Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 1 Contributor

Partner Center / CSP with Conditional Access

Hi

We heavily use and love Conditional Access - especially to restrict access to critical apps.

However, we miss an option to enforce MFA when a user signs into Partner Center (there is no dedicated app available when modelling Conditional Access policies).

Will this ever be supported? Meanwhile the only option we are left with is to use dedicated identities for signing into Partner Center and enforce MFA for those identities....

Microsoft

Re: Partner Center / CSP with Conditional Access

Hi @Pirmin

Previously the security requirements were scoped to just Partner Center. There has been a change to the requirements that will require each user in the partner tenant to have MFA enforced when accessing Microsoft commercial cloud services. You can find more information about these changes at https://docs.microsoft.com/en-us/partner-center/partner-security-requirements

Note the MCRA will be updated with these requirements on July 1, 2019 and they will be enforced starting on August 1, 2019.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 1 Contributor

Re: Partner Center / CSP with Conditional Access

Hi Isaiah

Thanks for clearing that up. To comply with the new requirements we need to have enabled:

- Require MFA for admins

- End user protection (which forces every user/guest to register for MFA and requires MFA if a risky sign-in is detected)

correct?

Pirmin

Visitor 1

Re: Partner Center / CSP with Conditional Access

Hi @idwilliams,

The statement is that MFA must be enabled for all users. Because of the limitations of the baseline rules and the fact that they are still in preview, we created custom CA rules which do exactly the same thing. We also use Identity Protection instead of the end user baseline, again because of the preview status and lack of functionality.

The other part is that we need to have an emergency account (https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access). Because we depend on Azure MFA we need another method (a CA rule with, for example, a user/location exception). Otherwise we are unable to manage our environment when MFA has an outage.

Are we compliant?

Microsoft

Re: Partner Center / CSP with Conditional Access

Hi @jvoermanjr,

As long as you are requiring each user to sign in using MFA when accessing any Microsoft commercial cloud service you should be good. With the introduction of the new requirements each user, regardless of what role they have assigned, will need to authenticate using MFA.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Microsoft

Re: Partner Center / CSP with Conditional Access

Hi @Pirmin

Yes, enabling those baseline policies will make you compliant with these new security requirements. The baseline policies will continue to evolve over time, so I would like to encourage you to review the baseline policies documentation from time to time.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Level 2 Contributor

Re: Partner Center / CSP with Conditional Access

@idwilliams Can you clarify how this enforcement will be done exactly? Previously you would enforce MFA on logins to the Partner Center API and Portal, but now that this scope is expanded, will that enforcement be done on other APIs and portals? Do you also plan to enable automatically (without the ability to disable them) those policies that are in your documentation for all tenants or all CSPs? If the scope is expanded that means we now have to accommodate a larger number of changes that we have to make. I also would like to complain that this was very badly planned - changing dates and plans several times and all of a sudden notifying us with a very short period of notice.

Microsoft

Re: Partner Center / CSP with Conditional Access

Hi @stan,

Right now there is a contractual enforcement date of August 1, 2019 that requires each user in a partner tenant to have MFA enforced. This can be accomplished in a number of different ways, including enabling two Azure AD baseline protection policies. You are correct that the scope of these requirements has expanded to sign-in attempts to any Microsoft commercial cloud services for users in a partner tenant. Thank you for providing the feedback; I will be sure that the appropriate teams receive it.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Visitor 1

Re: Partner Center / CSP with Conditional Access

Since the Partner Center is pulling in all the AD accounts, how can we limit which accounts are synced to Partner Center? For example, we have several service accounts that got synced to Partner Center and can't have MFA enabled.

Level 2 Contributor

Re: Partner Center / CSP with Conditional Access

@idwilliams Some follow-up questions:

- In the official guide for enabling these policies, the user policy has an option for exceptions, but when I checked them today in our AAD that exception is missing. Why? What is happening here? It sounds like this was not planned very well if the documentation is not correct?

- What is behind "Microsoft commercial cloud services"? I am pretty sure that most people will not know the exact scope if you do not explicitly state which services/portals/APIs are behind that.

Microsoft

Re: Partner Center / CSP with Conditional Access

@amattb:

Partner Center is not "pulling" the AzureAD accounts; Partner Center is based on the AzureAD account information in the tenant, so you cannot restrict any sync.

Basically the recommendation would be to have one AzureAD tenant only for CSP business where all users have MFA, and a separate tenant for all other use, like internal production. From a local AD you can deploy the sync tool (Azure AD Connect) two times on separate machines and use filtering to decide which user accounts are synced to which AzureAD tenant; of course you can only use a custom domain in one AzureAD tenant at the same time. The recommendation is not only because of the announced MFA security requirements, but generally a best practice for strict separation of permissions (e.g. the Global Admin of your own production environment should not get access to end customer environments).

Microsoft

Re: Partner Center / CSP with Conditional Access

@stan:

From a contract/agreement perspective setting an exception is not allowed. The baseline policies are technically still a preview feature, so it might be that the screenshots shown in the documentation and the actual experience differ a bit (and the documentation then needs to be updated - so thank you for the feedback). The baseline policies are basically a simplified version of Conditional Access rules; for any additional customization needed you can technically also use Conditional Access.

Regarding the 2nd question: basically anything that is using the CSP tenant's AzureAD - Office 365, Dynamics 365, Intune, AIP, Graph API

Level 2 Contributor

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer Thanks! Let me ask a more explicit question as it is important for us. Will the policy affect login to those services via automation tools like APIs, PowerShell, CLI?

Level 3 Contributor

Re: Partner Center / CSP with Conditional Access

So, an example to explain, please.

The baseline does not have an exception for special accounts like meeting rooms and so on, which do not access Partner Center (they have no role assigned there) but are configured to sign in to a tablet showing the meeting entry info. We do not enable the baseline, but use Conditional Access there to limit them to local IPs, without enforcing MFA. Normal users are configured with MFA or using an MDM compliant device (Intune with MDATP policies).

What happens, please?

  • Will Partner Center work normally?
  • Even when a user does not do MFA because he is on a compliant device?
  • Will only this user be unable to access the portal, or all of them?
  • Will the company be compliant with the requirements?
Level 2 Contributor

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer Let me give a little more information. Today I enabled the policies in a sandbox Azure AD. When I log in with a user account to the Azure Portal (so it affects the Azure Portal) I am asked to enable MFA now or within 14 days at the latest. So obviously this affects the Azure Portal as well. When I tried to log in with that account to Azure and Azure AD via PowerShell I did it successfully without any issue, but the problem is what will happen when those 14 days expire and I am forced to enable MFA. Will I be able to log in to Azure and Azure AD via PowerShell without having to enable MFA for that account and using refresh tokens? The scope of these policies is something I have not found documentation for, nor have I found information on how they will affect APIs, PowerShell and CLI.

Microsoft

Re: Partner Center / CSP with Conditional Access

@stan:

Yes, this is why it is also required to adopt the Secure Application Model for automation scenarios: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements#aadsts50076

Microsoft

Re: Partner Center / CSP with Conditional Access

@stan:

To the 2nd question - yes, the Azure Portal is of course also affected (since it uses AzureAD for authentication). It will also affect access via PowerShell, CLI and API if user credentials are used.

The login will only work if you use either MFA (interactive login - so not suitable for automation) or an access token/Secure Application Model instead of user credentials.

Level 2 Contributor

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer This is not good at all. I would call this execution plan a fiasco, as there are a lot of things that were not considered when someone decided to execute this, let alone allowing us enough time to prepare.

Microsoft

Re: Partner Center / CSP with Conditional Access

@WolfKPCS: Generally you need to enable MFA for all access to all commercial cloud services in this tenant - regardless of whether the user account used has a role in Partner Center or not.

So e.g. using a CA rule to not trigger MFA on a compliant device will not be compliant with the requirements in the CSP Partner agreement - so the question is whether it really matters if it still might work in some scenarios.

Visitor 1

Re: Partner Center / CSP with Conditional Access

If we enable MFA with Conditional Access (e.g. MFA is asked for only if you are using a non-trusted device), will this configuration be compliant with these new requirements?

Is there a test portal/URL where we can test our current MFA configuration with Conditional Access, just to check if our current setup will meet the future requirements of the CSP portal?

 

Best regards

Alessandro

Level 3 Contributor

Re: Partner Center / CSP with Conditional Access

@idwilliams

Still a little confused at how the below policy is going to meet the CSP requirement of "Enforce MFA"?

End user protection: End user protection is a risk-based MFA baseline policy that protects all users in a directory. Enabling this policy requires all users to register for MFA using the Authenticator App. Users can ignore the MFA registration prompt for 14 days, after which they will be blocked from signing in until they register for MFA. Once registered for MFA, users will be prompted for MFA only during risky sign-in attempts. Compromised user accounts are blocked until their password is reset and risk events have been dismissed.

If my sign-in is not "At Risk", I'm not going to have MFA enforced, so how is CSP going to validate this? If you're looking at the submitted claim for MFA, this won't always have it if the sign-in is not "At Risk".

The Azure Admin roles baseline I get, but again if I'm not in an Azure Admin role, and my sign-in isn't at risk when logging into CSP, I technically won't have MFA enforced.

Visitor 2

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer wrote:

Basically the recommendation would be to have one AzureAD tenant only for CSP business where all users have MFA, and a separate tenant for all other use, like internal production. From a local AD you can deploy the sync tool (Azure AD Connect) two times on separate machines and use filtering to decide which user accounts are synced to which AzureAD tenant; of course you can only use a custom domain in one AzureAD tenant at the same time. The recommendation is not only because of the announced MFA security requirements, but generally a best practice for strict separation of permissions (e.g. the Global Admin of your own production environment should not get access to end customer environments).

We currently use 1 tenant for internal production and CSP. Is there a way to switch the CSP part to a new tenant?

Level 2 Contributor

Re: Partner Center / CSP with Conditional Access

Just like @khuizer, we are also looking for an answer to this.

That would make everything a lot easier. I can't find anywhere that Microsoft ever said that having one tenant for production and one for CSP is best practice.

Microsoft

Re: Partner Center / CSP with Conditional Access

@cstelzer: Stay tuned for updates on this in the coming weeks.

You are correct that - currently - MFA will not be enforced for every sign-in using the end user baseline policy.

Microsoft

Re: Partner Center / CSP with Conditional Access

@Bellax

An exception to not require MFA for trusted devices will not be compliant as per the requirements documented in the program guide.

Currently there is no way to test whether the current implementation will technically be compliant. If you use custom Conditional Access policies to enforce MFA for every user and every service you will in effect use the same methods as the baseline policies, so I see no reason why it wouldn't be compliant. We will try to share details on what is required on the technical side of things once this information is ready; right now the focus should be on fulfilling the contractual requirements as stated in the program guide.
Currently there is no way to test if the current implementation will technically be compliant - if you use custom conditional access policies to enforce MFA for every user and every service you will in effect use the same methods as with the baseline policies - so I see no reason why it won't be compliant. We will try to share details on what is required on the technical side of things once this information is ready, right now the focus should be to fulfill the contractual requirements as stated in program guide.