FY19: CSP program new mandatory security requirements
This is an important update related to CSP program security requirements for partners.
Cybersecurity is the central challenge of our digital age. Microsoft is committed to providing a trusted set of cloud services and platforms. We invest heavily in our technology, people and processes to help ensure that customers’ as well as partners’ data is private and protected from unauthorized access, both internally and externally.
We have noticed an increasing number of security breaches and fraud incidents in the industry. As our Cloud Solution Provider (CSP) program ecosystem grows, we are taking action to extend our secure application model and best practices to our partner ecosystem.
Today (November 5, 2018), we are announcing new mandatory security requirements that help protect our partners in the CSP program ecosystem and customers from potential security risks caused by unauthorized access to CSP capabilities in the partner center. These requirements will be communicated to partners via announcement in the partner center, CSP Yammer groups and to-partner email.
- Control panel vendors who integrate their solutions with APIs in the partner center
- Partners transacting in the CSP program using CSP capabilities or APIs in the partner center (Indirect providers, direct bill partners and CSP indirect resellers)
The new security requirements include:
1. Enabling a new secure application model to integrate with APIs in the partner center
   - All control panel vendors and partners in the CSP program who integrate their solutions with APIs in the partner center need to enable the new secure application model.
   - Implementation due date: December 11, 2018
   - Requirement enforcement date begins February 4, 2019
2. Adopting and enabling Multi-Factor Authentication (MFA) to access CSP capabilities or APIs in the partner center
   - All partners in the CSP program and control panel vendors who access CSP capabilities or APIs in the partner center are required to adopt MFA to further safeguard access through a second form of authentication.
   - Partners can choose any MFA solution that is compatible with Azure Active Directory (AAD).
   - Enforcement date for adopting MFA begins February 4, 2019
Starting February 4, 2019, partners who don’t meet these security requirements will not be able to transact through the CSP capabilities or APIs in the partner center.
Field calls to action
- Start communicating these new security requirements with your partners immediately and reinforce the importance of security posture.
- Visit this OCP Partner Programs Digest page for additional information and key resources.
- Please refer to the frequently asked questions document (partner-facing) for any questions.
- Attend Field Office Hours this Thursday, November 8. Please forward the attached invites to your team and peers.
- Frequently asked questions document
- Partner center security guidance Yammer group: https://aka.ms/MSPCSecurityGuidance
- Technical documents
Note: A control panel vendor (CPV) is an independent software vendor who provides the partners in the CSP program with applications, tools or platforms integrated with Partner Center APIs. Typically, a control panel vendor is not a partner in the CSP program with direct access to CSP capabilities in the partner center APIs.