Online transaction risk management guide

Important

As a Microsoft partner in the Cloud Solution Provider (CSP) program, you're responsible for your customers' purchases and use of our services. It’s important that partners monitor and address anomalous activities from their customers. Microsoft may send partners notifications if we detect suspicious activities, but it’s critical that partners use additional methods of monitoring to help detect anomalous customers’ behavior.

Microsoft takes online transaction risk management seriously, and partners should do the same to mitigate business risks. To support partners, Microsoft is sharing a set of recommendations to manage risks when working with customers online. While Microsoft is committed to supporting partners, partners remain financially responsible for fraudulent purchases by their customers and/or customers' nonpayment of purchased services.

Online risk management best practices

This section provides information about the basic aspects of risk management that you should be aware of, along with suggestions for best practices.

See the following table for risk exposure to be mitigated:

Risk exposure Definition Examples
Abuse of service Customers or bad actors who use cloud services in violation of Microsoft's Acceptable Use Policy - Spamming
- Hacking
- DDOS attacks
- Crypto-mining
- Malware distribution
- Pirated subscriptions resale
Theft of service* Customers who demonstrate they have no intention to pay for consumed services, use stolen payment instruments, provide false billing information, and/or default on outstanding balances - Transactions that don't occur in person
- Misrepresented identities
- Services provisioned and used with no intention of payment
- Automated account creation and purchasing by bad actors

*Theft of service might be higher in emerging markets and high-risk regions.

Best practices

Microsoft recommends partners implement the following protocols throughout the lifecycle of the customer relationship:

  • Onboard new customers
    • Establish personal relationships with customers, when possible (for example, contact by phone).
    • Look for better ways to verify customers'credentials and background (Credit Bureaus/Business Commercial Report Agencies).
    • Use multifactor authentication (MFA) during sign-up to minimize exposure to robotic account creation and purchasing.
    • Require customers to monitor and secure their tenants** by following security best practices.
    • Manage and track identities using services such as digital identity services.
    • Assess customer financial strength through rigorous credit card fraud detection systems.
    • Establish a clear collections policy. Detail collections processes, and when access to subscriptions is affected by nonpayment.
  • Manage customers accounts
    • Implement a process to quickly receive, review, act on, and respond to Microsoft notifications.
    • Work with customers to understand their cloud usage business needs and set appropriate monitoring thresholds. (For example, partners can set a monthly Azure spending budget in Partner Center.
    • Monitor customer activity logs regularly to help detect fraud early.
    • Take quick action when suspicious activities are detected.
    • Avoid giving customers full administrative access to subscriptions without first implementing risk mitigation controls.
  • Manage customer billing
    • Request prepayment before initial transactions and billing.
    • Don't accept high-risk payment instruments (such as prepaid cards or stored-value cards).
    • Monitor customer payments and aging accounts receivables. Aggressively enforce standardized dunning processes for late payments or nonpayment.

Suggestions for customer onboarding best practices

This section provides best practices for customer onboarding. Sections include information about Short Message Service (SMS) verification, end-user identity management, and knowing your customer when onboarding.

SMS (text) verification

During the sign-up process, end customers are presented with a "Proof that you aren't a robot" page, that initiates a customer verification via SMS (text):

  • Using an SMS verification solution helps partners mitigate the risk of customer sign-ups occurring through robotic methods. SMS verification also helps prevent bad actors being able to easily create multiple accounts (for example, fake sign-ups).
  • During the sign-up process, partners can choose to confirm if a person is on the other end of the transaction. The verification is accomplished by requiring the customer to provide a mobile number to which a one-time passcode is sent via SMS.
  • Additionally, SMS verification can also be used as part of a multifactor authentication (MFA) sign-in process for established customers.

End-user identity management

The best practices to mitigate the risk of identify fraud are:

  • One way to manage and track a customer's identity is by using a Digital Identity Service.
  • A digital identity is a unique signature of an individual user and/or device at the other end of an online transaction.
  • Digital Identity Services enables partners to better identify customers beyond simple identifiers such as an email address, physical address, and so on.
  • Partners can validate the identity of customers and identify potential bad actors by using third-party tools.

Know your customer when onboarding

It's important that partners take extra steps to verify the identity and financial strength, when possible, of individuals and companies that want to purchase online services. The best practices are:

  • Build personal relationships with customers, for example, contact by phone, meet in person, and so on.
  • Require a credit card during sign-up; don't accept stored-valued cards or prepaid credit cards as a payment method.
  • Implement rigorous credit card fraud detection systems to ensure the customer presenting the payment instrument is an authorized user; review financial reports from credit bureaus.
  • Validate customers' credentials and background in trusted places like Business Commercial Report Agencies.

Suggestions for customer post-purchase best practices

Know your customer

It's the best practice to implement usage monitoring for services, even if those services aren't billed by consumption. But this practice is especially true for consumption billed service such as Azure where billing occurs after usage.

  • Building on the "know your customer" strategy, partners should work closely with customers to understand the fundamental business needs of their cloud services usage.
  • Avoid giving customers full admin access to subscriptions without first implementing risk mitigation controls, such as the best practices in this guide.
  • To monitor customer-level usage for the various business needs of the customer, use the Microsoft Azure Management Portal and the available usage reporting capabilities.
  • Subscribe to new security alerts which is one of the many ways Microsoft supports partners in securing their customers' tenants. Alerts should be investigated and remediated quickly If necessary, partners can suspend affected Azure resources or Azure subscriptions to mitigate an issue.

Billing

In the Cloud Solution Provider program, Microsoft doesn't bill the end-customer. The partner is required to set up and process billing.

Partners should implement the following protocols in their billing process:

  • Secure payments upfront in advance of billing by requesting customers submit prepayments to fund their account activity.
  • Avoid accepting high-risk payment instruments such as prepaid or stored-value cards as the amount on the cards can't be verified and might not be enough to cover customer purchase costs.
  • Closely monitor customer payments and aging accounts receivable, aggressively enforce standardized dunning processes for late or nonpayment, including suspension of subscriptions and services until payments on outstanding balances are received.

Microsoft notifications

Microsoft implemented a notification service and it's crucial that partners keep email addresses associated with subscription administrators regularly updated:

  • Partners should develop and implement processes to quickly receive, review, act on, and respond to Microsoft notifications as necessary.
  • If Microsoft detects unusual activity, Microsoft sends notifications to partners in the following scenarios:
    • When subscriptions are suspected of or determined to be violating the Acceptable Use Policy for Online Services, and/or
    • When subscriptions are associated with suspicious activity (such as fraud/piracy) and pose an immediate risk to Microsoft, partners, and/or customers.
  • Customers notifications are sent in the Azure portal via Azure Service Health blade. Learn how to set up alerts in the article Create activity log alerts on service notifications using the Azure portal.
  • General Abuse email notifications: Emails are sent from azsafety@microsoft.com to subscription admins and owners. It's suggested that you add the azsafety@microsoft.com email address to your safe sender list to prevent important emails from going into your spam folder.

Note

Partners should use additional methods to detect anomalous usage and suspicious activities and not rely solely on Microsoft notifications.

Acceptable Use Policy enforcement

  • As part of their agreement with Microsoft, partners and their customer are expected to comply with the Acceptable Use Policy as described in the Online Services Terms.
  • When Microsoft detects, or is otherwise made aware of, partner or customer activity that we confirm or otherwise suspect violates the Acceptable Use Policy, Microsoft takes enforcement steps.
  • Violations of the Acceptable Use Policy might result in suspension of Online Services - suspension can be immediate, if necessary. Otherwise Microsoft notifies partners requesting action be taken and/or of enforcement actions already taken by Microsoft.

Notifications and expected actions

Note

Microsoft makes reasonable efforts to notify partners if a subscription associated with their customer is showing risky or suspicious activities; however, partners shouldn't rely exclusively on Microsoft notifications. Use other methods of monitoring to detect anomalous customers' behavior.

Partners should evaluate customers who are found to be in violation of the Acceptable Use Policy to determine if they pose any additional risks to their business.

Risk event Notifications and/or expected actions*
Activities that pose an immediate risk to Microsoft, partners, and/or customers
  • Microsoft will NOTIFY partner via Azure portal or Partner Center portal of the high-risk subscription
  • Partner must INVESTIGATE and SUSPEND all other customer subscriptions of the customer account if it's determined by the partner to be fraudulent
  • Microsoft might DISABLE high-risk subscriptions immediately**
Ongoing suspicious security activities
  • While it's the partner's responsibility to implement and maintain fraud prevention and detection risk controls, Microsoft might NOTIFY partner, via email, of the suspicious activity
  • Microsoft might DISABLE high-risk subscriptions if no action is taken by the partner
  • In the future, Microsoft might offer other tools and/or detection capabilities for partners
Violation of Acceptable use policy
  • Microsoft will NOTIFY partner via email of the violation
  • Partner will SUSPEND the offending asset and respond to Microsoft's notification within 48 hours or the next business day
  • Microsoft might DISABLE high-risk subscriptions if no action is taken by the partner

*Email notifications are sent to the listed administrators of the subscription. Partners should ensure that email contact information is updated regularly.
**Certain violations can result in immediate suspension and/or disablement of the offending subscription.

When partners detect suspicious usage

Partners are financially responsible for their customers' fraudulent purchases and nonpayment of purchased services. Partners should implement fraud prevention and detection risk-mitigation controls such as the suggestions outlined in this guide.

  • If a partner proactively detects suspicious activity, they should immediately investigate and take appropriate actions to mitigate risk:
    • Investigation might include reviewing the customer's account sign-in activity, invoice payment history, frequent changes in payment instruments and/or previous subscription usage patterns, as suggested as best practices previously.
    • Mitigation actions might include remediation of compromised identities, cleanup of compromised resources and strengthening of security posture. For more information, see What should you do if an Azure subscription has been compromised?.
  • Partners can also submit a Service Request in Partner Center if they have other questions or concerns about suspicious activity.