CSP Security best practices

Appropriate roles: Global Admin | Admin Agent | Helpdesk Agent

All partners in the Cloud Solution Provider (CSP) program accessing Partner Center and Partner Center APIs should follow the security guidance in this article to protect themselves and customers. Partners will need to implement this guidance immediately to mitigate security issues and help remediate security escalations.

For more information, see NOBELIUM targeting delegated administrative privileges to facilitate broader attacks

Customer security best practices

If you're a downstream customer

  • Customers should frequently review subscriptions and resources or services that may have been provisioned unexpectedly.

  • Ensure customers are following password management policies and strong authentication with frequent password rotation.

  • Have your customers use passwordless sign-in with the Microsoft Authenticator app.

  • Review and verify every global admin user's password recovery email address and phone number within Azure AD, and update them if necessary.

  • Review, audit, and minimize access privileges and delegated permissions. It's important to consider and implement a least-privilege approach. Microsoft recommends prioritizing a thorough review and audit of partner relationships to minimize any unnecessary permissions between your organization and upstream providers. Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or haven't yet been audited.

  • Review, harden, and monitor all tenant administrator accounts: All organizations should thoroughly review all tenant admin users, including those associated with Administer On Behalf Of (AOBO) in Azure subscriptions, and verify the authenticity of the users and their activity. We strongly encourage the use of strong authentication for all tenant administrators, reviewing the devices registered for use with MFA, and minimizing the use of standing high-privilege access. Continue to reinspect all active tenant admin user accounts, and check audit logs regularly to verify that high-privilege access isn't granted or delegated to admin users who don't require these privileges to do their job.

  • Review service provider permissions access from B2B and local accounts: In addition to using delegated administrative privilege capabilities, some cloud service providers use business-to-business (B2B) accounts or local administrator accounts in customer tenants. We recommend that you identify whether your cloud service providers use these, and if so, ensure those accounts are well governed, and have least-privilege access in your tenant. Microsoft recommends against the use of “shared” administrator accounts. Review the detailed guidance on how to review permissions for B2B accounts.

  • Verify that multifactor authentication (MFA) is enabled, and enforce conditional access policies. MFA is the best baseline security hygiene method to protect against threats. Follow the detailed guidance on setting up multi-factor authentication in Microsoft 365, and the guidance on deploying and configuring conditional access policies in Azure Active Directory (Azure AD).

  • Review audit logs and configurations.

  • Review and audit Azure AD sign-ins and configuration changes: Authentications of this nature are audited and available to customers through the Azure AD sign-in logs, Azure AD audit logs, and the Microsoft Purview compliance portal (formerly in the Exchange Admin Center). We recently added the capability to see sign-ins by partners who have delegated admin permissions. You can see a filtered view of these sign-ins by navigating to the sign-in logs in the Azure AD admin portal and adding the filter Cross-tenant access type: Service provider on the User sign-ins (non-interactive) tab.

    [Screenshot: the sign-in log screen.]

  • Review Existing Log Availability and Retention Strategies: Investigating activities conducted by malicious actors places a large emphasis on having adequate log-retention procedures for cloud-based resources, including Office 365. Various subscription levels have individualized log availability and retention policies, which are important to understand before forming an incident response procedure.

We encourage all organizations to become familiar with logs made available within your subscription and to routinely evaluate them for adequacy and anomalies. For organizations relying on a third-party organization, work with them to understand their logging strategy for all administrative actions, and establish a process should logs need to be made available during an incident.
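The portal filter described above (Cross-tenant access type: Service provider) can also be applied to an exported copy of the sign-in logs so that partner sign-ins from relationships you have not yet audited are surfaced for review. The following is an added example, not code from the Microsoft page; it assumes records shaped like the Microsoft Graph signIn resource (crossTenantAccessType, homeTenantId, resourceTenantId), and the records, tenant IDs and audited-partner list are constructed sample data.

```python
# Added example: triage exported Azure AD sign-in records and flag cross-tenant
# "serviceProvider" sign-ins (partner delegated-admin access) whose home tenant
# is not on the list of partner relationships you have already reviewed.
# Field names follow the Microsoft Graph signIn resource; values are constructed.
import json
from collections import Counter

# Constructed sample export: three partner sign-ins and one ordinary user sign-in.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-05-01T08:12:03Z", "userPrincipalName": "ops@partner-a.example",
     "appDisplayName": "Azure Portal", "crossTenantAccessType": "serviceProvider",
     "homeTenantId": "11111111-aaaa-4aaa-8aaa-111111111111",
     "resourceTenantId": "99999999-cccc-4ccc-8ccc-999999999999", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2024-05-01T09:40:51Z", "userPrincipalName": "svc@partner-a.example",
     "appDisplayName": "Microsoft Graph", "crossTenantAccessType": "serviceProvider",
     "homeTenantId": "11111111-aaaa-4aaa-8aaa-111111111111",
     "resourceTenantId": "99999999-cccc-4ccc-8ccc-999999999999", "ipAddress": "203.0.113.11"},
    {"createdDateTime": "2024-05-01T23:05:17Z", "userPrincipalName": "admin@unknown-msp.example",
     "appDisplayName": "Azure Portal", "crossTenantAccessType": "serviceProvider",
     "homeTenantId": "22222222-bbbb-4bbb-8bbb-222222222222",
     "resourceTenantId": "99999999-cccc-4ccc-8ccc-999999999999", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2024-05-01T10:02:00Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "crossTenantAccessType": "none",
     "homeTenantId": "99999999-cccc-4ccc-8ccc-999999999999",
     "resourceTenantId": "99999999-cccc-4ccc-8ccc-999999999999", "ipAddress": "192.0.2.5"},
])

# Partner tenants whose delegated-admin relationship has been reviewed and approved
# (constructed placeholder ID; maintain this list from your own partner audit).
AUDITED_PARTNER_TENANTS = {"11111111-aaaa-4aaa-8aaa-111111111111"}


def partner_signins(export_json: str) -> list[dict]:
    """Return only sign-ins made through a service-provider (partner) relationship."""
    return [s for s in json.loads(export_json)
            if s.get("crossTenantAccessType") == "serviceProvider"]


def unaudited_partner_signins(export_json: str, audited: set[str]) -> list[dict]:
    """Flag partner sign-ins whose home tenant is not on the audited allow-list."""
    return [s for s in partner_signins(export_json) if s.get("homeTenantId") not in audited]


def partner_activity_summary(export_json: str) -> dict[str, int]:
    """Count partner sign-ins per home tenant to make unfamiliar relationships visible."""
    return dict(Counter(s["homeTenantId"] for s in partner_signins(export_json)))


if __name__ == "__main__":
    for s in unaudited_partner_signins(SAMPLE_SIGNINS, AUDITED_PARTNER_TENANTS):
        print(f"REVIEW {s['createdDateTime']} {s['userPrincipalName']} "
              f"from tenant {s['homeTenantId']} via {s['appDisplayName']}")
```

Any tenant that appears in the summary but not in the audited list is a relationship to verify or remove, per the guidance above.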