Security requirements for Partner Center

Appropriate roles: Admin agent

The Security Requirements Dashboard is a powerful tool designed to assist you in assessing and enhancing your current security posture within Partner Center. This feature grants both Direct Bill and indirect providers access to their Security Score. The security requirements provided are actionable recommendations that are generated based on system vulnerabilities and common attack patterns. By implementing these recommendations and regularly checking for updates, you can bolster your security defenses. This dashboard consolidates the status of all security requirements into a single comprehensive score, enabling you to quickly gauge your current security situation. The higher the score, the lower the identified risk level, giving you a clear understanding of your security readiness.

Manage your security posture

The Security Requirements Dashboard provides you with a complete overview of your security posture. You can monitor and adjust your security settings, policies, and procedures by navigating from this dashboard. The Security Requirements Dashboard empowers you to proactively manage and enhance your security posture and drive toward the Zero Trust principles.

Key features

Overview

The Security score shows a snapshot of your security status within Partner Center.

The Security requirements (overview) shows the total number of security requirements, including totals for those that are completed and not completed.

Security requirements section

In the Security requirements section, you'll find a curated list of security requirements and recommendations. These requirements and recommendations can help you identify areas of improvement in security health, address concerns, mitigate risk, and enhance your overall security posture.

Description of security requirements:

  • Security requirement: Brief description of requirement.

  • Description: Detailed explanation of the security requirement.

  • Status: Indicates whether the requirement is completed or not.

  • Insights: Actionable data tailored to individual requirements, offering further insights on areas requiring attention.

  • Score: The score associated with each requirement, contributing to your overall security score.

  • Instructions for implementation: Contains direct links to the instructional resources that help you understand and implement each recommendation. These links are also provided below under Additional resources. These step-by-step guides help you implement each recommendation effectively, thereby elevating your security.

  • Actionable steps: Links to a page where the requirement can be resolved.

    Note

    If you do not have the right role or access, you will need to contact the right person in your organization.

Screenshot of the Security requirements page.

Future requirements section

The Future requirements section shows a preview of requirements that will be implemented in the near future. Requirements that aren't complete will deduct points from the overall score at a future date.

How your security score is calculated

The Security Score is a decimal (floating-point) value between 0 and 100. The score reflects your tenant's security posture.

Screenshot of the Security score overview.

The Security Score is computed using the security scores of individual security requirements. Every security requirement is granted a max score that's between zero and 20. The max score for a security requirement is decided based on the relative weight of that requirement compared to the other requirements. The max score is subject to change based on changing business priorities.

Screenshot of a sample security requirement called Response to alerts is 24 hours or less on average.

The current calculation algorithm grants the full max score to a compliant requirement and zero to a non-compliant one; there is no partial credit.

The overall security score is calculated using the following formula:

Security Score = (sum of individual security requirement scores) / (sum of individual security requirement max scores) * 100
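The formula above, worked through in code as an added example (this is not Microsoft's or Partner Center's code). The requirement names and max scores mirror the ones listed on this page; the compliance flags, the "future" requirement, and the `include_future` switch that models the day a future requirement starts deducting points are constructed for illustration.

```python
"""Worked example of the Partner Center Security Score formula.

Constructed example, not Microsoft's code. Requirement names and max scores
mirror the ones on this page; compliance flags and the future requirement
are invented to show the arithmetic.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    name: str
    max_score: int        # 0..20, decided per requirement by its relative weight
    compliant: bool       # status shown in the dashboard (completed or not)
    future: bool = False  # listed under "Future requirements": not scored yet


def requirement_score(req: Requirement) -> int:
    """Current algorithm: full max score if compliant, zero otherwise (no partial credit)."""
    return req.max_score if req.compliant else 0


def security_score(reqs: list[Requirement], include_future: bool = False) -> float:
    """(sum of requirement scores) / (sum of max scores) * 100, a float in [0, 100].

    Future requirements are excluded until include_future=True, which models the
    day they begin deducting points from the overall score.
    """
    scored = [r for r in reqs if include_future or not r.future]
    total_max = sum(r.max_score for r in scored)
    if total_max == 0:
        return 0.0  # nothing scorable: avoid division by zero
    return sum(requirement_score(r) for r in scored) / total_max * 100


# Constructed sample: the four requirements on this page plus a hypothetical future one.
SAMPLE = [
    Requirement("Enable MFA", 20, compliant=True),
    Requirement("Response to alerts is 24 hours or less on average", 20, compliant=False),
    Requirement("Provide a security contact", 10, compliant=True),
    Requirement("All Azure subscriptions have a spending budget", 10, compliant=True),
    Requirement("Hypothetical future requirement", 10, compliant=False, future=True),
]

if __name__ == "__main__":
    print(f"Score today: {security_score(SAMPLE):.1f}")
    print(f"Score once the future requirement counts: {security_score(SAMPLE, include_future=True):.1f}")
```

With the sample flags the tenant scores 40 of 60 possible points today (66.7); once the hypothetical future requirement starts counting, the same posture drops to 40 of 70 (57.1), which is the effect the Future requirements section warns about.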

Security requirements and implementation instructions

How do I implement the security requirements?

Note

Third-party MFA solutions such as Okta, Ping, Duo, and more aren't supported within the identity MFA recommendations. Third-party MFA solutions aren't factored into requirement score calculations.

Requirement: Enable MFA

Security Score points: 20

Requiring multifactor authentication (MFA) for administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, your entire organization is exposed.

At a minimum, protect the following roles:

  • Global administrator
  • Authentication administrator
  • Billing administrator
  • Conditional Access administrator
  • Exchange administrator
  • Helpdesk administrator
  • Security administrator
  • SharePoint administrator
  • User administrator

Implementation steps

Note

To be considered complete for this requirement, you need to ensure that every admin user has been covered by the MFA requirement via Security Defaults / Conditional Access / per-user MFA and that each of them has actually set up additional verification factors (e.g., a device of their choice for verification prompts).

This includes break-glass accounts. To learn more, see Manage emergency access admin accounts - Microsoft Entra ID.

  1. Microsoft provides step-by-step guidance to select and enable the right MFA method for your organization in the Microsoft 365 admin center. Go to the Microsoft 365 MFA wizard.
  2. If you would like to perform the implementation yourself and you're using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can't be used side by side. To learn more, see Enable security defaults.
  3. If you've invested in Microsoft Entra ID P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template.
  4. Keep track of your admins' progress in registering authentication methods by going to Microsoft Entra ID > Security > Authentication methods > User registration details (requires Microsoft Entra ID P1 or P2 licenses). Go to User registration details.

Resources

Requirement: Response to alerts is 24 hours or less on average

Security Score points: 20

Alerts must be triaged and responded to within 24 hours of appearing in Partner Center, with a goal of responding within 1 hour. This ensures immediate protection for customer tenants and minimizes financial loss. Response time is measured from the time the alert appears in Partner Center to when a Partner user makes a change to the alert, such as updating its status or reason code. The average response time is calculated based on the last 30 days of activity.

Implementation steps

  1. Ensure you have a Partner Center Security contact configured, as this email address will receive notification of alerts by default. You can use a shared mailbox or a mailbox that feeds a ticketing system.
  2. Maintain a documented incident response playbook that defines the roles, responsibilities, response plans, and contact information.
  3. Specify a reason code for each alert. Microsoft uses your feedback to measure the efficacy of the alerts generated.
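The response-time metric described above, computed over a handful of constructed alert records as an added example (not Partner Center's own code or its exact algorithm). It assumes each alert record carries the time it appeared and the time of the first partner change (status or reason-code update); treating still-untouched alerts as open since they appeared, and the `overdue_alerts` helper for an on-call queue, are this example's choices, not the page's.

```python
"""Average alert response time over the last 30 days, as this page describes it.

Constructed example, not Partner Center's code. Assumptions: each alert record
has an 'appeared' timestamp and a 'first_change' timestamp (None if no partner
user has updated the alert yet); untouched alerts count as open until 'now'.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Constructed sample alert records (ISO-8601, UTC).
ALERTS = [
    {"id": "A-1", "appeared": "2024-05-01T08:00:00Z", "first_change": "2024-05-01T08:45:00Z"},
    {"id": "A-2", "appeared": "2024-05-03T14:00:00Z", "first_change": "2024-05-05T09:00:00Z"},
    {"id": "A-3", "appeared": "2024-05-10T10:00:00Z", "first_change": "2024-05-10T12:00:00Z"},
    {"id": "A-4", "appeared": "2024-03-15T00:00:00Z", "first_change": "2024-03-20T00:00:00Z"},  # outside the 30-day window
    {"id": "A-5", "appeared": "2024-05-14T06:00:00Z", "first_change": None},                   # nobody has touched it yet
]

NOW = datetime.fromisoformat("2024-05-15T12:00:00+00:00")  # constructed "current time"


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix needs Python 3.11+, so normalise it."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def response_hours(alert: dict, now: datetime) -> float:
    """Hours from the alert appearing to the first partner change (or to 'now' if untouched)."""
    appeared = _parse(alert["appeared"])
    changed = _parse(alert["first_change"]) if alert["first_change"] else now
    return (changed - appeared).total_seconds() / 3600


def average_response_hours(alerts: list[dict], now: datetime, window_days: int = 30) -> Optional[float]:
    """Mean response time of alerts that appeared in the last window_days; None if there were none."""
    cutoff = now - timedelta(days=window_days)
    recent = [a for a in alerts if _parse(a["appeared"]) >= cutoff]
    if not recent:
        return None
    return mean(response_hours(a, now) for a in recent)


def meets_requirement(alerts: list[dict], now: datetime, limit_hours: float = 24.0) -> bool:
    """True when the 30-day average is at or under the 24-hour requirement."""
    avg = average_response_hours(alerts, now)
    return avg is not None and avg <= limit_hours


def overdue_alerts(alerts: list[dict], now: datetime, limit_hours: float = 24.0) -> list[str]:
    """IDs of untouched alerts already past the limit: these are dragging the average up right now."""
    return [a["id"] for a in alerts
            if a["first_change"] is None and response_hours(a, now) > limit_hours]


if __name__ == "__main__":
    print(f"30-day average: {average_response_hours(ALERTS, NOW):.2f} h")
    print(f"Meets 24 h requirement: {meets_requirement(ALERTS, NOW)}")
    print(f"Overdue untouched alerts: {overdue_alerts(ALERTS, NOW)}")
```

Note that A-5 still passes the average in this sample only because three other alerts were handled quickly; a single untouched alert keeps growing the average every hour until someone updates its status or reason code, which is why the untouched list, not just the average, belongs in the security contact's mailbox or ticket queue.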

Resources

Requirement: Provide a security contact

Security Score points: 10

When a security-related issue occurs on a Cloud Solution Provider (CSP) partner tenant, Microsoft needs to be able to communicate the issue, and recommend appropriate steps, to a designated security contact in the partner organization who will act with urgency to mitigate and remediate the concern as soon as possible.

Global admins or other roles within Partner Center do not have the necessary expertise or reach to act on important security-related incidents. All partners should update the security contact for their partner tenant.

The security contact is an individual or a group of people accountable for security-related issues within the partner organization.

Implementation steps

Populate the email, phone number and name of the individual or shared mailbox responsible for responding to security incidents in your company.

Resources

Requirement: All Azure subscriptions have a spending budget

Security Score points: 10

Tracking the usage of your customer's Azure subscription helps you assist your customer in managing their Azure usage and avoiding higher-than-anticipated charges. Discuss monthly spending expectations with your customers and set a spending budget on their subscription. You can also configure notifications to be sent to you when a customer uses 80% or more of the configured spending budget. A spending budget does not cap spending, so it's important to notify your customer when they reach 80% usage so they can plan to shut down resources or expect a higher bill.

Note

Partners who are on NCE (New Commerce Experience) and have a spending budget set up will receive score points towards this requirement. However, partners on Legacy will not receive any points.

Implementation steps

See Setting an Azure spending budget for your customers.