CSP - Partner Security Requirements
We are currently reviewing the security requirements for a Cloud Solution Provider (CSP) as we are planning to switch from Security Defaults to Conditional Access.
The general terms and conditions in the partner agreement are:
- Enable multi-factor authentication (MFA) for all user accounts in your partner tenant.
- You must enforce MFA on all user accounts in your partner tenant(s).
- Partners are required to enforce MFA for all user accounts in their partner tenant, including guest users.
- No, it is not possible to exclude any user account from the requirement of having multi-factor authentication (MFA) enforced.
To my understanding, you need to fulfill these security requirements even if they are not technically enforced. Microsoft recommends using the Security Defaults to meet the security requirements. But when using the Security Defaults, users are challenged for MFA verification only when necessary - for example when accessing from a new location or device. The user for Azure AD Connect and even technical users, e.g. Teams Rooms, are excluded from being MFA enforced. Legacy Authentication is still enabled and can be used when setting up app passwords. There is no MFA enforced/required for all users for all cloud apps. So, why does using the Security Defaults not violate the security requirements?
It appears to me that risk-based authentication, user exclusions and app passwords are compliant when using the security defaults, but it is not compliant to exclude users when implementing own conditional access policies. Could you confirm that? Can we exclude technical users from Conditional Access policies, as the Security Defaults do?
We have considered implementing the following conditional access policies:
- Require MFA for administrator roles and partner center agent groups for all cloud apps with exclusion for the Azure AD Connect user and emergency access user
- Require MFA for all users for Microsoft Azure Management with exclusion for the Azure AD Connect user and emergency access user
- Block legacy authentication for all users for all cloud apps with exclusion for the Azure AD Connect user and emergency access user
- Require MFA for all users for all cloud apps when on external networks with exclusion for technical users, the Azure AD Connect user and emergency access user
Will those conditional access policies meet the security requirements?
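As an added example that is not part of the original question (and not Microsoft's policy engine), the four proposed policies modelled as data with a small hypothetical evaluator that reports which grant controls a given sign-in would hit, so the effect of each exclusion can be checked before the policies are enabled. Account names, group names, role names and app names are constructed; the policy shape only loosely mirrors the Graph conditionalAccessPolicy schema.

```python
from dataclasses import dataclass, field

@dataclass
class SignIn:
    user: str
    app: str                         # constructed app names, e.g. "ExchangeOnline", "AzureManagement"
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    legacy_auth: bool = False        # basic auth / app password style client
    trusted_network: bool = True     # True = named/trusted location, False = external network

# Constructed account names for the exclusions named in the question.
EXCLUDED = {"svc-aadconnect", "breakglass-admin"}
TECHNICAL = {"svc-teamsroom"}

# The four policies from the question, expressed as data (hypothetical shape).
POLICIES = [
    {"name": "MFA for admin roles and partner agents", "controls": {"mfa"},
     "users": {"roles": {"GlobalAdministrator"}, "groups": {"PartnerCenterAgents"}},
     "apps": "All", "exclude": EXCLUDED},
    {"name": "MFA for Azure Management", "controls": {"mfa"},
     "users": "All", "apps": {"AzureManagement"}, "exclude": EXCLUDED},
    {"name": "Block legacy authentication", "controls": {"block"},
     "users": "All", "apps": "All", "legacy_only": True, "exclude": EXCLUDED},
    {"name": "MFA on external networks", "controls": {"mfa"},
     "users": "All", "apps": "All", "external_only": True, "exclude": EXCLUDED | TECHNICAL},
]

def matches(policy: dict, s: SignIn) -> bool:
    """Return True if the policy's user, app and condition filters all apply to the sign-in."""
    if s.user in policy.get("exclude", set()):
        return False                                   # exclusions win over every include
    u = policy["users"]
    in_scope = u == "All" or bool(s.roles & u.get("roles", set())) or bool(s.groups & u.get("groups", set()))
    if not in_scope:
        return False
    if policy["apps"] != "All" and s.app not in policy["apps"]:
        return False
    if policy.get("legacy_only") and not s.legacy_auth:
        return False
    if policy.get("external_only") and s.trusted_network:
        return False
    return True

def applicable_controls(s: SignIn) -> set:
    """Union of grant controls from every matching policy; an empty set means no control is enforced."""
    return set().union(*(p["controls"] for p in POLICIES if matches(p, s)))
```

Sign-ins that return an empty set (for example an excluded technical account, or any user on a trusted network reaching an app other than Azure Management) are exactly the cases the partner requirement of "MFA for all user accounts" would need to be checked against.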