Requirements
Change Record
Date: 25 June 2019
Author: Operations Readiness
Version: 1.0
Change Reference: Announcing the partner security requirements.
1 Introduction ... 6
What are the new partner security requirements? ... 6
Who should implement the Secure Application Model to meet the requirement? ... 13
I use multiple partner tenants to transact, do I need to implement MFA on them all? ... 13
Does each user in my partner tenant need to have MFA enforced? ... 13
I am an indirect reseller and only transact through a distributor. Do I still have to do this? ... 14
I do not use the Partner Center API. Do I still need to implement MFA? ... 14
Which third-party vendors provide MFA solutions compatible with Azure Active Directory? ... 14
Does the Secure Application Model need to be implemented for the Partner Center API/SDK only? ... 16
I am using automation tools such as PowerShell. How do I implement the Secure Application Model? ... 16
What user credentials should the application administrator provide when performing the consent process? ... 16
Why should the application administrator not provide global admin user credentials when performing the consent process? ... 16
What actions do I need to take to implement a secure application model if I use Microsoft APIs? ... 17
I am a CSP partner. How do I know if my Control Panel Vendor (CPV) is working on implementing the solution or not? ... 18
I am using the Partner Center SDK. Will the SDK automatically adopt the Secure Application Model? ... 18
Can I generate a refresh token for the Secure Application Model with accounts that do not have MFA enabled? ... 18
As a CPV, do I create an Azure AD application in our CPV tenant or the tenant of the CSP partner? ... 19
I am a CSP that is using app-only authentication. Do I need to make any changes? ... 19
As a CPV, can I leverage the app-only authentication style to get access tokens? ... 19
6 Support ... 21
Where can I get support? ... 21
How can I get help with enabling the baseline policies? ... 21
Where can I find more information about common technical issues? ... 21
Greater security and privacy safeguards are among our top priorities. We know that the
best defense is prevention and that we are only as strong as our weakest link. That is why
we need everyone in our ecosystem to take action and ensure they have appropriate
security protections in place.
To help safeguard partners and customers, we are introducing a set of mandatory security
requirements for partners participating in the Cloud Solution Provider (CSP) program,
Control Panel Vendors, and Advisor partners.
Enabling Multi-Factor Authentication (MFA) and adopting the Secure Application Model
framework will help protect your infrastructure and safeguard your customers' data from
security risks such as identity theft and other fraud incidents.
• All partner organizations participating in the Cloud Solution Provider (CSP) program
that are transacting using the Microsoft commercial cloud services
o Direct bill partners
o Indirect providers
o Indirect resellers
• All Control Panel Vendors
• All Advisor program partners
All partners transacting through a sovereign cloud (21Vianet, US Government, and Germany)
are not required to meet the new security requirements effective August 1st. However, we
strongly recommend that all partners using a sovereign cloud act and adopt these new
security requirements immediately. Microsoft will provide additional details regarding the
enforcement of these security requirements for sovereign clouds in the future.
What are the key actions I need to take to meet the requirements?
All partners in the CSP program (direct bill, indirect provider and indirect reseller), Advisors,
and Control Panel Vendors must meet the requirements.
All partners in the CSP program, Advisors, and Control Panel Vendors are required to
enforce MFA for all users in their partner tenant. This can be accomplished by enabling
the Require MFA for admins, the End user protection baseline, and any future baseline
policies. The functionality provided by the baseline policies will continue to evolve to
ensure partners and customers are protected from the ever-changing security threats.
So, it is important that you review the baseline policies documentation to learn more.
• See Baseline policy: Require MFA for admins for details on how to enable the Require
MFA for admin baseline policy.
• See Baseline policy: End user protection for details on how to enable the End user
protection baseline policy.
• Understand the concept of the baseline protection policies
Additional considerations:
• Indirect providers need to work with indirect resellers to onboard to Partner Center
if they have not done so already and encourage their resellers to meet the
requirements.
• Azure MFA is being made available to all users in the partner tenant at no cost
through the baseline policies, with the Microsoft Authenticator app as the only
supported verification method.
• Additional verification methods are available through the Azure Active Directory
Premium SKUs, if other methods such as SMS or email are required.
• Partners can also leverage a third-party MFA solution per each user when accessing
Microsoft commercial cloud services.
All partners who have developed custom integration using any APIs (such as Azure
Resource Manager, Microsoft Graph, Partner Center API, etc.) or implemented custom
automation using tools such as PowerShell will need to adopt the Secure Application
If you are using a control panel, then you need to consult with the vendor regarding the
adoption of the Secure Application Model framework.
What is MFA?
Multi-Factor Authentication (MFA) is a security mechanism through which individuals are
authenticated using more than one required verification procedure. It works
by requiring two or more of the following authentication methods:
Important note: Microsoft baseline policies and related functionalities will continue to
evolve to better protect partners and customers from ever-changing security threats.
There may be some naming and taxonomy changes with the baseline policies soon. We
strongly recommend that you visit the baseline policies pages directly to check out the
latest information.
The Require MFA for admins baseline policy is applied to administrative users in the
partner directory, and the End user protection baseline policy is applied to protect non-
administrative users in the partner tenant. Enabling these policies will require users to
I do not use the Partner Center API. Do I still need to implement MFA?
Yes, this security requirement is for all users including partner admin users and end-users in
a partner tenant.
The following resources provide an overview and guidance regarding how to adopt the
model.
Note, not all automation tools provide the ability to authenticate using access tokens. If you
need help understanding what changes need to be made, please post a message on the
Partner Center Security Guidance group.
If you are using a control panel platform, then you need to consult with the vendor regarding
the adoption of the Secure Application Model framework.
Control panel vendors are required to on-board to Partner Center as a control panel vendor
and start implementing this requirement immediately. Refer to the Partner Center: Secure
Application Model framework. Control panel vendors must accept and manage CSP partners’
consent instead of credentials and purge all existing CSP partners’ credentials.
Note, you should create a new service account for any automation and integration where
you can enforce MFA first. Doing this will enable you to test your solution prior to deploying
it to production.
In order to receive the enrollment link, CPVs must contact CPVHelp@microsoft.com and
provide a Microsoft employee sponsor who has a business relationship with the CPV or
knows their business, for example a Partner Development Manager (PDM).
Once you enroll in Partner Center and register your applications, you will have access to
Partner Center APIs. If you are a new CPV, you will receive your sandbox information via a
Partner Center notification. Once you have completed enrollment as a Microsoft CPV and
accepted the CPV agreement, you can:
3. View and manage your users who need access to CPV capabilities. The only role a
CPV can have is Global Admin.
I am using the Partner Center SDK. Will the SDK automatically adopt the
Secure Application Model?
No, you will need to follow the guidelines provided in the Secure Application Model guide.
Can I generate a refresh token for the secure application model with
accounts that do not have MFA enabled?
Yes, a refresh token can be generated using an account that does not have MFA enforced.
However, this should not be done because any token generated using an account that does
not have MFA enabled will not be able to access resources due to the requirement for MFA.
As a CPV, can I leverage the app-only authentication style to get access
tokens?
No, Control Panel Vendor partners cannot use the app-only authentication style to request
access tokens on behalf of a partner. They should implement the Secure Application Model,
which uses the app + user authentication style.
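The two answers above (refresh tokens from non-MFA accounts, and app + user rather than app-only authentication) can be illustrated in code. The following is an added example, not part of this document or of any Microsoft SDK: it builds the app + user (grant_type=refresh_token) token request for the Partner Center API resource, and checks a returned token's amr claim for "mfa" so that automation can detect a token minted from an account without MFA before calling the API. The tenant, app and secret values are placeholders, the sample tokens are constructed, and the check assumes the token carries an amr claim as Azure AD v1.0 tokens do.

```python
import base64
import json

# Azure AD v1.0 token endpoint and the Partner Center API resource identifier.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"
PARTNER_CENTER_RESOURCE = "https://api.partnercenter.microsoft.com"


def build_refresh_request(tenant_id, client_id, client_secret, refresh_token):
    """Return (url, form_body) for exchanging a stored refresh token for an
    access token. grant_type=refresh_token is the app + user flow required by
    the Secure Application Model; client_credentials (app-only) is not used."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "resource": PARTNER_CENTER_RESOURCE,
    }
    return url, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_was_mfa_authenticated(access_token):
    """Inspect the JWT payload's 'amr' claim; 'mfa' means the user completed
    multi-factor authentication. This is a local sanity check only: the
    signature is validated by the resource, not here."""
    _header, payload, _signature = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return "mfa" in claims.get("amr", [])


def _make_unsigned_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"


# Constructed samples: one from an MFA-verified session, one from password only.
MFA_TOKEN = _make_unsigned_jwt({"aud": PARTNER_CENTER_RESOURCE, "amr": ["pwd", "mfa"]})
PASSWORD_ONLY_TOKEN = _make_unsigned_jwt({"aud": PARTNER_CENTER_RESOURCE, "amr": ["pwd"]})

if __name__ == "__main__":
    url, body = build_refresh_request("<partner-tenant-id>", "<app-id>", "<app-secret>", "<refresh-token>")
    print(url, body["grant_type"])
    print(token_was_mfa_authenticated(MFA_TOKEN), token_was_mfa_authenticated(PASSWORD_ONLY_TOKEN))
```

A token whose amr claim lacks "mfa" is the case the answer above warns about: it may be issued, but the resource will reject it once MFA is required.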