Cybersecurity continues to be one of the top challenges of our digital age. We frequently see media reports on security incidents across all industries and around the globe, with more sophisticated attack techniques, such as supply chain attacks, phishing, and others continuing to evolve. The impact of a security incident on an organization averages several million dollars, and more serious events can cost hundreds of millions of dollars.
Microsoft is committed to providing trusted cloud services and platforms. Prevention is truly the best defense, and we’re only as strong as our weakest link. That’s why we’re introducing new mandatory security requirements for all partners participating in the Cloud Solution Provider program who use Microsoft commercial cloud services to transact. Partners like you are required to take action and make sure you have appropriate security protections in place.
If you’re a partner participating in the Cloud Solution Provider program, a Control Panel Vendor, or an Advisor partner, we recommend you take these actions now:
1. Enforce multi-factor authentication for all users in your tenants.
All users in your tenants must use multi-factor authentication when signing in to Microsoft commercial cloud services or to transact in the Cloud Solution Provider program through Partner Center or via APIs. Baseline protection policies that include multi-factor authentication are available at no cost for all the users in your tenants.
2. Adopt the Secure Application Model framework.
If you’re integrating with a Microsoft API, such as Azure Resource Manager, Microsoft Graph, or the Partner Center API, you must adopt the Secure Application Model framework to avoid any disruption to your integration when the baseline policies are enabled.
If you transact in the Cloud Solution Provider program, enabling the Secure Application Model framework will give you more secure access to Partner Center APIs with enhanced identity-protection features. The model can also help you further secure credentials and reduce the financial and branding damages potentially caused by unauthorized access.
The terms associated with these new requirements were added to the Cloud Solution Provider Program Guide and will go into effect August 1, 2019, at which time you’ll be contractually obligated to follow the new standards.
If you don’t meet the new requirements, your future ability to transact in the Cloud Solution Provider program or manage customer tenants through delegate admin rights will be affected once the requirements are technically enforced. We’re working on establishing an enforcement date and will notify you as soon as we do.
We appreciate our partners who’ve implemented the new requirements. If you haven’t yet, please start immediately. These resources can help:
- Partner security requirements implementation step-by-step guide
- Partner security requirements frequently asked questions
- Partner Center Security Guidance community group
- Office hours with technical experts
- Partner security requirements resources gallery
Thank you for your partnership and commitment to ensuring our ecosystem runs on trust.