Online transaction risk management guide

Important

As a Microsoft Cloud Solution Provider (CSP) partner, you are responsible for your customers' purchases and use of our services. It is important that partners monitor and address anomalous activities from their customers. Microsoft may send partners notifications if we detect suspicious activities, but it is critical that partners use additional methods of monitoring to help detect anomalous customers’ behavior.

Microsoft takes online transaction risk management seriously, and partners should do the same to mitigate business risks. To support partners, Microsoft is sharing a set of recommendations to manage risks when working with customers online. While Microsoft is committed to supporting partners, partners remain financially responsible for fraudulent purchases by their customers and/or customers' nonpayment of purchased services.

Online risk management best practices

This section provides information about the basic aspects of online transaction risk management that partners should be aware of.

The following risk exposures should be mitigated:

Risk exposure: Abuse of service
Definition: Customers or bad actors who use cloud services in violation of Microsoft's Acceptable Use Policy as described in the Online Service Terms.
Examples:
  • Spamming
  • Hacking
  • DDoS attacks
  • Crypto-mining
  • Malware distribution
  • Pirated subscriptions resale

Risk exposure: Theft of service/Fraud*
Definition: Customers who demonstrate they have no intention to pay for consumed services and may further use stolen payment instruments, provide false billing information, and/or default on outstanding balances.
Examples:
  • Transactions that don't occur in person
  • Misrepresented identities
  • Services provisioned and used with no intention of payment
  • Automated account creation and purchasing by bad actors

*Theft of service/fraud might be higher in emerging markets and high-risk regions.

Best Practices for Mitigating Fraud and Abuse Risks

Mitigating fraud and abuse is crucial for maintaining the integrity and security of Microsoft services. Partners can use the following recommendations to help with policy development and practices to reduce exposure to fraud and abuse risks:

  • Utilize a comprehensive framework that includes pre-detection, prevention, containment, detection, investigation, and mitigation. This approach ensures that fraud and abuse responses are viewed from multiple angles and that all necessary security measures are in place.
  • Establish clear reporting and escalation paths for handling fraud and abuse incidents.
  • Implement strong identity verification mechanisms to prevent unauthorized access and ensure that only legitimate users interact with cloud services.
  • Understand the shared responsibility model between Microsoft customers (including partners) and Microsoft.
  • Develop and implement effective fraud and abuse risk management strategies to safeguard your business from fraud and abuse incidents and the financial impacts.

Acceptable Use Policy enforcement

  • As part of their agreement with Microsoft, partners and their customers are expected to comply with the Acceptable Use Policy as described in the Online Services Terms.
  • When Microsoft detects, or is otherwise made aware of, partner or customer activity that we confirm or otherwise suspect violates the Acceptable Use Policy, Microsoft takes enforcement steps.
  • Violations of the Acceptable Use Policy might result in suspension of Online Services; suspension can be immediate, if necessary. Otherwise, Microsoft notifies partners, requesting that action be taken and/or informing them of enforcement actions already taken by Microsoft.

Microsoft notifications

Microsoft implemented a notification service and it's crucial that partners keep email addresses associated with subscription administrators regularly updated:

  • Partners should develop and implement processes to quickly receive, review, act on, and respond to Microsoft notifications as necessary.
  • If Microsoft detects unusual activity, Microsoft sends notifications to partners in the following scenarios:
    • When subscriptions are suspected of or determined to be violating the Acceptable Use Policy for Online Services, and/or
    • When subscriptions are associated with suspicious activity (such as fraud/abuse) and pose an immediate risk to Microsoft, partners, and/or customers.
  • Customer notifications are sent in the Azure portal via the Azure Service Health blade. To set up alerts, see the article Create activity log alerts on service notifications using the Azure portal.
  • General Abuse email notifications: Emails are sent from azsafety@microsoft.com to subscription admins and owners. It's suggested that you add the azsafety@microsoft.com email address to your safe sender list to prevent important emails from going into your spam folder.

Note

Partners should use additional methods to detect anomalous usage and suspicious activities and not rely solely on Microsoft notifications.

Notifications and expected actions

Note

Microsoft makes reasonable efforts to notify partners if a subscription associated with their customer is showing risky or suspicious activities; however, partners should not rely exclusively on Microsoft notifications. Use other methods of monitoring to detect anomalous customer behavior.

When applicable, partners should respond to Microsoft security notifications, evaluate customers who are found in violation of the Acceptable Use Policy to determine whether they pose additional risks to the partner's business, and complete any required security notification tasks.

When appropriate, partners should take action to notify their customers who are found to be in violation of the Acceptable Use Policy.

Risk event: Activities that pose an immediate risk to Microsoft, partners, and/or customers
Notifications and/or expected actions*:
  • Microsoft will NOTIFY the partner via the Azure portal or Partner Center portal of the high-risk subscription
  • The partner must INVESTIGATE and SUSPEND all other subscriptions of the customer account if the partner determines the activity to be fraudulent
  • Microsoft might DISABLE high-risk subscriptions immediately**

Risk event: Ongoing suspicious security activities
Notifications and/or expected actions*:
  • While it's the partner's responsibility to implement and maintain fraud prevention and detection risk controls, Microsoft might NOTIFY the partner, via email, of the suspicious activity
  • Microsoft might DISABLE high-risk subscriptions if no action is taken by the partner
  • In the future, Microsoft might offer other tools and/or detection capabilities for partners

Risk event: Violation of the Acceptable Use Policy
Notifications and/or expected actions*:
  • Microsoft will NOTIFY the partner via email of the violation
  • The partner will SUSPEND the offending asset and respond to Microsoft's notification within 48 hours or the next business day
  • Microsoft might DISABLE high-risk subscriptions if no action is taken by the partner

*Email notifications are sent to the listed administrators of the subscription. Partners should ensure that email contact information is updated regularly.
**Certain violations can result in immediate suspension and/or disablement of the offending subscription.

When partners detect suspicious usage

Partners are financially responsible for their customers' fraudulent purchases and nonpayment of purchased services. Partners should implement fraud prevention and detection risk-mitigation controls such as the suggestions outlined in this guide.

  • If a partner proactively detects suspicious activity, they should immediately investigate and take appropriate actions to mitigate risk:
    • Investigation might include reviewing the customer's account sign-in activity, invoice payment history, frequent changes in payment instruments, and/or previous subscription usage patterns, as suggested in the best practices above.
    • Mitigation actions might include remediation of compromised identities, cleanup of compromised resources, and strengthening of security posture. For more information, see What should you do if an Azure subscription is compromised?
  • Partners can also submit a Service Request in Partner Center if they have other questions or concerns about suspicious activity.
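The investigation signals listed above (sign-in activity, invoice payment history, frequent payment-instrument changes, and usage patterns) can be turned into a simple, repeatable triage check that a partner runs over its own customer records before deciding whether to investigate or suspend. The script below is an added example and is not part of this guide, nor a Microsoft or Partner Center API; the record layout, field names, thresholds, and sample customer data are all constructed assumptions that a partner would replace with exports from its own billing and identity systems.

```python
"""Added example: triage constructed customer records against the guide's
investigation signals. Nothing here is a Microsoft API; all field names,
thresholds and sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class CustomerRecord:
    """One customer account as a partner's own systems might export it (assumed layout)."""
    tenant_id: str
    signins: list                     # (timestamp, country_code, succeeded)
    invoices: list                    # (due_date, paid)
    payment_instrument_changes: list  # timestamps of payment-method changes
    monthly_usage: list               # consumption per month, oldest first


# Assumed thresholds; a partner would tune these against its own customer base.
MULTI_COUNTRY_WINDOW = timedelta(hours=24)
MULTI_COUNTRY_MIN = 3
FAILED_SIGNIN_RATIO = 0.5
OVERDUE_INVOICES_MIN = 2
PAYMENT_CHANGE_WINDOW = timedelta(days=30)
PAYMENT_CHANGE_MIN = 3
USAGE_SPIKE_FACTOR = 5.0


def triage(rec: CustomerRecord, now: datetime) -> dict:
    """Return the anomaly flags raised for one customer and a suggested next step."""
    flags = []

    # Sign-in activity: many countries in a short window, or mostly failed attempts.
    recent = [s for s in rec.signins if now - s[0] <= MULTI_COUNTRY_WINDOW]
    if len({s[1] for s in recent}) >= MULTI_COUNTRY_MIN:
        flags.append("signins_from_multiple_countries")
    if rec.signins:
        failed = sum(1 for s in rec.signins if not s[2])
        if failed / len(rec.signins) >= FAILED_SIGNIN_RATIO:
            flags.append("high_failed_signin_ratio")

    # Invoice payment history: unpaid invoices that are past their due date.
    overdue = sum(1 for due, paid in rec.invoices if not paid and due < now)
    if overdue >= OVERDUE_INVOICES_MIN:
        flags.append("overdue_invoices")

    # Payment instruments: several changes inside a short window.
    changes = [t for t in rec.payment_instrument_changes if now - t <= PAYMENT_CHANGE_WINDOW]
    if len(changes) >= PAYMENT_CHANGE_MIN:
        flags.append("frequent_payment_instrument_changes")

    # Usage pattern: latest month far above the median of the earlier months.
    if len(rec.monthly_usage) >= 3:
        *history, latest = rec.monthly_usage
        baseline = median(history)
        if baseline > 0 and latest >= USAGE_SPIKE_FACTOR * baseline:
            flags.append("usage_spike")

    # Map the number of independent signals to the guide's two outcomes:
    # investigate, or suspend the customer's subscriptions while investigating.
    if len(flags) >= 3:
        action = "suspend_and_investigate"
    elif flags:
        action = "investigate"
    else:
        action = "none"
    return {"tenant_id": rec.tenant_id, "flags": flags, "action": action}


# Constructed sample data: one ordinary customer and one showing every signal.
NOW = datetime(2024, 6, 1, 12, 0)

CLEAN = CustomerRecord(
    tenant_id="tenant-clean-0001",
    signins=[(NOW - timedelta(hours=h), "US", True) for h in range(1, 6)],
    invoices=[(NOW - timedelta(days=30 * k), True) for k in range(1, 4)],
    payment_instrument_changes=[NOW - timedelta(days=200)],
    monthly_usage=[100, 110, 95, 105],
)

RISKY = CustomerRecord(
    tenant_id="tenant-risky-0002",
    signins=[(NOW - timedelta(hours=1), "US", False),
             (NOW - timedelta(hours=2), "DE", False),
             (NOW - timedelta(hours=3), "JP", True),
             (NOW - timedelta(hours=4), "BR", False)],
    invoices=[(NOW - timedelta(days=45), False), (NOW - timedelta(days=15), False)],
    payment_instrument_changes=[NOW - timedelta(days=d) for d in (2, 9, 20)],
    monthly_usage=[10, 12, 11, 400],
)

if __name__ == "__main__":
    for record in (CLEAN, RISKY):
        print(triage(record, NOW))
```

Each flag corresponds to one of the review points the guide names, so the output explains why a customer was selected rather than only that it was; that is what an analyst needs when responding to a Microsoft notification within the 48-hour window or when documenting a proactive suspension.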