Cloud Solution Provider security contact

Appropriate roles: Global admin

Overview

Greater privacy safeguards and security are among our top priorities. We know that the best defense is prevention and that we are only as strong as our weakest link. That is why we need everyone in our ecosystem to act and ensure appropriate security protections are in place.

When any security related issue happens on a Cloud Solution Provider (CSP) partner tenant, Microsoft should be able to communicate the issue and recommend appropriate steps to a designated security contact in a partner organization who will act with urgency to mitigate and remediate security concerns as soon as possible.

Global admins or other roles within Partner Center do not have the necessary expertise or reach to act on important security related incidents. All partners should update the security contact for their partner tenant.

The security contact is either an individual or a group of people that are accountable for security related issues within the partner organization.

Impacted partners

All direct bill partners, indirect providers, and indirect resellers should provide a security contact.

Add a security contact for your CSP partner tenant

You must be the global admin for your company to complete this task. These updates cannot be done through the Partner Center APIs.

Use the following steps to update your security contact for your tenant through Partner Center.

  1. Sign in to the Partner Center dashboard.
  2. Select the Settings gear icon, then Account Settings, then select My profile.
  3. Select Legal Info in the Organization Profile section.
  4. In the security contact section select Update.
  5. Update the fields in the Security contact section and select Update.

Note

If the security contact is an organization or group within your company, update that organization or group name in both the Security contact First Name and Security contact Middle Name fields.

Screenshot showing the Partner Center add contact interface.

This will update the security contact for your tenant. Non-global administrators may view the legal profile page and see the security contact details, but they would not be able to update it.

Important

When you update any of the data fields in the Legal business profile or Primary Contact sections, your account may be required to go through account verification. If you update one or more data fields only in the Security contact, account verification is not required.

Role of security contact

The security contact will receive email notifications from Microsoft if there is a security incident impacting the CSP partner tenant or customer tenants that have granted reseller relationship and/or administrative relationship rights to the partner. The email will contain clear instructions on what specific actions are needed. The security contact is expected to take immediate action to prevent potential or increased damage from the security incident.

Security contact attributes

Security contact field Description
First name First name of the individual or group accountable for security related issues within the CSP partner organization
Middle name Middle name of the individual or group accountable for security related issues within the CSP partner organization (optional)
Last name Last name of the individual or group accountable for security related issues within the CSP partner organization
Email Email of the individual or group accountable for security related issues within the CSP partner organization. Microsoft prefers to have a distribution list of group involved in CSP security.
Phone Phone number of the individual or group accountable for security related issues within the CSP partner organization. This should be a phone that's available 24x7.

Frequently asked questions

What is a security contact?

The security contact is either a person or group of people that are accountable for security related issues within the CSP partner organization. Issues include spam, Azure fraud, and credential compromise just to name a few.

Who can update the security contact?

The CSP global administrator can update the security contact fields in the Partner Center legal profile. These updates cannot be done through API. Non-global administrators may view the legal profile page and see the security contact details but they are unable to edit these fields.

What type of communications will the security contact receive?

The security contact will receive email notifications from Microsoft if there is a security incident impacting either the CSP partner tenant or customer tenants that have granted reseller relationship and administrative relationship rights to the partner.

What is the expectation of the security contact?

If there is a security incident and Microsoft notifies the security contact, that email will have clear instructions on what specific actions are needed. The security contact is expected to take immediate action to prevent potential or increased damage from the security incident.

Will the security contact receive Azure fraud email notifications?

No, the security contact will not receive Azure fraud email notifications. It is recommended that the admin agent who is accountable for managing the customer Azure subscription enroll in Azure fraud email notifications. See Azure fraud detection and notification for more details.