Share via


Common questions about partner security requirements

Appropriate roles: All Partner Center users

This article answers some common questions about the partner security requirements in the Account settings workspace.

What are the partner security requirements and why should partners implement them?

We see an increasing number of increasingly sophisticated security attacks - primarily attacks related to identity compromise.

We introduced mandatory security requirements because preventive controls play a key role in an overall defense strategy. All partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors, and Advisors must implement those security requirements to stay compliant.

What are the timelines and milestones for implementing security requirements?

The terms associated with the security requirements, including timelines and milestones, are included with the Microsoft Partner Agreement. You must implement those security requirements as soon as possible to stay compliant so you can participate in the CSP program.

What happens if I don't implement the partner security requirements?

The Microsoft Partner Agreement requires that you enforce multifactor authentication for user accounts, and that you adopt the secure application model for interacting with the Partner Center API.

Partners who don't abide by those security practices can lose the ability to transact in the CSP program or manage customer tenants using delegate admin rights.

Do the security requirements apply to all geographies?

Yes. (Although Azure Government isn't currently required to meet the security requirements, we strongly recommend that all partners adopt these security requirements immediately.)

Is it possible to get an exclusion for an account?

No, it isn't possible to exclude any user account from the requirement of having multifactor authentication (MFA) enforced. Given the highly privileged nature of being a partner, the Microsoft Partner Agreement requires that multifactor authentication is enforced for each user account in your partner tenant.

How do I know if I meet the partner security requirements?

To meet the partner security requirements, use the following steps:

To help identify areas where you can take actions, we provide the security requirements status report at Partner Center.

Required actions

What actions I need to take to meet security requirements?

All partners in the CSP program (direct-bill, indirect provider, and indirect reseller), Advisors, and Control Panel Vendors must meet the requirements.

  1. Enforce MFA for all users

    All partners in the CSP program, Advisors, and Control Panel Vendors are required to enforce MFA for all users in their partner tenant.

    Other considerations:

    • Indirect providers need to work with indirect resellers to onboard to Partner Center, if they haven't done so already, and encourage their resellers to meet the requirements.
    • Microsoft Entra multifactor authentication is available to users in the partner tenant at no cost through Microsoft Entra security defaults, with the only verification method of an authenticator application that supports time-based, one-time passwords (TOTP).
    • Other verification methods are available through the Microsoft Entra P1 or P2 SKUs, if other methods such as a phone call or text message are required.
    • Partners can also use a third-party MFA solution for each account when accessing Microsoft commercial cloud services.
  2. Adopt the Secure Application Model framework

    Partners who have developed custom integration using any APIs (such as Azure Resource Manager, Microsoft Graph, Partner Center API, and so on) or implemented custom automation using tools such as PowerShell, must adopt the Secure Application Model framework to integrate with Microsoft cloud services. Failure to do so can result in a disruption due to MFA deployment.

    The following resources provide an overview and guidance about how to adopt the model.

    Consult with the vendor if you're using a control panel regarding the adoption of the Secure Application Model framework.

    Control panel vendors are required to onboard to Partner Center as control panel vendors and to start implementing this requirement immediately. Refer to the Partner Center: Secure Application Model framework.

    Control panel vendors must accept and manage CSP partners' consent instead of credentials and purge all existing CSP partners' credentials.

Multifactor authentication

What is multifactor authentication (MFA)?

MFA is a security mechanism to authenticate individuals using more than one required security and validation procedure. It works by requiring two or more of the following authentication methods:

  • Something you know (typically a password)
  • Something you have (a trusted device that isn't easily duplicated, like a phone)
  • Something you are (biometrics)

Is there a cost for enabling MFA?

Microsoft provides MFA at no cost through the implementation of Microsoft Entra security defaults. The only verification option available using this version of MFA is an authenticator application.

  • If a phone call or SMS message is required, then a Microsoft Entra P1 or P2 license must be purchased.
  • Alternatively, you can utilize a third-party solution to provide MFA for each user in your partner tenant. In that case, it is your responsibility to ensure your MFA solution is being enforced and that you're compliant.

What actions do I need to take if I already have an MFA solution?

Users in a partner tenant must authenticate using MFA when accessing Microsoft commercial cloud services. Third-party solutions can be used to fulfill these requirements. Microsoft no longer provides validation testing to independent identity providers for compatibility with Microsoft Entra ID. To test your product for interoperability, see Microsoft Entra identity Provider Compatibility Docs.

Important

If you're using a third-party solution, it's important to verify that the solution is issuing the authentication method reference (AMR) claim that includes the MFA value. For details about how validating your third-party solution is issuing the expected claim, see Testing the Partner Security Requirements.

I use multiple partner tenants to transact. Do I need to implement MFA on all of them?

Yes. You must enforce MFA for each Microsoft Entra tenant associated with the CSP program or the Advisor program. To purchase a Microsoft Entra ID P1 or P2 license, you must purchase a Microsoft Entra ID license for the users in each Microsoft Entra tenant.

Does each user account in my partner tenant need to have MFA enforced?

Yes. Each user must have MFA enforced. However, if you're using Microsoft Entra security defaults, no other action is required because that feature enforces MFA for all user accounts. Enabling security defaults is a free and easy way to ensure that your user accounts are MFA-compliant and not affected when MFA is enforced.

I'm a direct-bill partner with Microsoft. What do I need to do?

Direct-bill Cloud Solution Provider partners must enforce MFA for each user in their partner tenant.

I'm an indirect reseller and only transact through a distributor. Do I still have to do enable MFA?

Yes. All indirect resellers are required to enforce MFA for each user in their partner tenant. The indirect reseller must enable MFA.

I don't use the Partner Center API. Do I still need to implement MFA?

Yes. This security requirement is for all users, including Partner admin users and end users in a partner tenant.

Which third-party vendors provide MFA solutions compatible with Microsoft Entra ID?

When you're reviewing MFA vendors and solutions, you must ensure that the solution you choose is compatible with Microsoft Entra ID.

Microsoft no longer provides validation testing to independent identity providers for compatibility with Microsoft Entra ID. If you want to test your product for interoperability, refer to Microsoft Entra identity Provider Compatibility Docs.

For more information, see the Microsoft Entra federation compatibility list.

How can I test MFA in our integration sandbox?

The Microsoft Entra security defaults feature should be enabled. Alternatively, you can use a third-party solution that uses federation.

Will enabling MFA affect how I interact with my customer's tenant?

No. The fulfillment of these security requirements won't affect how you manage your customers. Your ability to perform delegated administrative operations won't be interrupted.

Are my customers subject to the partner security requirements?

No. You aren't required to enforce MFA for each user in your customer's Microsoft Entra tenants. However, we recommend that you work with each customer to determine how best to protect their users.

Can any user be excluded from the MFA requirement?

No. Every user in your partner tenant, including service accounts, must authenticate using MFA.

Do the partner security requirements apply to the integration sandbox?

Yes. That means you must implement the appropriate MFA solution for users in the integration sandbox tenant. We recommend that you implement Microsoft Entra security defaults to provide MFA.

How do I configure an emergency access ("break glass") account?

It's considered a best practice to create one or two emergency access accounts to prevent being inadvertently locked out of your Microsoft Entra tenant. With respect to the partner security requirements, it's required that each user authenticates using MFA. This requirement means you need to modify the definition of an emergency access account. It could be an account that uses a third-party solution for MFA.

Is Active Directory Federation Service (ADFS) required if I'm using a third-party solution?

No. It isn't required to have Active Directory Federation Service (ADFS) if you're using a third-party solution. It's recommended that you work with the vendor of the solution to determine what the requirements for their solution are.

Is it a requirement to enable Microsoft Entra security defaults?

No.

Can conditional access be used to meet the MFA requirement?

Yes. You can use conditional access to enforce MFA for each user, including service accounts, in your partner tenant. However, given the highly privileged nature of being a partner, we need to ensure that each user has an MFA challenge for every single authentication. That means that you can't use the feature of conditional access that circumvents the requirement for MFA.

Will the service account used by Microsoft Entra Connect be affected by the partner security requirements?

No. The service account used by Microsoft Entra Connect won't be affected by the partner security requirements. If you experience an issue with Microsoft Entra Connect as result of enforcing MFA, then open a technical support request with Microsoft support.

Secure Application Model

Who should adopt the secure application model to meet the requirements?

Microsoft has introduced a secure, scalable framework for authenticating Cloud Solution Provider (CSP) partners and Control Panel Vendors (CPV) that uses multifactor authentication. For more information, see the Secure Application Model guide. All partners who have developed custom integration using any APIs (such as Azure Resource Manager, Microsoft Graph, Partner Center API, and so on) or implemented custom automation using tools such PowerShell, will need to adopt the Secure Application Model framework to integrate with Microsoft cloud services.

What is the Secure Application Model?

Microsoft is introducing a secure, scalable framework for authenticating Cloud Solution Provider (CSP) partners and Control Panel Vendors (CPV) that uses multifactor authentication. For more information, see the Secure Application Model guide.

How do I implement the Secure Application Model?

All partners who have developed custom integration using any APIs (such as Azure Resource Manager, Microsoft Graph, Partner Center API, and so on) or implemented custom automation using tools such PowerShell, must adopt the Secure Application Model framework to integrate with Microsoft cloud services. Failure to do so can result in a disruption due to MFA deployment.

The following resources provide an overview and guidance regarding how to adopt the model:

If you're using a control panel, you need to consult with the vendor regarding the adoption of the Secure Application Model framework.

Control panel vendors are required to onboard to Partner Center as a control panel vendor and start implementing this requirement immediately.

Refer to the Partner Center: Secure Application Model framework. Control panel vendors must accept and manage CSP partners' consent instead of credentials and purge all existing CSP partners' credentials.

Does the Secure Application Model need to be implemented for the Partner Center API/SDK only?

By enforcing multifactor authentication for all user accounts, any automation or integration that is intended to run non-interactively is affected. Although the partner security requirements require you to enable the secure application model for the Partner Center API, it can be used to address the need for a second factor of authentication with automation and integration.

Note

Resources being accessed must support access token-based authentication.

I'm using automation tools such as PowerShell. How do I implement the Secure Application Model?

You must implement the Secure Application Model if your automation runs non-interactively and relies on user credentials for authentication. See Secure Application Model | Partner Center PowerShell for guidance on how to implement this framework.

Note

Not all automation tools can authenticate using access tokens. Post a message on the Partner Center Security Guidance group if you need help understanding what changes need to be made.

It's recommended that you use a service account that has been assigned the least privileged permissions. With respect to the Partner Center API, you should use an account that has either been assigned to the Sales agent or Admin agent role.

It's a best practice to use a least-privileged identity because doing so reduces risk. It's not recommended to use an account that has Global admin privileges because that provides more permissions than are required.

I'm a CSP partner. How do I know if my Control Panel Vendor (CPV) is working on implementing the solution or not?

For partners using a Control Panel Vendor (CPV) solution to transact in the Cloud Solution Provider (CSP) program, it's your responsibility to consult with your CPV.

What is a control panel vendor (CPV)?

A control panel vendor is an independent software vendor that develops apps for use by CSP Partners to integrate with Partner Center APIs. A control panel vendor isn't a CSP Partner with direct access to the Partner Center or APIs. A detailed description is available within the Partner Center: Secure Applications Model guide.

I'm a CPV. How do I enroll?

To enroll as a control panel vendor (CPV), follow the guidelines in Enroll as a Control Panel Vendor to help integrate CSP partner systems with Partner Center APIs.

After you enroll in Partner Center and register your applications, you'll have access to Partner Center APIs. You'll receive your sandbox information in a Partner Center notification if you're a new CPV. After you've completed enrollment as a Microsoft CPV and accepted the CPV agreement, you can:

  • Manage multitenant applications (add applications to Azure portal, and register and unregister applications in Partner Center).

    Note

    CPVs must register their applications in Partner Center to get authorized for Partner Center APIs. Adding applications to the Azure portal alone doesn't authorize CPV applications for Partner Center APIs.

  • View and manage your CPV profile.

  • View and manage your users who need access to CPV capabilities. A CPV can only have the role Global admin.

I'm using the Partner Center SDK. Will the SDK automatically adopt the Secure Application Model?

No. You must follow the guidelines in the Secure Application Model guide.

Can I generate a refresh token for the secure application model with accounts that don't have MFA enabled?

Yes. A refresh token can be generated using an account that doesn't have MFA enforced. However, doing so should be avoided. Any token generated using an account that doesn't have MFA enabled won't be able to access resources due to the requirement for MFA.

How should my application obtain an access token if we enable MFA?

Follow the Secure Application Model guide that provides detail on how to do so while complying with the new security requirements. You can find .NET sample code at Partner Center DotNet Samples - Secure App Model and Java sample code at Partner Center Java Samples.

As a CPV, do I create a Microsoft Entra application in our CPV tenant or the tenant of the CSP partner?

The CPV must create the Microsoft Entra application in the tenant associated with their enrollment as a CPV.

I'm a CSP who is using app-only authentication. Do I need to make any changes?

App-only authentication isn't affected because user credentials aren't used to request an access token. If user credentials are being shared, then control panel vendors (CPVs) must adopt the Secure Application Model framework and purge any existing partner credentials they have.

As a CPV, can I use the app-only authentication style to get access tokens?

No. Control Panel Vendor partners can't utilize the app-only authentication style to request access tokens on the behalf of partner. They should implement the secure application model, which utilizes the app + user authentication style.

Technical enforcement

What is the activation of security safeguards?

All partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors (CPVs), and Advisors should implement the mandatory security requirements to stay compliant.

To provide more protection, Microsoft began the activation of security safeguards that helps partners secure their tenants and their customers by mandating multifactor authentication (MFA) verification to prevent unauthorized access.

We successfully completed the activation for admin-on-behalf-of (AOBO) capabilities to all partner tenants. To further help protect partners and customers, we'll begin the activation for Partner Center transactions in CSP, helping partners protect their businesses and customers from identity-theft related incidents.

For more information, see Mandating Multifactor Authentication (MFA) for your partner tenant page.

I'm using a third-party MFA solution and I'm being blocked. What should I do?

To validate that the account accessing resources was challenged for multifactor authentication, we check the authentication method reference claim to see if MFA is listed. Some third-party solutions don't issue this claim or don't include the MFA value. If the claim is missing, or if the MFA value isn't listed, there isn't a way to determine whether the authenticated account was challenged for multifactor authentication. You'll need to work with the vendor for your third-party solution to determine which actions to take so the solution issues the authentication method reference claim.

If you're unsure whether your third-party solution is issuing the expected claim or not, see Testing the Partner Security Requirements.

MFA is blocking me from supporting my customer using AOBO. What should I do?

The technical enforcement for the partner security requirements is checked if the authenticated account has been challenged for multifactor authentication. If the account hasn't been checked, you'll be redirected to the sign-in page and prompted to authenticate again.

For more experience and guidance, see Mandating Multifactor Authentication (MFA) for your partner tenant.

In a scenario in which your domain isn't federated, after successfully authenticating, you'll be prompted to set up multifactor authentication. After that is completed, you'll be able to manage your customers using AOBO. In a scenario in which your domain is federated, you'll need to ensure the account is being challenged for multifactor authentication.

Security defaults transition

How can I transition from baseline policies to security defaults or other MFA solutions?

Microsoft Entra ID "baseline" policies are being removed and replaced with "security defaults," a more comprehensive set of protection policies for you and your customers. Security defaults can help protect your organization from identity-theft related security attacks.

Your multifactor authentication (MFA) implementation will be removed due to the baseline policies retirement if you haven't transitioned from baseline policies to the security defaults policy or other MFA implementation options. Any users in your partner tenants performing MFA protected operations will be requested to complete MFA verification. For more detailed guidance, see Mandating multifactor authentication for your partner tenant.

To stay compliant and minimize disruptions, use the following steps:

  • Transition to security defaults
    • Security defaults policy is one of the options that partners can choose to implement MFA. It offers a basic level of security enabled at no extra cost.
    • Learn how to enable MFA for your organization with Microsoft Entra ID, and review the security defaults key considerations.
    • Enable security defaults policy if it meets your business needs.
  • Transition to Conditional Access
    • If security defaults policy doesn't serve your needs, enable Conditional Access. For more information, review the Microsoft Entra Conditional Access documentation.

Key resources

How do I get started?

What are resources for adopting the secure application model?

Support

Where can I get support?

For support resources to meet the security requirements:

  • If you have Advanced Support for Partners (ASfP), contact your Service Account Manager.
  • For Premier Support for Partners agreement (PSfP), contact your Service Account Manager and Technical Account Manager.

How do I get technical information and support to help me adopt the secure application model framework?

Technical product support options for Microsoft Entra ID are available through your Microsoft AI Cloud Partner Program benefits. Partners with access to an active ASfP or PSfP subscription can work with their associated account manager (SAM/TAM) to understand the best options available to them.

How do I contact support if I lose access to Partner Center?

If you lose access due to an MFA issue, contact the Security Administrator for your tenant. Your internal IT department can tell you who your Security administrator is.

If you forgot your password, see Unable to sign in for help.

Where can I find more information about common technical issues?

Information regarding the common technical issues can be found in Partner security requirements for partners using Partner Center or Partner Center APIs