
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 1 Contributor

Re: Partner Center / CSP with Conditional Access

Hi, @JanoschUlmer , thanks for the tip! I have managed to find the report in PC.

I noticed that compliance of "Through Partner Center portal" is listed at 78% whereas I am certain that all our Partner Center users have MFA enforced. Can it be that technical failures / glitches when authenticating to Partner Center (for instance the Authenticator App crashes when you press the push notification, forcing you to request a subsequent code text message upon which authentication finally does succeed, a frequent occurrence for our users) will count towards non-compliance?

Microsoft

Re: Partner Center / CSP with Conditional Access

I do not expect unsuccessful attempts to enter the 2nd factor to change the report - but the report will incorporate data from the last 7 days, so it depends on when all users were enabled for MFA.

You can use the Azure AD sign-in logs to check which users did not go through MFA (at least one AAD Premium P1 license is required in the tenant to see these logs).

Level 1 Contributor

Re: Partner Center / CSP with Conditional Access

Hi, @JanoschUlmer, actually I am looking at the sign-in report and was wondering if Status codes like Interrupted and Failure would count towards non-compliance (see report snippet below).

Also, the diagnostic scope of the Compliance Status Report appears to be limited to the actual use of the Partner Center portal and CSP APIs, whereas my impression was that compliance is dependent on MFA enforcement for all tenant users, even the ones that do not actually use Partner Center?

Status | Sign-in error code | Failure reason | Client app | Device ID | Browser | Operating System | Compliant | Managed | Join Type | MFA result | MFA auth method | MFA auth detail | Conditional access
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Success | | | Browser | | Edge 79.0.287 | Windows 10 | | | | MFA requirement satisfied by claim in the token | | |
Success | | | Browser | b9cc9b3f-184d-49d4-9c7e-037025f52a1e | Edge 18.1776 | Windows 10 | | | Azure AD registered | MFA requirement satisfied by claim in the token | | |
Success | | | Browser | | Edge 79.0.287 | Windows 10 | | | | MFA requirement satisfied by claim in the token | | |
Interrupted | 50140 | This error occurred due to 'Keep me signed in' interrupt when the user was signing-in. | Browser | | Edge 79.0.287 | Windows 10 | | | | MFA completed in Azure AD | Text message | +XX XXXXXXXX51 |
Success | | | Browser | | Edge 79.0.287 | Windows 10 | | | | MFA requirement satisfied by claim in the token | | |
Success | | | Browser | | Chrome 77.0.3865 | Windows 10 | | | | MFA requirement satisfied by claim in the token | | |
Success | | | Browser | | Chrome 77.0.3865 | Windows 10 | | | | MFA requirement satisfied by claim in the token | | |
Success | | | Browser | a092e74e-bc02-4273-a217-3ecd23eeff29 | Edge 18.1836 | Windows 10 | TRUE | TRUE | Azure AD registered | MFA requirement satisfied by claim in the token | | |
Success | | | Browser | | Chrome 77.0.3865 | Windows 8.1 | | | | MFA requirement satisfied by claim in the token | | |
Failure | 50089 | Flow token expired - Authentication Failed. Have user try signing-in again with username - password. | Browser | | Edge 79.0.287 | Windows 10 | | | | | | | Not Applied
Success | | | Browser | | Chrome 77.0.3865 | Windows 8.1 | | | | MFA requirement satisfied by claim in the token | | |
Success | | | Browser | b446fddb-039f-4c9e-a8a5-f4870ed41c5a | Edge 17.1713 | Windows 10 | | | Azure AD registered | MFA requirement satisfied by claim in the token | | |

Level 3 Contributor

Re: Partner Center / CSP with Conditional Access

@JanoschUlmer can we not retrieve a copy of the data behind the MFA Compliance report in Partner Center?


Multi-factor authentication ("MFA") compliance
Percentage of requests to Partner Center with MFA
  • Through Partner Center portal:   x%
  • Through API or SDK:                    x%


We keep being told to "Look at AAD Sign-in logs", which as we all know is full of noise and incredibly difficult to correlate compliance from.


Seems to me Microsoft should just provide us with the data behind the ACTUAL report that's determining whether or not we're compliant, so we could better understand the issues. I for one have a single CA rule: All Users, All Apps, Require MFA, that's it, and I still see wild swings in compliance data for "Through Partner Center Portal" for some reason (100% to 85% back to 97%).


Also, I don't believe any of the API/SDK data is even available in the Azure AD Sign-ins report to validate. Where is that data surfaced from, so we can review it?


Also, any word on updates to the End User Baseline Rules? Here many of us are ACTUALLY enforcing MFA for all authentications (with our own CA Rules) and are fighting with accurate "Compliance", meanwhile many others are using the Baseline rules and ONLY enforcing MFA during At Risk and are sitting happily being "Compliant" simply for having the rules turned on.

Microsoft

Re: Partner Center / CSP with Conditional Access

@cstelzer & @MarcelDomingus : I'm currently checking for more information on that, this might take some time. Afaik failed access does not count; raw data for the report is not available; I do not have a timeline reg. potential changes in the end user protection policy - so currently I have no answers.

Microsoft

Re: Partner Center / CSP with Conditional Access

For a more detailed report on which user accounts did not use MFA, I was just made aware that a suitable PowerShell script was already published here: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements#assessing-your-environment

This will remove some of the "noise" of the full Azure AD sign-in logs and will make it easier to identify where non-compliant access did happen from users.

For identifying which API access was not compliant - it seems there is really no other way than to look at each refresh token which is used, decode it and check for the claims. The issue is that it might happen that the secure app model was used, but if the user then was not doing MFA, the refresh tokens will not incorporate the MFA claim.


Still waiting for answers on the other questions.
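The claim check described in the reply above, as an added example that is not code from the original thread or from Microsoft. Azure AD lists the authentication methods used in the `amr` claim of a JWT access token, and an `mfa` entry means the user completed multi-factor authentication; the refresh token itself is opaque, so the token to inspect is the access token your app obtains with it. The tokens here are constructed and unsigned so the script runs offline; the `aud` and `upn` values are made up. The script only reads claims, it does not validate signatures, which is enough for auditing tokens your own app already received.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments drop before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (header.payload.) for demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def mfa_satisfied(claims: dict) -> bool:
    """True when the 'amr' claim records that MFA was performed."""
    return "mfa" in claims.get("amr", [])


def audit_tokens(tokens: dict) -> dict:
    """Map label -> token into label -> whether the MFA claim is present."""
    return {label: mfa_satisfied(decode_claims(tok)) for label, tok in tokens.items()}


# Constructed samples: one token from a consent flow done with MFA, one without.
# The audience and UPN are placeholder values, not real tenant data.
SAMPLE_TOKENS = {
    "consent-with-mfa": make_unsigned_token({
        "aud": "https://api.partnercenter.microsoft.com",
        "upn": "admin@example.onmicrosoft.com",
        "amr": ["pwd", "mfa"],
        "exp": 1700000000,
    }),
    "consent-without-mfa": make_unsigned_token({
        "aud": "https://api.partnercenter.microsoft.com",
        "upn": "admin@example.onmicrosoft.com",
        "amr": ["pwd"],
        "exp": 1700000000,
    }),
}

if __name__ == "__main__":
    for label, ok in audit_tokens(SAMPLE_TOKENS).items():
        verdict = "MFA claim present" if ok else "NO MFA claim - redo consent with MFA"
        print(f"{label}: {verdict}")
```

A token without `mfa` in `amr` is exactly the secure-app-model case the reply describes: the app registration looks correct, but every API call made with that refresh token counts as non-MFA access until consent is repeated by a user who completes MFA.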

Level 1 Contributor

Re: Partner Center / CSP with Conditional Access

If the 'Require MFA for admins' Conditional Access Policy is enabled, and if the admin's device is Hybrid AD Joined, then since the device has a PRT it won't prompt for MFA. Can we enforce MFA only for admin users even if they are Hybrid AD Joined?

Microsoft

Re: Partner Center / CSP with Conditional Access

@hari_kumar : No, you cannot force an admin to go through MFA again if the device already fulfills the MFA requirements by the claim in the token. You can configure Windows Hello with multi-factor unlock though, to force the user to enter an additional method when logging in to Windows. Another solution would be to force the user to use a browser that does not support this scenario - e.g. Firefox, Opera, Safari - but this does not make a lot of sense imo.


The question is why?

Microsoft

Re: Partner Center / CSP with Conditional Access

@cstelzer & @MarcelDomingus

Sorry for not replying for a long time.

Some updates - the PowerShell script to assess if logins happened via MFA was replaced by a new feature in an updated PowerShell module: https://docs.microsoft.com/en-us/powershell/module/partnercenter/get-partnerusersigninactivity?view=partnercenterps-2.0

Documentation was also updated on this.


The Compliance report in Partner Center, as far as I was able to confirm:

 - Does not count failed MFA as not-compliant access

 - Only counts access to Partner Center (while it is still true that MFA needs to be enabled for all users & all services in the tenant - so the Compliance report might show 100% while there is still non-compliant access happening to other services).

 - Documentation was updated explaining some more scenarios where the compliance report does not show the real compliance - e.g. when using Custom Controls in conditional access it cannot be detected: https://docs.microsoft.com/en-us/partner-center/partner-security-compliance

 - It is not possible to get the raw data from the report.

Access to the API will not be visible in the sign-in reports; the only potential option to identify why API access is not showing 100% is to analyze each token to check if it incorporates the MFA claim. I have seen multiple cases where Partners have implemented the Secure App model, but compliance was not 100% because they forgot to enable MFA when doing the app registration and getting the authorization token - and thus the app is seemingly registered correctly, but without the MFA claim.


The end user baseline policy will indeed be updated to enforce MFA for all users in a CSP tenant - until this will be done this is another driver why the report will not show 100%, when in fact you are compliant because you enabled this policy. (Sorry, would appreciate a more logical explanation myself, but it is how it is). 

While there is no ETA for this change of behaviour yet, it was already announced that baseline policies will soon change into this: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-security-defaults
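The counting rules stated in this reply (failed and interrupted sign-ins are not counted, and only Partner Center access is in scope), turned into a triage over an Azure AD sign-in export. This is an added example, not code from the thread, from the Partner Center PowerShell module or from Microsoft; the column names follow the sign-in export quoted earlier in the thread, while the User column, the user names and every row value are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sign-in export. Column names mirror the Azure AD sign-in export
# quoted earlier in the thread; the rows and the User column are made up.
SAMPLE_EXPORT = """\
User,Status,Sign-in error code,Failure reason,Client app,Browser,Operating System,MFA result,MFA auth method,Conditional access
alice@example.onmicrosoft.com,Success,,,Browser,Edge 79.0.287,Windows 10,MFA requirement satisfied by claim in the token,,Success
alice@example.onmicrosoft.com,Interrupted,50140,This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.,Browser,Edge 79.0.287,Windows 10,MFA completed in Azure AD,Text message,Success
bob@example.onmicrosoft.com,Failure,50089,Flow token expired - Authentication Failed.,Browser,Edge 79.0.287,Windows 10,,,Not Applied
bob@example.onmicrosoft.com,Success,,,Browser,Chrome 77.0.3865,Windows 8.1,,,Not Applied
carol@example.onmicrosoft.com,Success,,,Mobile Apps and Desktop clients,,Windows 10,MFA requirement satisfied by claim in the token,,Success
"""

# MFA result strings that show Azure AD saw a satisfied MFA requirement.
MFA_OK = {
    "MFA requirement satisfied by claim in the token",
    "MFA completed in Azure AD",
}


def classify(row: dict) -> str:
    """Return 'excluded', 'compliant' or 'non-compliant' for one export row.

    Following the reply: failed and interrupted sign-ins are not counted at all,
    and a successful sign-in is compliant only if an MFA result was recorded.
    """
    if row["Status"] != "Success":
        return "excluded"
    return "compliant" if row["MFA result"] in MFA_OK else "non-compliant"


def summarize(export_csv: str) -> dict:
    """Per-user counts of compliant and non-compliant successful sign-ins."""
    summary = defaultdict(lambda: {"compliant": 0, "non-compliant": 0})
    for row in csv.DictReader(io.StringIO(export_csv)):
        verdict = classify(row)
        if verdict != "excluded":
            summary[row["User"]][verdict] += 1
    return dict(summary)


def noncompliant_users(export_csv: str) -> list:
    """Users with at least one successful sign-in that carried no MFA result."""
    return sorted(u for u, c in summarize(export_csv).items() if c["non-compliant"] > 0)


def compliance_percent(export_csv: str) -> float:
    """Share of counted (successful) sign-ins that carried an MFA result."""
    compliant = noncompliant = 0
    for counts in summarize(export_csv).values():
        compliant += counts["compliant"]
        noncompliant += counts["non-compliant"]
    counted = compliant + noncompliant
    return 100.0 * compliant / counted if counted else 100.0


if __name__ == "__main__":
    for user, counts in summarize(SAMPLE_EXPORT).items():
        print(f"{user}: {counts}")
    print("users to follow up:", noncompliant_users(SAMPLE_EXPORT))
    print(f"portal compliance: {compliance_percent(SAMPLE_EXPORT):.1f}%")
```

Before running this on a real export, filter the rows to the Partner Center application first; the reply makes clear that the report only scores Partner Center access, so sign-ins to other services would distort the percentage even though MFA must be enforced for them as well.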

Visitor 1

Re: Partner Center / CSP with Conditional Access

Hello everyone,

I would like to ask whether anyone here has implemented MFA for MPN. Please provide steps to implement the same.

I have gone through your discussion threads... but could not find as much information as expected.

I have searched a couple of documents on docs.microsoft.com ... the initial part is fine, like enabling Require MFA for admins and End-user protection, which is available in Conditional access policy; after enabling and choosing OK it gets saved.

I need to know further steps involved in it. I would request someone please do reply to this request.

Microsoft

Re: Partner Center / CSP with Conditional Access

The documentation is all summarized here:

https://docs.microsoft.com/en-us/partner-center/partner-security-requirements

Additional info: Baseline policies will become AAD security defaults soon - functionality does not change though: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-security-defaults


Checking compliance:

https://docs.microsoft.com/en-us/partner-center/partner-security-compliance


FAQs:

https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq

What other specific questions do you have on this? What is not answered in the documentation? Generally, after enabling the baseline policies it is only a matter of regularly monitoring the compliance status and educating users on how to do the MFA registration.