Scope of MFA requirement & Secure application model
In the CSP Program Guide, it states:
"[...] effective as of August 1, 2019, Company must, and must require its Indirect Resellers, as applicable, to, enable a multifactor authentication service in accessing any Microsoft Commercial Cloud portal or any underlying service."
"As used herein, “Microsoft Commercial Cloud portal” refers to each of, but is not limited to, the Portal, the “Azure Portal”, the “Store-For-Business” portal, the “Azure Marketplace” portal, and the “Office Portal”."
It's clear that we need to enable MFA for all accounts in the partner tenant, but is it necessary to scope it to all applications? What exactly is the scope of "any Microsoft Commercial Cloud portal or any underlying service"?
Also, regarding the Secure Application Framework, is this only applicable to applications that interact with the Partner Center API, or also internal tools and applications that only access our own tenant?
The scope for the requirements is bound to the users in your partner tenant. A partner tenant is an Azure AD tenant that is associated with the Advisor program, enrollment into the Cloud Solution Provider program (direct, indirect provider, and indirect reseller), or an enrollment as a Control Panel Vendor. So, what this means is that all user accounts, including service accounts, in your partner tenant are required to have MFA enforced. This will impact how your users connect to services like Azure, Office 365, Partner Center, etc.
If you have developed a custom solution that interacts with any Microsoft API (e.g. Azure Resource Manager, Microsoft Graph, etc.) or PowerShell module (e.g. AzureRM, Az, MS Online, etc.) using user credentials, then those will be impacted. They are impacted because the user account you use to connect is now required to authenticate using MFA. So, if the automation or integration is intended to run non-interactively then you will need to adopt the secure application model.
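The pattern the answer points to, shown as an added example that is not part of the original answer or of any Microsoft sample: the secure application model replaces the stored user password with a one-time interactive consent (where the user completes the MFA challenge) that yields a refresh token, and the scheduled job then exchanges that refresh token for short-lived access tokens without any prompt. The application ID, secret, tenant name, Key Vault name and secret name below are placeholders; the script assumes the PartnerCenter and Az PowerShell modules are installed and that the job has its own identity (a managed identity here) to read the vault.

```powershell
# Added example, not the original post's code. All IDs, names and the vault are placeholders.
# Requires the PartnerCenter module (New-PartnerAccessToken, Connect-PartnerCenter) and Az.KeyVault.

$appId         = '00000000-0000-0000-0000-000000000000'      # placeholder: multi-tenant web app registration
$partnerTenant = 'contoso-partner.onmicrosoft.com'           # placeholder: partner tenant
$vaultName     = 'kv-partner-automation'                     # placeholder: Key Vault holding the refresh token
$secretName    = 'pc-refresh-token'                          # placeholder: secret name
$scope         = 'https://api.partnercenter.microsoft.com/user_impersonation'
# Add 'https://management.azure.com/user_impersonation' (Az) or other resources as separate consents if needed.

# --- Step 1: run ONCE, interactively, by a partner admin who completes the MFA challenge ---
# The admin is already signed in with Connect-AzAccount (MFA) so they can write to Key Vault.
$appSecret = Read-Host -Prompt 'App secret' -AsSecureString
$appCred   = New-Object System.Management.Automation.PSCredential($appId, $appSecret)

$consent = New-PartnerAccessToken -ApplicationId $appId -Credential $appCred -ServicePrincipal `
    -Scopes $scope -Tenant $partnerTenant -UseAuthorizationCode

# The refresh token is a long-lived credential for that user: it belongs in Key Vault,
# not in a script or pipeline variable, with vault access limited to the job's identity.
$secretValue = ConvertTo-SecureString $consent.RefreshToken -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretValue | Out-Null

# --- Step 2: the scheduled, non-interactive job (no user password, no MFA prompt) ---
# The job signs in with its managed identity only to read the vault, then exchanges the refresh token.
Connect-AzAccount -Identity | Out-Null
$refreshToken = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText

$pcToken = New-PartnerAccessToken -ApplicationId $appId -Credential $appCred -ServicePrincipal `
    -Scopes $scope -Tenant $partnerTenant -RefreshToken $refreshToken

# Azure AD may rotate the refresh token on use; persist the new one so the job does not stop
# working when the old one expires.
if ($pcToken.RefreshToken -and $pcToken.RefreshToken -ne $refreshToken) {
    $rotated = ConvertTo-SecureString $pcToken.RefreshToken -AsPlainText -Force
    Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $rotated | Out-Null
}

# Use the short-lived access token; the job never holds the user's password.
Connect-PartnerCenter -AccessToken $pcToken.AccessToken
Get-PartnerCustomer | Select-Object Name, CustomerId
```

The split matters for the MFA requirement: step 1 is the only place a human credential is used, and it is done under MFA; step 2 holds an application secret and a refresh token, both of which can be revoked independently of the user's password. From a monitoring standpoint, sign-ins from the job should then appear as the registered application acting on behalf of the consenting user, so an unexpected interactive sign-in by that account is a signal worth alerting on.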