Partner Security Requirements
For the baseline "End user protection" settings, and requirement to enable MFA for all users including service accounts. Does this include accounts that are are set to No for the "Make this user an admin for partner companies" Role settings?
During a recent Partner Office Hours for Security Requirements call someone mentioned that the option to not require MFA for certain location would not work. Also, the option to remember you for 60-90 would not work. Please elaborate on what areas will require re-auth and which ones will not.
A) Users with admin roles will be required to re-authenticate to O365 every time they access any service such as Teams, Outlook, Partner center, community forums, uservoice, etc.
B) Global Admin users will not be propted to re-authenticate with MFA each time they launch teams, or outlook and other low privilaged areas. However, users will be required to re-authenticate when accessing highly privelaged areas including but not limited to the, o365 admin center, partner center, etc (elaborate).
I enabled the "Baseline policy: Require MFA for admins (Preview)" policy in a personal tenant of mine. After doing so, when I use my regular global admin account I can still "remember this device for 60 days" and when I go into https://aka.ms/mfasetup I still have MFA options other than the MS Authenticator app (office phone, cell phone, txt code). I can also create an App Password. The Test Global Admin I created right before implementing the policy (and never had MFA setup) was prompted to setup MFA the first time I logged in after I enabled the policy. That account still has the "remember this device for 60 days" but when I logged in the first time it required me to use the Microsoft Authenticator app for MFA. Now when I go to https://aka.ms/mfasetup using that account, I see that I can setup the other authentication options (office phone, cell phone, txt code). Something that is missing thought is the ability to setup an App Password. THat coudl be a problem as I still run into some things that require App Passwords (like the native mail client on Android phones). I feel like MSFT needs to give us more time and better documentation about what the policy does.
I haven't tested the "Baseline policy: End user protection (Preview)" policy yet. It actually sounds like in some ways it may be less secure than our current default MFA setup without a policy (all users have to pass MFA unless they've remembered their device for 60 days) since it only prompts for MFA for "Risky" sign-ins. We'll see how that testing goes.
I did a little more testing. I found that if I just depend on the Baseline Policy to require MFA, there's no option to enable an App Password or use other MFA methods. But if I go into the Org MFA setup and enable MFA for a user, the App Password option appears when I go to https://aka.ms/mfasetup and so do options for phone or text MFA. I'm happy about that.
Also, if I just depend on the "Baseline policy: End user protection (Preview)" policy there's no option to remember me for 60 days and it didn't prompt if I logged in recently and logged out again. If I explicitely enable MFA for the user, I can remember me for 60 days and I get a prompt for MFA if I log out, clear my cookies, etc.
It seems like the best experience is to enable the policy so MSFT is happy, but also to manually enable MFA at the user level.
The biggest issue for us will be for service accounts or multifunction printers where MFA just won't work.
Microsoft has said that they will be enforcing their requirements outside of the baseline policies. So, we can't expect the experience from enabling basline policies to match the experience we will have when they start enforcing their own hidden requirements which have yet to released. We were told during the community call on the 27th that more information would be coming soon, to this forum I think?
This'll be a big problem for us if the testing we do now may not reflect the experience in a month when they start enforcing their own rules. This makes it very hard to train and set expectations with our admins and users.
Thanks for sharing your experience on MPC over the new security requirements implementation!
Just want to add here the links to various resources you can refer to, in this process.
- Partner security requirements implementation step-by-step guide
- Office hours with technical experts (starting June 27)
- Partner security requirements resources gallery (including FAQs document and other resources)
Review the original announcement here: https://www.microsoftpartnercommunity.com/t5/Announcements/Important-Announcement-Implement-security-requirements/m-p/10991#M7
Hope this helps,
We recently received a communication from our PSE regarding the office hours sessions that will be held over the coming weeks. In that email blast is a bullet stating:
"Effective July 1, 2019, the terms associated with the new partner security requirements will be added to the current Cloud Solution Provider Program Guide, at which point partners will be contractually obligated to follow the new security practices and standards."
This sounds like we will need to have MFA in place on July 1st, just a few days away. However, I can't imagine that is the case. Would someone please provide some more detail on the timeline for the mandatory implementation of MFA?
If you really are making this mandatory in less than a week's time, please provide more details ahead of the office hours that do not start until another 2 days from now.
On July 1st it will be effective in the contract, not technically enforced immediately.
More details will be published shortly in Partner Center.
This should not come as a surprise though - since the first announcement of the Partner Center security requirements last year it was always said MFA should be enabled asap - and it is anyway a much recommended security option for any global admin.
Technical documenation is already published: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements
Get consultations form Technical Presales & Deployment services team via https://aka.ms/technicalservices
Thank you Janosch for the reply. Your prompt replies & subject matter expertise are always much appreciated.
I do want to address your other comment, not combatively, but in a constructive feedback manner for Microsoft...It does not come as a surprise that MFA would be enforced. What is surprising is the tight deadline. For months, we've been told that it's being worked on & Microsoft was looking to a low or no cost solution for partners. For partners that have been forced to create multiple tenants globally, for Microsoft regional sales rules rather than our own needs, with the same users requiring mulitple logins to manage our business as usual, the licensing costs for MFA were not insignificant. We've been waiting for additional details on what that low/no cost solution would be before acquiring the costly licensing we found on our own.
Additionally, the last formal communication I recall was back in January, stating:
Could not agree more. Though I got it all ready for the first deadline as I expected it to be enforced then... still 6 days notice seems a bit crazy...
There has been an updated based to the date. The contracts will be updated on July 1, 2019 and you will find the contractual enforcement for the new partner security requirements is now August 1, 2019. I would to encourage everyone to immediately start working to implement the appropriate changes. Please let us know if you have any concerns or questions. We will be more than glad to help when and where we can.
The inital tight deadline of Fabruary 4th was communicated through the Partner Center for months, this one arrives by mail from our PSE with only 5 weeks until enforcement with a more strict requirement than before.
Additionally, this happens over summer period in Belgium where most of my team takes their much needed vacation time. This means we don't have all the people available to assess the impact and plan for change, nor is everyone available to train and inform.
Don't get me wrong: I love this change, and I understand why it is needed, but timing and communication could not be worse. I started to expect better from you.
Fortunately there is some good news the contractual enforcement for this change is August 1, 2019 and not July 1, 2019. Thank you for sharing this feedback with us. I share your concerns with the appropriate teams.