Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers

%3CLINGO-SUB%20id%3D%22lingo-sub-774250%22%20slang%3D%22en-US%22%3EMicrosoft%20to%20Require%20Multi-Factor%20Authentication%20for%20Cloud%20Solution%20Providers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-774250%22%20slang%3D%22en-US%22%3E%3CP%3EI%20just%20read%20this%20article%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fkrebsonsecurity.com%2F2019%2F06%2Fmicrosoft-to-require-multi-factor-authentication-for-cloud-solution-providers%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fkrebsonsecurity.com%2F2019%2F06%2Fmicrosoft-to-require-multi-factor-authentication-for-cloud-solution-providers%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20not%20sure%20I%20understand%20it.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20As%20a%20CSP%2C%20do%20I%20have%20to%20enable%20MFA%20for%20all%20users%20before%20August%201'st%3F%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20When%20was%20this%20new%20policy%20announced%3F%20I%20just%20read%20it%20and%20the%20article%20says%20just%20last%20month.%20How%20can%20CSP%20with%20hundreds%20of%20users%20be%20able%20to%20comply%20with%20this%20in%20just%20about%201%20month%20time%20in%20the%20middle%20of%20summer%20vacation%3F%20There%20must%20be%20something%20I%20misunderstand%20here.%20Maybe%20it's%20just%20admins%20for%20each%20tenants%3F%3C%2FP%3E%3CP%3E3.%20What%20happens%20if%20I%20miss%20the%20deadline%3F%20I%20can't%20envision%20me%20being%20able%20to%20reach%20all%20my%20clients%20in%20just%20a%20few%20days%2C%20especially%20when%20their%20on%20summer%20holiday.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20might%20be%20reading%20this%20all%20wrong%2C%20I%20hope%3B)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20is%20there%20a%20special%20forum%20for%20CSP%2C%20maybe%3F%20I%20can't%20see%20any%20label%20for%20CSP%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-774250%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-774327%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20to%20Require%20Multi-Factor%20Authentication%20for%20Cloud%20Solution%20Providers%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-774327%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F342387%22%20target%3D%22_blank%22%3E%40famadorian%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3ESupporting%20articles%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpartner-center%2Fenable-mfa%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpartner-center%2Fenable-mfa%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsocial.msdn.microsoft.com%2FForums%2Fen-US%2Fb0536220-cd80-469b-8573-bd300b50a956%2Fquestion-about-upcoming-csp-program-new-mandatory-security-requirements%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.msdn.microsoft.com%2FForums%2Fen-US%2Fb0536220-cd80-469b-8573-bd300b50a956%2Fquestion-about-upcoming-csp-program-new-mandatory-security-requirements%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3ETo%20answer%20your%20questions%3CBR%20%2F%3E%3CBR%20%2F%3E1.)%20No%2C%20you%20as%20the%20CSP%20have%20to%20enable%20MFA%20on%20your%20Partner%20Centre%20account%20which%20accesses%20your%20customers%20tenants.%20The%20customers%20do%20not%20have%20to%20do%20anything.%3CBR%20%2F%3E%3CBR%20%2F%3E2.)%20It%20was%20announced%20some%20time%20back%20-%20if%20memory%20serves%20me%20at%20the%20back%20end%20of%20last%20year.%20The%20official%20Microsoft%20supporting%20article's%20date%20is%2021st%20December%202018%20but%20it%20was%20a%20bit%20before%20this%20as%20shown%20in%20the%20second%20article%20dated%20November%202018.%20The%20original%20date%20of%20the%20enforcement%20was%20in%20February%20this%20year%20so%20it's%20already%20been%20pushed%20back%3CBR%20%2F%3E%3CBR%20%2F%3E3.)%20If%20you%20miss%20the%20deadline%20you%20will%20not%20be%20able%20to%20transact%20within%20the%20Partner%20Centre%20via%20the%20GUI%20or%20via%20API's%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20all%20came%20about%20because%20a%20well%20known%20US%20CSP%20was%20breached%20leading%20to%20the%20unauthorized%20access%20of%20customer%20tenants.%20I%20can't%20say%20for%20sure%20whether%20this%20was%20an%20isolated%20incident%20but%20was%20enough%20to%20force%20the%20change.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20CSP%20Yammer%20Community%20is%20in%20this%20Yammer%20group%3A%20%3CA%20href%3D%22https%3A%2F%2Fwww.yammer.com%2Foffice365partners%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.yammer.com%2Foffice365partners%3C%2FA%3E.%20However%2C%20it%20is%20a%20restricted%20group%20and%20you%20will%20need%20to%20apply%20on%20it%20for%20access.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20answers%20your%20questions!%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

I just read this article: 

 

https://krebsonsecurity.com/2019/06/microsoft-to-require-multi-factor-authentication-for-cloud-solut...

 

I'm not sure I understand it. 

 

1. As a CSP, do I have to enable MFA for all users before August 1'st? 

2. When was this new policy announced? I just read it and the article says just last month. How can CSP with hundreds of users be able to comply with this in just about 1 month time in the middle of summer vacation? There must be something I misunderstand here. Maybe it's just admins for each tenants?

3. What happens if I miss the deadline? I can't envision me being able to reach all my clients in just a few days, especially when their on summer holiday. 

 

I might be reading this all wrong, I hope;)

 

Also, is there a special forum for CSP, maybe? I can't see any label for CSP

1 Reply
Highlighted
Hi @famadorian

Supporting articles:
https://docs.microsoft.com/en-us/partner-center/enable-mfa
https://social.msdn.microsoft.com/Forums/en-US/b0536220-cd80-469b-8573-bd300b50a956/question-about-u...

To answer your questions

1.) No, you as the CSP have to enable MFA on your Partner Centre account which accesses your customers tenants. The customers do not have to do anything.

2.) It was announced some time back - if memory serves me at the back end of last year. The official Microsoft supporting article's date is 21st December 2018 but it was a bit before this as shown in the second article dated November 2018. The original date of the enforcement was in February this year so it's already been pushed back

3.) If you miss the deadline you will not be able to transact within the Partner Centre via the GUI or via API's

This all came about because a well known US CSP was breached leading to the unauthorized access of customer tenants. I can't say for sure whether this was an isolated incident but was enough to force the change.

The CSP Yammer Community is in this Yammer group: https://www.yammer.com/office365partners. However, it is a restricted group and you will need to apply on it for access.

Hope that answers your questions!

Best, Chris