Forum Discussion
Requirement: Users with administrative roles in the customer tenants must use MFA
- Jun 04, 2025
Response from the team: :)
How do I achieve a passing security score?
To achieve a passing security score, partners must complete the following mandatory security requirements:
- Enable MFA for all administrative roles (on the partner CSP tenant)
- Add a Security contact
- Respond to security alerts within 24 hours or less (applies to direct bill and distributor only)
Is achieving an 80% secure score required to maintain CSP authorization?
No, achieving an 80% secure score is not required. However, partners must meet all mandatory security requirements to maintain their CSP authorization. These include:
- Enable MFA for all administrative roles (on the partner CSP tenant)
- Add a Security contact
- Respond to security alerts within 24 hours or less (applies to direct bill and distributor only)
I am going to forward this to the team and see if they have any resources to share with you. -jill
Painfully, I have my problem solved for now but really these "Insights" are near useless, really need to see some improvements so they are actually even worth having.
- Juval, Jun 04, 2025, Brass Contributor
Did you, Greg, just manually go through all the clients as you said and tick a box on Excel once that customer was reviewed? Or how did you end up going about this?
- Greg-Mega, Jun 04, 2025, Copper Contributor
Yep! I had a spreadsheet with
- Client Name
- Security Defaults Enabled (Y\N)
- Conditional Access Enabled (Y\N)
- No of Actual Admins (determined by going through the role assignments in Entra ID)
- No of Admins with MFA (From Partner Portal)
- Tenant Identity Score value for "Admins with MFA Enabled" as a checksum, which can be delayed 48 hours.
Where I was stuck was I had clients with Conditional Access policies that excluded users; the fix was to create a secondary Conditional Access Policy to include that user but bypass MFA for other reasons (trusted sites in my case), as the client had a SharePoint\Teams Administrator bypassing MFA because they used Power Automate Desktop and there was a bug with MFA with it deauthorizing them. If you land in this potential situation, use the "What If" Policy Test tool to ensure the user is being caught by a conditional access policy.
I found that in my testing Security Defaults and Conditional Access itself being enabled isn't looked at; Legacy MFA enforcement was OK. The MFA just needed to be enforced somehow, be it with Security Defaults, Conditional Access or Legacy MFA for the Admin user, not that you should use Legacy MFA as it's being retired very soon.
It was very time consuming, a lot of time spent on my laptop on the couch at night going through this.
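
Added example (not part of any post in this thread, and not Microsoft's evaluation logic): a simplified offline check for the gap described above, where an admin excluded from a Conditional Access policy ends up with no enforced MFA policy until a second policy includes them. It assumes policies exported in the Microsoft Graph conditionalAccessPolicy shape and looks only at user/role scope and location exclusions; the role names, user ids and policies are constructed placeholders, and the "What If" tool remains the authoritative check.

```python
# Added example: simplified offline check over exported Conditional Access policies.
# Role names, user ids and policies below are constructed sample data.

def requires_mfa(policy):
    """Enforced (not report-only) policy whose grant controls include MFA."""
    grant = policy.get("grantControls") or {}
    return policy.get("state") == "enabled" and "mfa" in grant.get("builtInControls", [])

def covers(policy, admin):
    """User scope only: included by user id, 'All' or role, and not excluded."""
    u = policy["conditions"]["users"]
    roles = set(admin["roles"])
    included = ("All" in u.get("includeUsers", []) or admin["id"] in u.get("includeUsers", [])
                or bool(roles & set(u.get("includeRoles", []))))
    excluded = (admin["id"] in u.get("excludeUsers", [])
                or bool(roles & set(u.get("excludeRoles", []))))
    return included and not excluded

def location_bypass(policy):
    # True if the policy skips some locations (for example "AllTrusted").
    return bool((policy["conditions"].get("locations") or {}).get("excludeLocations"))

def audit_admins(admins, policies):
    """Map each admin UPN to the strongest MFA coverage found for it."""
    report = {}
    for a in admins:
        hits = [p for p in policies if requires_mfa(p) and covers(p, a)]
        report[a["upn"]] = ("NO_MFA_POLICY" if not hits else
                            "MFA_EXCEPT_EXCLUDED_LOCATIONS" if all(location_bypass(p) for p in hits)
                            else "MFA_ENFORCED")
    return report

def _policy(name, state, users, locations=None):
    return {"displayName": name, "state": state,
            "conditions": {"users": users, "locations": locations},
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

ADMINS = [{"id": i, "upn": f"{n}@client.example", "roles": [r]} for i, n, r in
          [("u1", "alice", "global-admin"), ("u2", "pad", "sharepoint-admin"),
           ("u3", "help", "helpdesk-admin")]]  # constructed
POLICIES = [  # constructed: first policy excludes u2, second is report-only
    _policy("MFA for admins", "enabled",
            {"includeRoles": ["global-admin", "sharepoint-admin"], "excludeUsers": ["u2"]}),
    _policy("Report-only MFA", "enabledForReportingButNotEnforced", {"includeUsers": ["All"]}),
]
SECOND_POLICY = _policy("MFA outside trusted sites", "enabled", {"includeUsers": ["u2"]},
                        {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]})

if __name__ == "__main__":
    for upn, status in audit_admins(ADMINS, POLICIES + [SECOND_POLICY]).items():
        print(f"{status:30} {upn}")
```

The check ignores group membership, target applications and other conditions, so a "NO_MFA_POLICY" result is a prompt to review that admin, not a verdict; Security Defaults or legacy per-user MFA may still be enforcing MFA for them.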