
Secure Application Model

Learn and ask questions on how to implement secure application model

Level 1 Contributor

Enabling Secure App Model

We are a consulting company. We don't have any applications in the marketplace.

We have never used the Partner Center API.

We don't develop any applications for sale.

We work with our customers and help them leverage the cloud. All of our work is done on customer Azure subscriptions.

We have an Azure subscription but it is only used for proofs of concept.

We are not a CSP or Control Panel partner.

We are a part of "Azure Advisors" so the new security guidelines apply to us.

We have enabled Baseline policy to require MFA for all of our users.

I have looked at the Secure Application Model guide and I am not sure what I have to do for us to be in compliance by Aug 1st.

1 ACCEPTED SOLUTION
Microsoft

If you don't have any solutions using the API and if you don't do automation/scripting on customer subscriptions via the delegated admin credentials CSP partners have, then the Secure App Model does not apply to you. See also https://docs.microsoft.com/en-us/partner-center/partner-security-requirements#what-automation-or-integration-do-you-have-that-leverages-user-credentials-for-authentication

The notification in Partner Center is static; it will also be displayed when you have implemented MFA for all users.

You do not get a confirmation for completion. On August 1 there will be a contractual requirement to have MFA enabled (via any mentioned method; baseline policies are just one option of many), so for now you just need to check yourself whether you have fulfilled the requirements as posted in the CSP program guide. Technical enforcement will be done later, and hopefully we will have more technical guidance on how to check if the individual implementation is technically working (e.g. similar to what we already posted here: https://www.microsoftpartnercommunity.com/t5/Blog-Discussions/How-to-validate-your-solution/td-p/8315)

Kind regards,
Janosch

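The accepted answer leaves the self-check to the partner and says no confirmation is issued. The following is an added example, not code from the thread or from Microsoft's guidance, of how a partner can enumerate users in the partner tenant whose MFA registration is incomplete, using the Microsoft Graph PowerShell SDK's authentication-methods registration report. The permission scopes and the output file name are assumptions. Note that the report shows who has registered a method; it does not prove that a Conditional Access or baseline policy actually enforces MFA at sign-in, so it complements checking the policy itself rather than replacing it.

```powershell
# Added example (not from the thread or from Microsoft's own guidance).
# Lists partner-tenant users who are not yet registered for MFA, using the Graph
# authentication-methods registration report. Scopes and output path are assumptions.

# Sign in to the partner tenant with an account allowed to read the report.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# One row per user: IsMfaRegistered, IsMfaCapable, MethodsRegistered, IsAdmin, UserType, ...
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = @($details | ForEach-Object {
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        IsAdmin           = $_.IsAdmin
        UserType          = $_.UserType                 # member vs guest
        IsMfaRegistered   = $_.IsMfaRegistered
        IsMfaCapable      = $_.IsMfaCapable
        Methods           = ($_.MethodsRegistered -join ',')
    }
})

# Admins without a registered MFA method are the most urgent gap; show them first.
$gaps = @($report | Where-Object { -not $_.IsMfaRegistered } | Sort-Object -Property IsAdmin -Descending)
$gaps | Format-Table -AutoSize

# Summary counts for the compliance record, plus a CSV for follow-up with each user.
$registered = @($report | Where-Object { $_.IsMfaRegistered }).Count
$gapAdmins  = @($gaps | Where-Object { $_.IsAdmin }).Count
"{0} of {1} users registered for MFA; {2} outstanding ({3} admins)" -f $registered, $report.Count, $gaps.Count, $gapAdmins
$gaps | Export-Csv -Path .\partner-tenant-mfa-gaps.csv -NoTypeInformation
```

Guest accounts and service accounts show up in this report too; decide deliberately whether they are covered by your MFA policy rather than filtering them out of the list.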

6 REPLIES
Community Manager

Hi @rajcheval,

Thank you for all the details.

As per this resource, the Secure App Model is intended for CSPs and CPVs only: https://docs.microsoft.com/en-us/partner-center/develop/enable-secure-app-model

As an Advisor you should enable the following policies.

  • Require MFA for admins: Enabling the Require MFA for admins policy will require users in the administrator roles to register for MFA using the Authenticator App. Once MFA registration is complete, administrators will need to perform MFA every time they sign in.
  • End user protection: End user protection is a risk-based MFA baseline policy that protects all users in a directory. Enabling this policy requires all users to register for MFA using the Authenticator App. Users can ignore the MFA registration prompt for 14 days, after which they will be blocked from signing in until they register for MFA. Once registered for MFA, users will be prompted for MFA only during risky sign-in attempts. Compromised user accounts are blocked until their password is reset and risk events have been dismissed.

Please review this documentation. https://docs.microsoft.com/en-us/partner-center/partner-security-requirements#self-service-password-reset


Hope this helps,

Andra

Visitor 1

Hi @Andra,

We have a similar issue here. We ARE a CSP, but we do not develop nor do we use any of those APIs listed, as far as we are aware. We enabled the MFA (refer to the attached screenshot), but don't know where to start or what to do on the "Secure Application Model framework". We tried to follow all the instructions and read through the FAQs, but couldn't figure out how to accomplish this. Also we see this yellow warning message in our Partner Dashboard (refer to the attached screenshot). Does it mean that we are still missing something to complete this Partner Security Requirement, or do we still see this message even though we completed what we're supposed to do? How do we get a confirmation on the completion? Sorry for the many questions, but we'd really appreciate it if you could give very clear guidance on this one because we have got to make sure that we keep our partnership to continue running our business through the partnership.



Visitor 1

This is a bit confusing.

We're an ISV. We are also a CSP.

We make products that use Graph.

However, we don't automate any CSP operations and our products don't interoperate with the CSP world in any way; this is merely a convenience for our migration-as-a-service customers who don't want to provision their own subscriptions.


Are our products required to use the SAM framework?

Moderator

The requirement is for partners who are involved with the Advisors and CSP programs to enforce MFA for all users in their partner tenant. A partner tenant is an Azure Active Directory tenant that is associated with an enrollment into the Advisors or CSP (direct, indirect provider, and indirect reseller) programs. As a result of enforcing MFA for each user, the password flow can no longer be leveraged to obtain access tokens. To address this, we have introduced the Secure Application Model framework to provide guidance for how you can contend with the fact that MFA will be required for every sign-in attempt.

@quadroPaul what this means for you is that if you are using app + user authentication and the user you are using is associated with a partner tenant, then you will be impacted. So, you will need to implement the Secure Application Model. However, if you are using app only authentication (or you are using app + user authentication and the user account you are using is not associated with a partner tenant), then you are not impacted by the partner security requirement.
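To make the distinction in the reply above concrete, here is an added example (not from the thread, and not Microsoft's documentation verbatim) of the Secure Application Model as implemented with the PartnerCenter PowerShell module: one interactive consent that a partner-tenant user completes under MFA, whose refresh token is stored in Key Vault, and an unattended job that redeems that refresh token for access tokens instead of ever sending a user name and password. The application ID, tenant ID, vault name and secret names are placeholders (assumptions), and the Part 2 section assumes the job runs under an identity that can read those two vault secrets.

```powershell
# Added example, not code from the thread or from Microsoft's docs verbatim.
# Secure Application Model with the PartnerCenter PowerShell module:
#   Part 1: one-time interactive consent (user satisfies MFA once) -> refresh token -> Key Vault
#   Part 2: unattended job redeems the refresh token for access tokens; no user password involved
# Application ID, tenant ID, vault name and secret names are placeholders (assumptions).

$applicationId   = '00000000-0000-0000-0000-000000000000'   # multi-tenant app registered in the partner tenant
$partnerTenantId = '11111111-1111-1111-1111-111111111111'   # partner (CSP / Advisor) tenant
$keyVaultName    = 'contoso-sam-kv'
$refreshSecret   = 'PartnerCenterRefreshToken'
$clientSecret    = 'PartnerCenterAppSecret'
$scopes          = 'https://api.partnercenter.microsoft.com/user_impersonation'

# ---- Part 1: run once, interactively, by a partner user holding the needed Partner Center role ----
# User name = application (client) ID, password = the app's client secret.
$appCredential = Get-Credential -Message 'Application ID as user name, client secret as password'

# -UseAuthorizationCode opens a browser: the user signs in and completes MFA. The token object
# that comes back carries the refresh token, which is what SAM persists instead of a password.
$consent = New-PartnerAccessToken -ApplicationId $applicationId -Scopes $scopes `
    -ServicePrincipal -Credential $appCredential -Tenant $partnerTenantId -UseAuthorizationCode

# Persist only the refresh token and the client secret, in Key Vault, never in a script or file.
Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $refreshSecret `
    -SecretValue (ConvertTo-SecureString -String $consent.RefreshToken -AsPlainText -Force) | Out-Null
Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $clientSecret `
    -SecretValue $appCredential.Password | Out-Null

# ---- Part 2: unattended (Automation runbook, scheduled task). The job's own identity (managed
# identity or a service principal) only needs 'get' on the two secrets; it never holds a user password.
$refreshToken  = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $refreshSecret -AsPlainText
$appCredential = New-Object System.Management.Automation.PSCredential(
    $applicationId, (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $clientSecret).SecretValue)

# Refresh-token grant: app ID + secret + refresh token -> access token acting as the consenting user.
$token = New-PartnerAccessToken -ApplicationId $applicationId -Scopes $scopes `
    -ServicePrincipal -Credential $appCredential -Tenant $partnerTenantId -RefreshToken $refreshToken

Connect-PartnerCenter -AccessToken $token.AccessToken
Get-PartnerCustomer | Select-Object -First 5 Name, CustomerId

# Refresh tokens are rotated and eventually expire: store the newest one, and rerun Part 1 if
# redemption starts failing (e.g. after the consenting user's password reset or a revocation).
if ($token.RefreshToken -and $token.RefreshToken -ne $refreshToken) {
    Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $refreshSecret `
        -SecretValue (ConvertTo-SecureString -String $token.RefreshToken -AsPlainText -Force) | Out-Null
}

# ---- Why the old way breaks: ROPC ("password flow") posts user name + password directly to the
# token endpoint and cannot answer an MFA challenge, so it fails for every partner-tenant user once
# MFA is enforced. SAM does not bypass MFA; it moves the MFA prompt to the one-time consent step.
# App-only (client credentials) authentication never involved a user and is unaffected.
```

The same pattern applies to automation against customer Azure subscriptions: request the consent with an Azure Resource Manager scope instead of the Partner Center one, and hand the resulting access token to Connect-AzAccount. The refresh token is a long-lived credential for the consenting user, so treat the vault's access policy and audit log as you would for a password.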

Level 1 Contributor

@Andra 

Thank you for the helpful links.

This link about enabling secure app model

https://docs.microsoft.com/en-us/partner-center/develop/enable-secure-app-model

says that it covers CPV and CSP.

We are not a CPV or CSP. Should we choose one of these options and enable secure app model?


This topic concerns the following actors:

  • CPVs
    • A CPV is an independent software vendor that develops apps for use by CSP partners to integrate with Partner Center APIs.
    • A CPV is not a CSP partner with direct access to the Partner Center dashboard or APIs.
  • CSP indirect providers and CSP direct partners who are using app ID + user authentication and directly integrate with Partner Center APIs.