Important
As a Microsoft Cloud Solution Provider (CSP) partner, you are responsible for your customers' purchases and use of our services. It is important that partners monitor and address anomalous activities from their customers. Microsoft may send partners notifications if we detect suspicious activities, but it is critical that partners use additional methods of monitoring to help detect anomalous customer behavior.
Microsoft takes online transaction risk management seriously, and partners should do the same to mitigate business risks. To support partners, Microsoft is sharing a set of recommendations to manage risks when working with customers online. While Microsoft is committed to supporting partners, partners remain financially responsible for fraudulent purchases by their customers and/or customers' nonpayment of purchased services.
Online risk management best practices
This section provides information about the basic aspects of online transaction risk management that partners should be aware of.
See the following table for risk exposure to be mitigated:
Risk exposure | Definition | Examples |
---|---|---|
Abuse of service | Customers or bad actors who use cloud services in violation of Microsoft's Acceptable Use Policy as described in the Online Service Terms. | Spamming; hacking; DDoS attacks; crypto-mining; malware distribution; pirated subscriptions resale |
Theft of service/Fraud* | Customers who demonstrate they have no intention to pay for consumed services and may further use stolen payment instruments, provide false billing information, and/or default on outstanding balances. | Transactions that don't occur in person; misrepresented identities; services provisioned and used with no intention of payment; automated account creation and purchasing by bad actors |
*Theft of service/fraud might be higher in emerging markets and high-risk regions.
Best Practices for Mitigating Fraud and Abuse Risks
Mitigating fraud and abuse is crucial for maintaining the integrity and security of Microsoft services. Partners can use the following recommendations to help with policy development and practices to reduce exposure to fraud and abuse risks:
- Utilize a comprehensive framework that includes pre-detection, prevention, containment, detection, investigation, and mitigation. This approach ensures that fraud and abuse responses are viewed from multiple angles and that all necessary security measures are in place.
- Subscribe to Microsoft security alerts for detections related to unauthorized party abuse and account takeovers; see this guide for instructions.
- Take actions to confirm, contain, and secure a compromise; see this guide for best practices.
- Establish clear reporting and escalation paths for handling fraud and abuse incidents.
- Implement strong identity verification mechanisms to prevent unauthorized access and ensure that only legitimate users interact with cloud services.
- Enable multifactor authentication (MFA) for all administrative users; see this guide for instructions.
- Understand the shared responsibility model between Microsoft customers (including partners) and Microsoft.
- Develop and implement effective fraud and abuse risk management strategies to safeguard your business from fraud and abuse incidents and the financial impacts.
- See best practices for onboarding new customers.
- See best practices for managing customer accounts and billing.
- See CSP security best practices to help with securing your tenants.
- See customer security best practices to help customers monitor and secure their tenants.
Acceptable Use Policy enforcement
- As part of their agreement with Microsoft, partners and their customers are expected to comply with the Acceptable Use Policy as described in the Online Services Terms.
- When Microsoft detects, or is otherwise made aware of, partner or customer activity that we confirm or otherwise suspect violates the Acceptable Use Policy, Microsoft takes enforcement steps.
- Violations of the Acceptable Use Policy might result in suspension of Online Services; suspension can be immediate, if necessary. Otherwise, Microsoft notifies partners to request that action be taken and/or to inform them of enforcement actions already taken by Microsoft.
Microsoft notifications
Microsoft has implemented a notification service, and it's crucial that partners keep the email addresses associated with subscription administrators up to date:
- Partners should develop and implement processes to quickly receive, review, act on, and respond to Microsoft notifications as necessary.
- If Microsoft detects unusual activity, Microsoft sends notifications to partners in the following scenarios:
- When subscriptions are suspected of or determined to be violating the Acceptable Use Policy for Online Services, and/or
- When subscriptions are associated with suspicious activity (such as fraud/abuse) and pose an immediate risk to Microsoft, partners, and/or customers.
- Customer notifications are sent in the Azure portal via the Azure Service Health blade. Learn how to set up alerts in the article Create activity log alerts on service notifications using the Azure portal.
- General Abuse email notifications: Emails are sent from azsafety@microsoft.com to subscription admins and owners. It's suggested that you add the azsafety@microsoft.com email address to your safe sender list to prevent important emails from going into your spam folder.
Note
Partners should use additional methods to detect anomalous usage and suspicious activities and not rely solely on Microsoft notifications.
Notifications and expected actions
Note
Microsoft makes reasonable efforts to notify partners if a subscription associated with their customer is showing risky or suspicious activities; however, partners should not rely exclusively on Microsoft notifications. Use other methods of monitoring to detect anomalous customer behavior.
When applicable, partners should respond to Microsoft security notifications, evaluate customers who are found in violation of the Acceptable Use Policy to determine if they pose additional risks to their business, and complete any required security notification tasks.
When appropriate, partners should take action to notify their customers who are found to be in violation of the Acceptable Use Policy.
Risk event | Notifications and/or expected actions* |
---|---|
Activities that pose an immediate risk to Microsoft, partners, and/or customers |
|
Ongoing suspicious security activities |
|
Violation of Acceptable Use Policy |
|
*Email notifications are sent to the listed administrators of the subscription. Partners should ensure that email contact information is updated regularly.
**Certain violations can result in immediate suspension and/or disablement of the offending subscription.
When partners detect suspicious usage
Partners are financially responsible for their customers' fraudulent purchases and nonpayment of purchased services. Partners should implement fraud prevention and detection risk-mitigation controls such as the suggestions outlined in this guide.
- If a partner proactively detects suspicious activity, they should immediately investigate and take appropriate actions to mitigate risk:
- Investigation might include reviewing the customer's account sign-in activity, invoice payment history, frequent changes in payment instruments, and/or previous subscription usage patterns, as suggested in the best practices described previously.
- Mitigation actions might include remediation of compromised identities, cleanup of compromised resources, and strengthening of security posture. For more information, see "What should you do if an Azure subscription is compromised?"
- Partners can also submit a Service Request in Partner Center if they have other questions or concerns about suspicious activity.