CSP Partner Mandatory Security Requirements

New climate, new security 

Microsoft runs on trust and is committed to providing a trusted set of cloud services and platforms. Greater security and privacy safeguards are among our top priorities. Our goal is to enable partners and customers to adopt advanced security technologies and best practices that help protect them from security threats.  

To protect partner infrastructure and safeguard customer data, Microsoft has introduced a set of mandatory security requirements for Advisors, Control Panel vendors, and partners participating in the Cloud Solution Provider Program (CSP).

What are the mandatory service requirements?

Starting on August 1, 2019, all partners participating in the Cloud Solution Provider program and Advisors are required to integrate baseline security measures by enabling multi-factor authentication (MFA) and adopting the Secure Application Model.

Enable MFA 

Administrator accounts hold a great deal of power and access, making them a valuable target for cyber attackers. Regular users are also on the radar of bad actors, who can use account access to gather privileged information, download the entire directory, and perform ever more sophisticated phishing scams.

A common way to protect these privileged accounts is to put in place a stronger form of account verification. MFA for admins requires multi-factor authentication for the most privileged Azure AD roles, and end-user protection shields all users in a directory.  

Adopt the Secure Application Model 

Marketplace applications, by design, must impersonate Cloud Solution Provider (CSP) partner privileges in order to call Microsoft APIs, incidentally opening up customer data to compromise in the event of a security breach. The new MFA requirement helps protect this customer data, but also complicates any automation by now requiring a second form of authentication. The Secure Application Model bridges the gap.

The Secure Application Model was developed to guide appropriate authentication in these non-interactive scenarios.  

Okay, what do I need to do? 

The specific steps you need to take depend on your partner role. Everyone will need to implement MFA, but how you adopt the Secure Application Model can vary. Some partners need to work alongside Control Panel Vendors (CPVs) and adapt app authentications. Microsoft enabled a partner security requirements status report supported via Partner Center. Each time partners sign into Partner Center to work or, through APIs, get or send data through Partner Center, the security status of the corresponding user is challenged and tracked. Also included in security-status tracking are your applications and any control panel vendor applications.

Indirect provider

Enable MFA 

  • Enable MFA 
  • Guide your resellers to meet the requirements 

Adopt Secure Application Model 

  • Work with your CPV on credentials handling for partner API/SDK, and custom automation tools 
  • Adopt the new secure app model for app + user authentication style 

Direct bill 

Enable MFA 

  • Enable MFA 

Adopt Secure Application Model 

  • Work with your CPV on credentials handling for partner API/SDK, and custom automation tools 
  • Adopt the new secure app model for app + user authentication style 
  • Stop using app + user flow and basic authentication and consider using access token authentication (if supported) for custom automation tools.  

Indirect reseller

Enable MFA 

  • Enable MFA 

Adopt Secure Application Model 

  • Work with your CPV on credentials handling for partner API/SDK, and custom automation tools 
  • Adopt the new secure app model for app + user authentication style 

Control Panel Vendors 

Enable MFA 

  • Enable MFA 

Adopt Secure Application Model 

  • Adopt the new secure app model for app + user authentication style  
  • Stop using app + user flow and basic authentication and consider using access token authentication (if supported) for custom automation tools. 

Advisors

Enable MFA 

  • Enable MFA 

Adopt Secure Application Model 

  • Stop using app + user flow and basic authentication and consider using access token authentication (if supported) for custom automation tools. 

You can find more details about the actions you need to take here.  

What if I don’t? 

Partners who do not implement the mandatory security requirements will not be able to transact in the Cloud Solution Provider program or manage customer tenants leveraging delegate admin rights, once these requirements are enforced. We are in the process of establishing a technical enforcement date for the requirements and will notify partners of the date with detailed information. 

I have questions 

These new requirements are designed to safeguard your business and customers. We’re here to help you stay compliant and protect your business and customers. 
