Multi-Factor Authentication (MFA)


Service principals as exception for MFA/end user protection requirements

Greetings dear community,
I have some issues with a partner concerning the enabling of the necessary admin MFA/EUP policies:
The distributor has a marketplace account that authenticates via tokens (which, according to the partner, had to be done that way according to the MFA guidelines of the Partner Center). Now he is of the opinion that enabling 'end user protection' would override the token-based authentication and thus affect the functionality of the marketplace. Instead, he has created a custom policy covering all users but the marketplace account. Will this fulfill the requirements? How should I proceed here?
Thank you sincerely in advance for your answers!
Kind regards,

As I understand it: Excluding accounts will not be in compliance with the Partner Security Requirements. They have to be 'Included' in a policy that has the MFA control enabled.


I hope that we can exclude certain Apps though


@MartinJ - app-only authentication is not impacted by the partner security requirements. So, if they only use a client identifier and secret key to request an access token, then they can safely enable the baseline policies. @assofohdz is correct that they will not be able to exclude users. If they have a policy that does this today, then they need to look into modifying it to comply with the requirements.
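An added example, not code from the thread or from Microsoft: a small audit that checks Conditional Access policy objects (in the shape the Microsoft Graph conditionalAccess API returns them) for the two points made above, that every user is included in an enabled policy granting MFA and that no user is excluded. The two sample policies, the GUID and the display names are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample: the partner's custom policy, which excludes the marketplace account.
# The object ID is a placeholder, not a real account.
PARTNER_POLICY: Dict = {
    "displayName": "Require MFA (custom, excludes marketplace account)",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": ["00000000-0000-0000-0000-000000000001"],  # placeholder object ID
            "excludeGroups": [],
        },
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed sample: the same policy with the exclusion removed. An app-only (client
# credentials) flow never performs an interactive user sign-in, so a user-scoped MFA
# policy does not block it and no exclusion is needed for the marketplace integration.
COMPLIANT_POLICY: Dict = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def policy_findings(policy: Dict) -> List[str]:
    """Return a list of reasons the policy fails the requirement; empty means compliant."""
    findings: List[str] = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled (state=%r)" % policy.get("state"))
    users = policy.get("conditions", {}).get("users", {})
    if users.get("includeUsers") != ["All"]:
        findings.append("policy does not include all users")
    if users.get("excludeUsers"):
        findings.append("users excluded from MFA: %s" % ", ".join(users["excludeUsers"]))
    if users.get("excludeGroups"):
        findings.append("groups excluded from MFA: %s" % ", ".join(users["excludeGroups"]))
    controls = policy.get("grantControls") or {}
    if "mfa" not in controls.get("builtInControls", []):
        findings.append("grant controls do not require MFA")
    return findings


def is_compliant(policy: Dict) -> bool:
    return not policy_findings(policy)
```

Running `policy_findings(PARTNER_POLICY)` reports the excluded account, while the corrected policy produces no findings.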