customers as a result of this not being communicated to me in time?

Yes, this has certainly been a rushed process by all accounts, but the potential negative impact of having an account with delegated admin credentials via CSP to a lot of customer tenants is huge, so I understand the urgency. As a direct CSP the first communication I saw regarding the August 1st deadline was sometime in June.

The correspondence you received should only be in regards to your own specific O365 tenant that contains accounts used to authenticate to Partner Center to manage customer licensing and subscriptions, or if you use any 3rd party apps, you're supposed to use the new Secure Application Model from Microsoft.

It sounds like you're doing the right thing from a best practice standpoint of enabling MFA for any dedicated admin accounts you're creating directly in the customers' O365 tenants. We do this as well, because even with delegated permissions via CSP we can't access some things like the Security & Compliance center, so at times we need to use these dedicated accounts.

Beyond that, while I highly recommend it, it's not required for all accounts in every customer tenant to have MFA enforced. This could be done via the baseline policies, or through Conditional Access or explicit enforcement per account, but generally requires some handholding to deal with MFA on older versions of Office, or 3rd party mail apps on mobile devices.

At this point, the August 1st deadline was contractual only. Microsoft has yet to announce a technical enforcement date. Only once that unannounced date passes will you lose access to managing customer licensing/subscriptions via CSP if you aren't "compliant" in Microsoft's eyes. 

Many Thanks again for your detailed reply. I really hope that my distributor agrees with your explanation in the morning when I speak to them. It will make me smile if they do, as I tried to explain almost exactly what you did to them and a microsoft employee in a converance call this morning and they both told me that I had to do this for all users of all accounts that I administered.

I will out of courtesy to you let you know the outcome.

Many thanks once again.