Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Microsoft

Re: Partner Center / CSP with Conditional Access

@khuizer @sdicecca :

If you want to split tenants, I would rather suggest considering a move of the production workload to a new tenant.

There was, until now and to my knowledge, no clear recommendation to have separate tenants. Only from an overall security perspective was it always true that it is a best practice to have strict separation of permissions. So I needed to split tenants if I wanted to avoid giving the global admin that is only managing my internal production environment permissions to also manage all of my customers - this is one of the examples why partners I have talked to wanted to have a separate tenant for CSP.

Moving the CSP part to a new tenant would require registering again as CSP, establishing the reseller relationship again with each end customer - and exchanging all licenses (cancel/suspend from the current CSP tenant, provision new ones from the new tenant). I would only do this if the number of customers is very low.

Also, I'm not sure that moving CSP to a new tenant will even resolve the technical issues with MFA enforcement - because the old tenant will still be flagged internally as a CSP tenant (this flag can currently not be removed). I have asked internally for clarification on this aspect; it depends a lot on how exactly the technical enforcement will work at a later date.

Level 3 Contributor

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer your comment around "An exception to not require MFA for trusted devices will not be compliant as per the requirements documented in program guide.".

 

How is a "Trusted Device" considered an "Exception"? During business hours Microsoft explained "What is MFA"

 

Require two or more authentication methods

 Something you know (Password)

 Something you have (Device)

 Something you are (Biometrics)

 

Seems to me that, based on your very definition of MFA, things like Windows Hello for Business (Device/Biometric) or Hybrid-Azure AD Joined (Device/Password) should meet the requirements.

When you technically look to validate / enforce these, I assume that the Azure AD Team is going to look at the "MFA Result" field in the Authentication Logs, and I can indeed tell you that using Windows Hello for Business / Azure AD Join, or even "Passwordless Sign On" (Device/Biometrics) from my mobile device does indeed report in the Azure AD sign-in logs under "MFA Info" as "MFA requirement satisfied by claim in the token".

Seems to me like adding an additional layer of my phone, on top of my already present MFA (Device / Biometrics), is going WAY overboard in satisfying the requirements. I think there's a disconnect between what you're asking for and how you're going to technically validate this. In reality I would have hoped that the technical validation piece would have been thought through FIRST with the Azure AD Team, so you can make customers aware of the different ways to accomplish the objectives.

Microsoft

Re: Partner Center / CSP with Conditional Access

You are correct that by definition a device can be one option for a 2nd factor.

I was referring to making a general exception in the conditional access rule - e.g. requiring a device to be compliant/managed or within a certain network boundary and then not enforcing MFA for those devices.

This is what is not allowed.

You are also correct that Windows 10 hybrid joined/AAD joined devices with a TPM and/or devices using Windows Hello already contain the MFA claim, and so the user might not see the MFA prompt for a 2nd factor when he uses such a device. However, here the CA rule still says "require MFA"; only the user experience will be as if no MFA was enforced.

As an example - consider you do not enforce MFA for hybrid joined devices in your own CA rule. Hybrid joined devices with a TPM might still have the MFA claim, and technically this would work and fulfill the requirements - but CA does not check if the device has a TPM and thus an MFA claim in the token. So this rule would not block devices that have no MFA claim from accessing/authenticating - e.g. devices without a working TPM. So enforcing MFA for all is the correct option - on those devices that have a TPM you will still not experience a prompt for a 2nd (3rd) factor (if you use Edge or Chrome with the add-in).

Visitor 1

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer :
We would like to adopt the Secure Application Model for all automation scenarios. However, Microsoft Dynamics 365 Business Central only supports username/password authentication. Furthermore, the on-premises Microsoft Dynamics CRM email router does not support anything other than username/password authentication to retrieve email from Exchange Online. How are we supposed to keep using these Microsoft products?

Influencer

Conditional Access - in compliance or not?

Hi All (and @idwilliams) - can I get some clarity on Conditional Access? I've seen references in the forums that it is supported and that it is not. I know IP whitelisting is not in compliance (which makes sense) and that MFA must be enabled on all users in the tenant. But what about conditional access? Specifically, if the device is Hybrid Azure AD joined? Would that be in compliance or not?

Microsoft

Re: Conditional Access - in compliance or not?

Hi @sreedwilson

 

We have recently updated our documentation; you can find an answer to this question here. Also, I would like to add the answer here for quick reference.

Yes, you can use conditional access to enforce MFA for each user, including service accounts, in your partner tenant. However, given the highly privileged nature of being a partner, we need to ensure that each user has an MFA challenge for every single authentication. This means you will not be able to leverage a feature of conditional access that circumvents the requirement for MFA.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
Influencer

Re: Conditional Access - in compliance or not?

Thank you.  While I am 100% in agreement with the need to make sure that partners are taking appropriate steps to secure tenants, I also hope that over time the Partner Center user model will be engineered to support more granular security controls and this could, perhaps, be revisited.

 

Specifically, users in our tenant who don't have access to customer data, guest accounts, and similar should be allowed to bypass MFA using CA.

 

Level 2 Contributor

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer It has been more than 2 weeks since we have implemented this, and so far what has been described as what these policies affect is not quite true. I can still log in to Azure and Azure AD with user credentials if I use the PowerShell modules Az and AzureAD. Nothing forces me to enable MFA. It seems this somehow affects logins through portals like the Azure Portal. And even there the enforcement is not so strict, as it gives you a message to skip for 14 days. I haven't tried clicking on that button to see if after 14 days it will for sure force me to set up MFA, but definitely it is unknown how exactly these policies work. Is there actually anyone inside Microsoft who knows exactly how the policies work and what the scope of the effect is?

Additionally I have checked with another AAD, and that AAD has the same policies, but there there is an exception configuration for user accounts. It seems that the default policies were intentionally modified for CSP partner tenants to remove those exclusions. This is nowhere documented. It might sound like I am going on a rant, but it is important to understand that this was executed by Microsoft without any preparation or thought for partners.

Microsoft

Re: Partner Center / CSP with Conditional Access

@stan

The end user protection baseline policy will currently enforce MFA only after 14 days - and also currently only when a specific risk was detected (see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-baseline-protect-end-users). Specifically for the CSP scenario, expect that the baseline policy will evolve and that for logins from users in a CSP tenant MFA will always be triggered.

So this is why you currently will not see immediate effects when you enable the end user baseline policy.

The option to set an exception was removed at the end of June. Existing tenants that already worked with the baseline policies might still see the option to exclude users; newer ones do not. This was a general change, not specific to CSP tenants.

 

Level 2 Contributor

Re: Partner Center / CSP with Conditional Access

All that information was not available when I asked about it the first time. In fact I got different information which was not true and thus put me in the wrong direction. Even the policy description does not answer all questions. About the exception options: I have checked those on a tenant that hasn't enabled those policies, so I am not sure how that existing tenant that didn't use them still had the option. If at least the documentation were correct and said: hey, we are updating those policies to remove the exclusion, so for some of you they might not be present. My main point again is that this was very badly executed by Microsoft, and unfortunately it is not the only bad decision for partners lately.

Level 5 Contributor

Re: Conditional Access - in compliance or not?

I agree with @sreedwilson.  These policies should be enforced for users with access to CSP features, rather than everyone in the tenant.  We're still very concerned about impacts to the Sales process by requiring MFA for guest accounts.  I think very important features would be to have granular control of which CSP customers an end user has access to and being able to limit the access to just what they need.  Requiring full admin access to create support cases is overreaching.

 

Also, I would think Hybrid Azure AD joined would meet MFA requirements.  It's both something you know (Username and Password), and something you have (a trusted computer).

Influencer

Re: Conditional Access - in compliance or not?

Previously it was posted that the TPM may meet the requirements. We haven't had a chance to test yet as we've been focused on updating code and scripts. I'm hopeful that will meet the requirements.

If you test it please let us know. I will do the same.

Level 1 Contributor

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer Having two (or more) tenants may make sense for this requirement, but from a practical level how would you do this since we did not build it this way from the start? All current connections to Microsoft (MPN status, partner of record, sales and more) are with our current tenant. To separate out our CSP business from this would be quite a task. We are a small partner organization and not a direct CSP (I think the term is indirect reseller or something).
So how do we do this? Separating out all CSP administrators is quite simple, as you stated, but the rest? What will happen to Internal Use licenses? Our MPN membership status? Competencies? How is all this connected? Is there any guidance published?

 

/Mats

Microsoft

Re: Conditional Access - in compliance or not?

@sreedwilson : See here for details on how devices with a TPM might already have the MFA claim: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim

To be clear - it is not sufficient to just have Windows 10 devices with a TPM and the above mentioned configuration; MFA still has to be enabled for the user. The only benefit is that the user will not see an MFA prompt when using this device - and if he uses Edge or Chrome (with the MS account add-in).

You can see in the Azure AD sign-in logs if access attempts from such machines are exempted from MFA because they already contain the correct PRT.
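The sign-in log check described just above (and the earlier point in this thread that a CA rule which skips MFA for hybrid-joined devices also lets devices without an MFA claim through), as an added example that is not part of the thread and not Microsoft's code: a Python triage of sign-in records that separates "MFA required and satisfied by the claim in the token" from "MFA required and completed some other way" and from the non-compliant case "a single factor was accepted". The records follow the shape of the Microsoft Graph `signIn` resource (`GET /auditLogs/signIns`: `authenticationRequirement`, `conditionalAccessStatus`, `authenticationDetails`, `status.errorCode`); the five sample records are constructed for illustration, and the bucket names are my own.

```python
"""Triage Azure AD sign-in records against the "MFA on every sign-in" rule.

Added example; not code from the thread. Records follow the shape of the
Microsoft Graph signIn resource (GET /auditLogs/signIns). The five records
below are constructed for illustration, not real log data.
"""
from collections import defaultdict

# Marker Azure AD puts in authenticationStepResultDetail when the MFA
# requirement was met by the claim already present in the PRT/token.
CLAIM_IN_TOKEN = "claim in the token"

# Constructed sample: a subset of signIn properties per record.
SAMPLE_SIGNINS = [
    {   # Hybrid-joined Windows 10 + TPM: PRT carries the MFA claim, no prompt
        "userPrincipalName": "alice@partner.example",
        "status": {"errorCode": 0},
        "authenticationRequirement": "multiFactorAuthentication",
        "conditionalAccessStatus": "success",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"},
            {"authenticationMethod": "Previously satisfied", "succeeded": True,
             "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token"},
        ],
    },
    {   # Unmanaged browser: interactive second factor via the Authenticator app
        "userPrincipalName": "bob@partner.example",
        "status": {"errorCode": 0},
        "authenticationRequirement": "multiFactorAuthentication",
        "conditionalAccessStatus": "success",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"},
            {"authenticationMethod": "Mobile app notification", "succeeded": True,
             "authenticationStepResultDetail": "MFA completed in Azure AD"},
        ],
    },
    {   # CA policy granted access on "compliant device" without requiring MFA
        "userPrincipalName": "carol@partner.example",
        "status": {"errorCode": 0},
        "authenticationRequirement": "singleFactorAuthentication",
        "conditionalAccessStatus": "success",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"},
        ],
    },
    {   # Blocked: MFA was required and the user did not complete it
        "userPrincipalName": "dave@partner.example",
        "status": {"errorCode": 50076},
        "authenticationRequirement": "multiFactorAuthentication",
        "conditionalAccessStatus": "failure",
        "authenticationDetails": [],
    },
    {   # Service account on username/password, no CA policy matched
        "userPrincipalName": "svc-automation@partner.example",
        "status": {"errorCode": 0},
        "authenticationRequirement": "singleFactorAuthentication",
        "conditionalAccessStatus": "notApplied",
        "authenticationDetails": [
            {"authenticationMethod": "Password", "succeeded": True,
             "authenticationStepResultDetail": "Correct password"},
        ],
    },
]


def classify(rec):
    """Bucket one sign-in record.

    failed             - sign-in did not succeed; nothing to assess
    no_mfa_required    - a single factor was accepted (CA exclusion, device or
                         location grant, or no policy): the non-compliant case
    mfa_by_token_claim - MFA required and satisfied by the claim in the PRT
    mfa_completed      - MFA required and met some other way (prompt, session)
    """
    if rec.get("status", {}).get("errorCode", 0) != 0:
        return "failed"
    if rec.get("authenticationRequirement") != "multiFactorAuthentication":
        return "no_mfa_required"
    for step in rec.get("authenticationDetails", []):
        if step.get("succeeded") and CLAIM_IN_TOKEN in step.get("authenticationStepResultDetail", ""):
            return "mfa_by_token_claim"
    return "mfa_completed"


def summarize(records):
    """Map each bucket name to the set of UPNs that landed in it."""
    buckets = defaultdict(set)
    for rec in records:
        buckets[classify(rec)].add(rec["userPrincipalName"])
    return dict(buckets)


def non_compliant_users(records):
    """UPNs that got in with a single factor; these break the partner requirement."""
    return summarize(records).get("no_mfa_required", set())


if __name__ == "__main__":
    for bucket, users in sorted(summarize(SAMPLE_SIGNINS).items()):
        print(f"{bucket:<20} {', '.join(sorted(users))}")
```

To run it against real data, download the sign-in log as JSON from the Azure AD portal or page through `GET https://graph.microsoft.com/v1.0/auditLogs/signIns` (requires `AuditLog.Read.All`), and pass the `value` array to `non_compliant_users`. Note that `alice` is correctly counted as compliant even though she never saw a prompt: the policy still required MFA and the token claim satisfied it, which is exactly the distinction Janosch draws between "require MFA for everyone" and "exclude hybrid-joined devices".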

Microsoft

Re: Partner Center / CSP with Conditional Access

@matgus My general recommendation would be to move the internal production use to a separate tenant, not move the CSP business. "Recommendation" is maybe the wrong word - since both options are not easy.

When you move the CSP business to a new tenant, this requires establishing the reseller relationship again with every customer, and I expect issues with incentives/consumption reporting etc. As an indirect reseller at least you would not have to face the issue of provisioning the same licenses again to all customers (they stay linked to the indirect provider).

When you move the production business to a new tenant, the issue is that migrating data between tenants requires 3rd party solutions (and the exact process depends on many factors - e.g. if you have local AD connected, what kind of services you use...) - the benefit is however that the impact on customers and any MPN processes is zero. Also you then have the option to obtain licenses via the CSP channel for production (which is blocked when a tenant is tagged as a CSP tenant - this tag can not be removed currently).

Reg. MPN - actually you have to differentiate between MPN in Partner Center and CSP in Partner Center - these do not have to be on the same tenant/same Partner Center access.

E.g. you can migrate production to a new tenant - and leave MPN management where it is - so a single Partner Center account is still used for both CSP and MPN management.

Moving the MPN management to a different tenant needs to be done by logging a support request in Partner Center support (and does take several weeks).

Unfortunately internal use licenses can not be moved to a new tenant. They can be activated in a different tenant, but if they are already activated, they need to stay where they are.

Competencies rely on employee certifications & reported revenue/consumption - so if MPN is kept where it currently is there is no impact. If you move MPN to a different tenant, users need to link their MS Learn accounts again.

However, it would be a better experience for employees if MPN management is done in the tenant they use for production - because then they do not need additional credentials to update their certification status. So the best design - for me - is TenantA (existing): used only for CSP / TenantB (new): production & management.

Afaik there is no guidance available that explains all of these aspects end-to-end - I would also appreciate it if something like this existed. Unfortunately in my current role I do not have the resources or freedom to invest the required time to create such guidance (yet ;)).

Visitor 1

Re: Partner Center / CSP with Conditional Access

Hello

We have enabled MFA for users. Everything was working fine before that, but after enabling MFA the Partner Center API does not work and gives me this error:

'Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access'

Then I read and went through this link https://docs.microsoft.com/en-us/partner-center/develop/enable-secure-app-model and right now I am having an issue with step 2 of the 'Secure Application Model framework', which is

'Get authorization code'

I cannot get the authorization code as it is in the link 1.jpg

Instead I get this error after following all the steps in the above link

2.jpg

Microsoft

Re: Partner Center / CSP with Conditional Access

@rhussain : "localhost" is just an example in this script. You need to use the URL where your web app endpoint is available. If it is deployed on your local machine you might have to check the firewall configuration.
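Step 2 of the Secure Application Model guide ("Get authorization code") and the redirect-URI point in the reply above, as an added example that is not from the thread and not Microsoft's documentation script (which is PowerShell): a Python version of the same exchange. It builds the authorize URL the partner admin opens in a browser (where the MFA challenge happens), listens once on the host and port named in the redirect URI, validates the returned `state`, and prepares the token request that redeems the code. The tenant, client ID and redirect URI are placeholders, the scope string is my assumption about the delegated permission the partner app needs, and the listener only works if the redirect URI is registered on the app exactly as used here and is reachable from the browser that completes the sign-in (hence the firewall remark when it is not `localhost`).

```python
"""Secure Application Model, step "Get authorization code", in Python.

Added example; not the documentation's PowerShell script. TENANT, CLIENT_ID
and REDIRECT_URI below are placeholders, and the scope string is an
assumption about the delegated permission the partner app needs.
"""
import secrets
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTHORITY = "https://login.microsoftonline.com"
# Assumed scope: Partner Center API delegated access plus offline_access so the
# token endpoint also returns the refresh token the model is built around.
SCOPE = "https://api.partnercenter.microsoft.com/user_impersonation offline_access"


def build_authorize_url(tenant, client_id, redirect_uri, state, scope=SCOPE):
    """URL the partner admin opens in a browser to consent and sign in with MFA."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must match the app registration exactly
        "response_mode": "query",
        "scope": scope,
        "state": state,                 # bound to this run; checked on return
        "prompt": "select_account",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urllib.parse.urlencode(params)}"


def extract_code(redirect_target, expected_state):
    """Pull the code out of the URL (or request path) the browser was sent to."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_target).query)
    if "error" in query:
        raise RuntimeError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: redirect does not belong to this request")
    code = query.get("code", [None])[0]
    if not code:
        raise RuntimeError("redirect carried no authorization code")
    return code


def build_token_request(tenant, client_id, client_secret, redirect_uri, code, scope=SCOPE):
    """(url, form) for the next step: redeem the code for access + refresh tokens."""
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,   # same value as in the authorize request
        "code": code,
        "scope": scope,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", form


def wait_for_code(redirect_uri, expected_state):
    """Serve one request on the host:port of redirect_uri and return the code."""
    parts = urllib.parse.urlparse(redirect_uri)
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = extract_code(self.path, expected_state)
                body = b"Authorization code received. You can close this window."
            except RuntimeError as exc:
                result["error"] = str(exc)
                body = str(exc).encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the code out of the console log
            pass

    # Bind only where the redirect URI says; the browser must be able to reach it.
    with HTTPServer((parts.hostname, parts.port or 80), Handler) as server:
        server.handle_request()
    if "error" in result:
        raise RuntimeError(result["error"])
    return result["code"]


if __name__ == "__main__":
    TENANT = "partner.onmicrosoft.com"                  # placeholder
    CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app (client) ID
    REDIRECT_URI = "http://localhost:8000/callback"     # placeholder, as registered
    state = secrets.token_urlsafe(16)
    print("Open this URL in a browser:\n", build_authorize_url(TENANT, CLIENT_ID, REDIRECT_URI, state))
    code = wait_for_code(REDIRECT_URI, state)
    url, form = build_token_request(TENANT, CLIENT_ID, "<client secret>", REDIRECT_URI, code)
    print(f"Now POST the {form['grant_type']} form to {url} to obtain the refresh token.")
```

The `state` check is what ties the code that comes back to the run that asked for it; a redirect without the expected value is rejected rather than redeemed. The refresh token returned by the token request is the long-lived secret the model revolves around, so it belongs in a secret store and not in the script or its output.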

Level 3 Contributor

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer

So, was there ever an update / change to the End User Baseline Policy to ALWAYS enforce MFA as opposed to "At Risk"? I'm being told I'm not in compliance now, based on only MFA "At Risk". Was a change to the baseline rule made? We are not utilizing the Baseline, rather MFA Registration / Identity Protection policies for All Users (MFA Low+ Risk).

Microsoft

Re: Partner Center / CSP with Conditional Access

@cstelzer : No, not yet. When you are using your own risk-based policies, which will also not trigger MFA every time, it is no surprise that you are not deemed to be compliant - since there are probably still users accessing the tenant without doing MFA.

The report - which was probably sent to you by your account team - will afaik currently check if either authentication was done with MFA or if baseline policies were enabled. The report is also work in progress, so I have seen false negatives. So if you see in e.g. the Azure AD sign-in reports that every user is in fact doing MFA, and the report says otherwise, be sure to give feedback to the account team.

There will also be an improved report available as self-service soon - documentation is already done; because of last minute issues the report will take a few days more to be visible in Partner Center: https://docs.microsoft.com/en-us/partner-center/partner-security-compliance

Level 1 Contributor

Re: Partner Center / CSP with Conditional Access

Question about PIM. We have configured all our users to use PIM when they need to perform any action, yet they have a permanent assignment. In case we switch them to 'Eligible', meaning they will have a 'regular' user for their day-to-day work but can be promoted to a power user using PIM, will they be considered as regular users for the purpose of those security requirements, or as admins?

Microsoft

Re: Partner Center / CSP with Conditional Access

If I do understand the question correctly this should not really matter since the security requirements apply to all user accounts in the tenant, not just those which have admin roles. 

Level 1 Contributor

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer wrote:

If I do understand the question correctly this should not really matter since the security requirements apply to all user accounts in the tenant, not just those which have admin roles.

Yeah, but users with admin rights get special conditions:

"...Once MFA registration is complete, administrators will need to perform MFA every time they sign-in."

End users get a different policy:

"...Once registered for MFA, users will be prompted for MFA only during risky sign-in attempts..."

So let's say all my users are 'normal users' (End users), but have the right to elevate to a more powerful role (such as Global admin). How will they be treated by those policies? Is that compliant with the requirement?

 

Microsoft

Re: Partner Center / CSP with Conditional Access

Once those users get an admin role assigned, the baseline policy "Require MFA for admins" would apply automatically to them. 

Note that the end user protection baseline policies apply to both "normal" users and admins - so for admin access the controls of both policies would apply (though the user would not recognize this, he just gets the MFA prompt).

 

If those two baseline policies are enabled it will be compliant. 

 

Level 1 Contributor

Re: Partner Center / CSP with Conditional Access

Hi, @JanoschUlmer, has the self-service MFA report already been made available in Partner Center, as I am still not able to find it there? If not, what is its ETA?

 

TIA,

 

Marcel Domingus

Microsoft

Re: Partner Center / CSP with Conditional Access

It is already available, at least in all tenants I have access to. The report is in the settings area - there you should find "Security Compliance" - direct link: https://partner.microsoft.com/en-us/pcv/security/compliance

 

I don't know if the report is also displayed for Partner Center accounts that are not subject to the MFA requirements (e.g. when only MPN management is done in this tenant and not CSP); I guess it is not - if in doubt send me the tenant name (via private message) and I can check for you.