Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 2 Contributor

Question regarding MFA compliance

Hello Microsoft Support,

  1. What happens on the 1st of August? Can you explain the in-depth process that confirms that a partner tenant is in compliance: is it a job that verifies the default baseline, or does it check ALL users to see if they are MFA enabled?
  2. If the user is MFA enabled and we add the MFA trusted IP of our office, would it be considered compliant?
  3. Will disabled admin accounts (for emergency purposes or rare-use occasions) make us non-compliant if they are not MFA enabled?
  4. What about the Exchange Online PowerShell module (Hybrid EXO module)? Will you fix the Delegated parameter to make MFA work in delegated access? Right now, the only way to manage another Exchange Online tenant from the command line is by providing an admin account with a license, which is time consuming.
  5. Is there a tool or a script that you can provide us to confirm that our tenant will be compliant on the 1st of August?

Thank you for your support!

Level 3 Contributor

Do non-technical users with no roles need to meet MFA requirements in the Partner Portal?

We manage a handful of clients, and I personally access the Partner Portal when adding ourselves as a client's partner of record. My role is Admin agent. We also have non-technical users with no roles and permissions, yet they still show up as users in Partner Center. Do these users need to have MFA enabled in order for us to meet the new requirements?

Level 3 Contributor

Re: Question regarding MFA compliance

Word on the street is August 1st is just the "contractual" deadline; there's no word on a deadline, nor any technical details about how Microsoft is going to enforce this technically.

I have all the same questions without answers.

Many of us are using "Modern Desktops" with Intune and Azure AD Join, with compliance policies to ensure devices are compliant, and only enforce MFA on non-compliant or untrusted devices.

If we can't do location-based exclusions, the assumption would be we can't do device-compliant or hybrid-join exclusions either, which essentially puts the user experience back in the stone age of "Enforced MFA" days.

Always require MFA, at Every Login, No exceptions? Just doesn't sound correct, and I think we'll all have to wait until some more detailed technical requirements are released around how this information is going to be validated.

Level 1 Contributor

Clarification on new CSP MFA security requirements

Hi all,

We are a member of the CSP program reselling through a distributor (Ingram Micro). My colleagues and I interpret the new security requirements as:

  • Only we, the CSP, have to enable MFA on our tenancy, not our customers' tenancies.
  • We can use the baseline policies OR we can enable MFA through Azure manually, but that will mean it will be always-on MFA rather than the intelligent 14-day MFA for users. Both would make it so we comply with the new agreement.
  • The baseline policies only use the Microsoft Authenticator app; there are no other MFA options through this method.

Please let me know if I am interpreting this correctly and that we are heading in the right direction.

Many thanks,

Tim Earl

Level 2 Contributor

Re: Clarification on new CSP MFA security requirements

Hello Tim, from what I understood from the "Ongoing Partner Office Hours for Security Requirements" from the 2nd of July, your interpretation is correct. Though the attending MS consultants advised that further and more detailed documentation will be provided in the upcoming days. Philipp

Level 2 Contributor

Re: Question regarding MFA compliance

From what I understood from the "Ongoing Partner Office Hours for Security Requirements" call from the 2nd of July, they will check every authentication request towards Azure AD for whether it includes an "MFA tag/flag" [they mentioned this in regard to 3rd-party MFA providers and AD FS deployments]. So I assume, though with no confidence, that if you can generate an authentication request that has this tag/flag included via device compliance / a saved MFA token, then this should be workable, but we have to wait for further clarification and documentation.

Microsoft

Re: Question regarding MFA compliance

The updated program guide does include the official wording on what is required to be compliant:

https://docs.microsoft.com/en-us/partner-center/csp-documents-and-learning-resources

Of course this is not a detailed technical guide, but these are the official terms on what to ensure for compliance.

It is correct that August 1 marks the date when it is contractually enforced to have MFA in place. The technical enforcement will happen later, and there are no additional details yet available on how a check would be done (stay tuned). Likely it might be by checking the claim in the access tokens/refresh tokens when accessing the services, since there are various options for how MFA can be implemented (3rd-party MFA is also allowed), so it is not possible to just check if baseline policies are enabled. As said, just a guess to give some examples of how it could be checked technically, not a confirmation that this will be the solution.

Making some exceptions for certain locations/IP ranges will not be compliant; considering my example from above, there would be no MFA claim in the token of the user then. Personally, I also consider this to be a relatively weak control.

Reg. disabled admin accounts - I'm trying to get some more guidance on this. Generally, our recommendations on this are documented here: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access.

Reg. the Partner Center security requirements, one option could be to use a different MFA method for the emergency account, but then you cannot enable the baseline policies since they target all users/admins. Currently trying to get answers on whether Conditional Access with custom controls can be considered as an option (most users will enforce Azure MFA; only for the emergency accounts a custom control is used with 3rd-party MFA); will update the thread once I know more. Since you mentioned "disabled", I guess that you are talking about a disabled account on-premises? Please note that it is important to have an emergency account in the cloud, since when all admins are synced from local AD and when using ADFS, any issue in local AD would completely lock you out of the cloud.

Cannot answer Question 4 on Exchange Online. For question 5, I have not heard of any plans; for now focus on fulfilling the contractual requirements as stated in the program guide.

@cstelzer: For the specific scenario you mentioned, the user experience might not be impacted. Since, when you are AAD joined or Hybrid Joined and your device has a TPM (and/or Windows Hello for Business is used), you might already have the MFA claim in your token (see https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token for details), because the device registration info protected by the TPM is technically another factor for MFA. So accessing the services from a Hybrid Joined Windows 10 machine can technically fulfill the MFA requirements (you can test this yourself by setting conditional access rules that enforce MFA and test logging in with such a device; the Azure AD sign-in report might show that no MFA is triggered because of hybrid join). As mentioned above, we need to wait to see how exactly the technical check on Partner Center security requirements will be done, but there are good chances there is little impact for those scenarios.

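The token-claim check that the reply above floats as a guess, shown as an added example in Python; this is not code from the thread, from Microsoft, or from any partner tooling. Azure AD records how a user authenticated in the token's `amr` (authentication methods references) claim, with `mfa` present after a second factor, so a sign-in that skipped MFA because of a trusted IP carries only `pwd`. The tokens below are constructed samples with no signature, the user names are invented, and treating the Windows Hello for Business value `ngcmfa` (the TPM-backed, hybrid-joined case the reply mentions) as satisfying MFA is an assumption. A real audit must verify the token signature against the tenant's signing keys before trusting any claim.

```python
import base64
import json

# amr (authentication methods references) values treated as satisfying MFA.
# Azure AD emits "mfa" after an interactive second factor. Counting "ngcmfa"
# (Windows Hello for Business, device-bound key) as MFA is an assumption made
# for this example.
MFA_METHODS = frozenset({"mfa", "ngcmfa"})


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED token (alg=none, empty signature). Sample data only."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), ""])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Does NOT verify the signature;
    a real audit must validate it against the tenant's signing keys first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_has_mfa(token: str) -> bool:
    """True when the amr claim lists a method in MFA_METHODS."""
    amr = decode_claims(token).get("amr", [])
    return bool(MFA_METHODS.intersection(amr))


def audit_tokens(tokens: dict) -> dict:
    """Map each user to whether that user's token carries an MFA claim."""
    return {user: token_has_mfa(tok) for user, tok in tokens.items()}


# Constructed scenarios mirroring the thread (not real tokens, not real users):
SAMPLE_TOKENS = {
    # Interactive sign-in with an Authenticator challenge: password plus second factor.
    "alice@partner.example": make_sample_token({"upn": "alice@partner.example", "amr": ["pwd", "mfa"]}),
    # Sign-in from an office "trusted IP" that skips MFA: only the password factor.
    "bob@partner.example": make_sample_token({"upn": "bob@partner.example", "amr": ["pwd"]}),
    # Hybrid-joined device signing in with Windows Hello for Business (assumed amr value).
    "carol@partner.example": make_sample_token({"upn": "carol@partner.example", "amr": ["ngcmfa"]}),
    # Federated sign-in where the on-prem STS did not pass any MFA method through.
    "dave@partner.example": make_sample_token({"upn": "dave@partner.example", "amr": ["fed"]}),
}

if __name__ == "__main__":
    for user, ok in audit_tokens(SAMPLE_TOKENS).items():
        print(f"{user}: {'MFA claim present' if ok else 'NO MFA claim'}")
```

Run it directly to print each sample user's result. The same `token_has_mfa` check can be pointed at a real access token obtained after signing in from an excluded location or from a hybrid-joined device, which is the quickest way to see for yourself whether the claim the reply talks about is actually there.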
Level 2 Contributor

Re: Question regarding MFA compliance

Hello Janosch,

Thank you for providing the updated version of the contract.

No, our tenant is cloud only. The disabled user (which is excluded from baseline policies) is used when we need to bypass MFA or for emergency purposes. The main reason we still need it is because Skype/Teams and Exchange Online (PowerShell EXO module) do not support MFA via delegated access in PowerShell.

Here is an example of usage: a script that gets the onboarding date of the Skype migration of all tenants and reports tenants where the Skype client will be deactivated in the next 30 days. The only way to see the migration date was to read all messages in the Message Center or via PowerShell (but the module does not support MFA). Many customers don't read Microsoft announcements or the Message Center news and got their Skype deactivated without the possibility to install the Teams client because they don't have admin rights, which causes unplanned downtime. The script without MFA helped us to get the information and reach out to our customers the fastest way possible.

Microsoft

Re: Question regarding MFA compliance

In case of emergency, so when no other admin can log on, how do you then enable the disabled user account?

The only workaround for this I know is to create a user account in each customer tenant, since I believe for Exchange PowerShell it will also not work with a service principal (secure app model with app registration in each customer tenant), but I might be wrong here. What also could work is to deploy an Azure Automation solution in each customer tenant (you can build it and provide it via GitHub to customers), where the EXO PowerShell can run with an automation account in the customer environment and then send the information back to you.

Making an exception for this account is not possible according to program terms: all user accounts in the tenant need to be protected by MFA. The baseline policy also does not allow per-user exceptions anymore, but even when doing this with a custom conditional access rule, the contractual requirement stands against it.

Btw, the information on planned Teams migration can be seen in Partner Center for all customers: in the MPN section in Partner Center, under Analytics there is a "cloud performance" report. At the very bottom of this report you see a table/list of customer tenants where you are delegated admin, and this includes columns showing the planned and actual migration date.

Level 2 Contributor

Re: Question regarding MFA compliance

Regarding the enablement of the disabled account, you are right that if no admins can log in, we can't enable it back. All our active admins are MFA enabled. Most of the time, this is due to a portal or MFA service degradation. If the problem comes from the MFA service, we would log back in using a conditional access policy that allows a specific IP to connect with MFA to an Office portal from another country, then we enable the user.

I also noticed that something is trying to patch baseline policies in our tenant to remove the exception list.

Regarding the Analytics panel, the panel reports nothing in our MPN portal. We opened a ticket about that; I believe the issue is because we are indirect, causing the panel to be unavailable. I will have to follow up with our sales team regarding the current status of the ticket.

I will try to attend the next office hours webinar, since I noticed that Microsoft is aware of all these caveats. The next big thing will be to find a way to send emails for other services, such as SMTP client send with MFA on port 587. I don't think this is currently possible, so we might have to use another mail service for that.

Community Manager

Re: Clarification on new CSP MFA security requirements

Hi @timearl & @Philipp,

To keep a single thread on the MFA Requirements side I will move this post here https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/Question-regarding-MFA-compliance/m-p/11160#M99.

You may refer to the existing thread for clarifications.

Kind regards,

Andra

Level 2 Contributor

Re: Clarification on new CSP MFA security requirements

In the Program Guide for Microsoft Cloud Solution Providers that Janosch Ulmer linked above (https://www.microsoftpartnercommunity.com/t5/Multi-Factor-Authentication-MFA/Question-regarding-MFA-compliance/m-p/11229/highlight/true#M111) Section 1.4 defines "users" as "its agents and, as applicable, Customers" and then goes on to state that "Company must, and must require its Indirect Resellers, as applicable, to, apply and enforce the use of the underlying multi-factor authentication service for all users in their accessing any Microsoft Commercial Cloud portal or any underlying service."

This reads to me that if I have a non-user mailbox that is used to process support emails for my company, it does not need to be MFA'd. Now, I would define such an account as a "service account", and yet the communication from Isaiah Williams on Partner Office Hours for Security Requirements: Option 3 (3:38) was that all service accounts need to be MFA'd as well.

Am I correct in my interpretation or can you help me understand where the breakdown is?

Moderator

Re: Clarification on new CSP MFA security requirements

Hi @TomR,

The requirement for MFA enforcement applies to all user accounts, including service accounts, in your partner tenant. This means each user account, regardless of its function, will need to have MFA enforced.

Level 2 Contributor

Re: Clarification on new CSP MFA security requirements

@idwilliams

Your response is consistent with your comments in the Office Hours, but my secondary question is still unaddressed: can you help me understand where the breakdown in communication is?

As I mentioned, the program guide has a definition for "users". Is that definition incorrect and needs to be updated by Microsoft? Does "agents" mean something that Microsoft failed to define clearly in the Program Guide?

Visitor 1

Re: Question regarding MFA compliance

Hello all,

Yes, there are problems with the admin policy, but it seems there are some workarounds.

What nobody yet mentioned is the second policy:

All our users must be enabled for MFA through this policy, but only "dangerous" tasks will need MFA.

But enabling this policy requires that our users all have mobile devices.

There is a policy in our company, that users are not allowed to use personal smartphones in the office!

Only technicians have smartphones.

So how will I use MFA?

Thanks for replies,

Bernd Schneider

Microsoft

Re: Question regarding MFA compliance

Both baseline policies only enable the option to use the Microsoft Authenticator app.

If you enable Azure MFA via your own conditional access policies (Azure AD Premium Plan 1 required), then you also get the option to use phone or SMS as the verification method.

If you use ADFS or another STS solution for authentication, you can integrate 3rd-party MFA solutions on-premises with ADFS/STS, and use any method provided by this 3rd-party solution.

If you use conditional access with custom controls to integrate a 3rd-party solution for MFA (this also requires Azure AD Premium Plan 1), then you can use any method provided by the 3rd party. (Note: I'm still seeking official confirmation that custom controls will work to fulfill the security requirements, and what technical requirements need to be fulfilled by the 3rd-party control.)

Level 2 Contributor

Re: Question regarding MFA compliance

"If you use conditional access with custom controls to integrate a 3rd-party solution for MFA (this also requires Azure AD Premium Plan 1), then you can use any method provided by the 3rd party. (Note: I'm still seeking official confirmation that custom controls will work to fulfill the security requirements, and what technical requirements need to be fulfilled by the 3rd-party control.)"

We want to use Duo via a Conditional Access custom control policy, so we are very much looking to know if there is official confirmation of this ASAP.

Else we will need to change the way our organisation uses MFA and switch all our administrators and staff user base across.

Any news welcome! 🙂

Visitor 1

Re: Question regarding MFA compliance

So the program guide says that ALL USERS must have MFA required to log on to all the different cloud apps?


1. We have dedicated service accounts today to do automation on services that can't be solved with app-based tokens. These accounts CAN'T have MFA enabled; it will just break everything.

2. We need to have an emergency account to be able to get back into our tenant if, for instance, Azure MFA is down or the phone with the app is lost for the "last admin". How can we solve that? The emergency account is monitored and alerted on by Cloud App Security.

3. What about Guest users? Do they count? 

Visitor 1

Re: Question regarding MFA compliance

Hi,

Could you confirm this scenario please?

Program guide for Cloud Solution Provider partners says

"The requirement to enable a multifactor authentication service may be fulfilled by either

(i) Company’s enablement of both the “Baseline policy: Require MFA for admins” and the “Baseline policy: End user protection” in the “Azure Portal” for all users;

(ii) Company’s purchase of a Microsoft offer that includes a multi-factor authentication service (for example,“Azure Active Directory Premium”); or

(iii) Company’s purchase of a third-party “on-premises” multi-factor authentication service that supports Azure Active Directory federated services"

But you wrote previously:

"Making some exceptions for certain locations/IP ranges will not be compliant"

Condition 2 tells:

"(ii) Company’s purchase of a Microsoft offer that includes a multi-factor authentication service (for example,“Azure Active Directory Premium”)"

If we enable Azure MFA via our own conditional access policies (Azure AD Premium Plan 1 required), so condition 2, but with excluded users (e.g. an API user), would it be compliant?

Thank you

(edited to be more clear)

Microsoft

Re: Question regarding MFA compliance

@JankeSkanke 

For 1 - Do you use Azure Automation with an automation account or a service account and automation scripts running somewhere else?

For 2 - As of now, guidance would be to have e.g. Conditional Access with Azure MFA for some, and another MFA service for others. This other MFA service can be implemented via ADFS + 3rd-party MFA integrated in ADFS, and I'm still in the process of clarifying if conditional access with custom controls will work.

Also, afaik users can register multiple phones for MFA.

I have also discussed internally reg. our guidance for emergency accounts, but as of now there is no confirmation that such an account is allowed to be excluded. So unfortunately it will take a few more days until we have more clarity on this.

For 3 - Yes, guest users count - they are managed in another tenant, but still they are users in the tenant. End user baseline policy will also trigger MFA for guests.

Microsoft

Re: Question regarding MFA compliance

No, user exclusion is not allowed. If it is for API access, the recommendation is to adopt the secure app model.

Visitor 1

Re: Question regarding MFA compliance

Good afternoon,

I recently joined the partner program as an indirect reseller partnered with Sherweb. I have just three paid clients for which I am managing Office 365.

My confusion comes as to whether these security requirements apply to my client's tenant/users or if it is my company's tenant, of which, I am the only user/account.

Level 5 Contributor

Re: Question regarding MFA compliance

These requirements to enable MFA are for your company's tenant that you use to connect to the CSP portals. It's highly suggested that you encourage your clients to enable MFA, but that is not this requirement.

Visitor 1

Re: Question regarding MFA compliance

We have enabled the end-user policy yesterday and my understanding was that user accounts in the tenant would be enforced for MFA. This was no problem as all users (accounts on our domain) were MFA anyway.

However, since we enabled it yesterday we have noticed that, if we had shared a OneNote with a client, the client (logging in as, for example bob.smith@clientdomain.com) has an entry in our Azure AD of type guest and source External Active Directory. When they tried to access the shared OneNote this morning they were requested to configure MFA as if they were our staff members even though they have MFA enabled for their Azure AD account on their own tenant.

Can you advise if this is expected behaviour?

I can't see how this makes any sense and it has the feel of a bug in the policy implementation as the whole idea behind centralised active directories is that it allows you to assume that the identity has been confirmed by the source AzureAD. Once they have authenticated to their own Azure AD that should be sufficient.

Has anyone else come across this at all and are there any workarounds or fixes.

Many thanks in advance.

Level 1 Contributor

Re: Question regarding MFA compliance

This is by design. Users must configure MFA per tenant (because each tenant may have configured it differently, with different methods, etc.).

Authentication to their own tenant has nothing to do with authentication to your tenant. The guest user in your tenant is the key here.