New Security Requirements for the Cloud Solution Provider (CSP) program
Frequently Asked Questions (FAQ)

The information provided in this document is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Table of Contents

1 Introduction
  1.1 Why is Microsoft implementing these new requirements?
  1.2 Our company already applied industry best practices to keep our system secure. Why should I implement these requirements?
  1.3 What will happen if I do not take any actions?
  1.4 How do I join the Partner Center security guidance Yammer?
2 Secure Application Model FAQs
  2.1 What is the new secure application model?
  2.2 What actions do I need to take to implement a secure applications model?
  2.3 When do I need to implement a secure applications model?
  2.4 Who is a control panel vendor (CPV)?
  2.5 How do I know if my control panel vendor (CPV) is working on implementing the solution or not?
3 Multi-Factor Authentication (MFA) FAQs
  3.1 What is Multi-Factor Authentication (MFA)?
  3.2 What actions do I need to take to implement a multi-factor authentication (MFA) solution?
  3.3 When do I need to implement a Multi-Factor Authentication (MFA) solution?
  3.4 I use multiple tenants to transact, do I need to implement a Multi-Factor Authentication (MFA) solution on them all?
  3.5 If my company transacts through the CSP program in multiple countries, how will implementing a Multi-Factor Authentication (MFA) solution work?
  3.6 I am a Direct Bill partner with Microsoft. Do I still have to do this?
  3.7 I am an Indirect Reseller and only transact through a distributor. Do I still have to do this?
  3.8 Should I use or purchase Microsoft Azure Active Directory (AAD) premium?
  3.9 Which vendors provide Multi-Factor Authentication (MFA) solutions compatible with Microsoft Azure Active Directory (AAD)?
  3.10 I already have implemented a Multi-Factor Authentication (MFA) solution in our environment, what should I do?

1 Introduction

Cybersecurity is the central challenge of our digital age. Microsoft is committed to providing a trusted set of cloud services and platforms. We invest heavily in our technology, people, and processes to help ensure that customers' as well as partners' data is private and protected from unauthorized access, both internally and externally.

1.1 Why is Microsoft implementing these new requirements?

Microsoft is committed to providing a trusted set of cloud services and platforms. We have noticed an increasing number of security breaches and fraud incidents in the industry. As our Cloud Solution Provider program ecosystem grows, we are extending our security best practices to our partner ecosystem, and introducing new mandatory security requirements that help protect our partners in the CSP program ecosystem as well as customers from unexpected security risks and financial damages caused by unauthorized access.

The new mandatory security requirements include:

1. Enabling a new secure application model to integrate with Partner Center APIs. Effective date starts December 11, 2018.
2. Adopting and enabling Multi-Factor Authentication (MFA) to access Partner Center API and Partner Center Dashboard. Enforcement date begins February 4, 2019.

Enabling a new security model will allow partners transacting in the CSP program to activate more secure access to Partner Center APIs with enhanced identity protection features. This secure application model helps partners to further secure credentials and reduce the potential financial and branding damages caused by unauthorized access.

These requirements empower all parties, including partners in the CSP program as well as control panel vendors (CPV), to protect their infrastructure as well as customer data from unauthorized access and unintended security risks such as identity theft or other fraud incidents.

1.2 Our company already applied industry best practices to keep our system secure. Why should I implement these requirements?

CSP partners must meet these requirements before the effective dates. Microsoft is committed to providing a trusted set of cloud services and platforms. As our Cloud Solution Provider (CSP) program grows, we are extending our security best practices and features available on Microsoft Partner Center to our partner ecosystem.

1.3 What will happen if I do not take any actions?

Failure to implement these changes may impact a partner's ability to transact through the Cloud Solution Provider (CSP) program via Partner Center API and Partner Center Dashboard.

1.4 How do I join the Partner Center security guidance Yammer?

A Partner Center security guidance Yammer group is available for discussion on the technical requirements of these new security requirements. To join, users must follow the steps below:

1. Join the open network.
2. Join either the CSP Yammer Partner Community (for direct bill partners) or the CSP Indirect Partner Group (for indirect partners).
3. Request to join the Partner Center security guidance Yammer group.

2 Secure Application Model FAQs

2.1 What is the new secure application model?

Microsoft is introducing a secure, scalable framework for authenticating Cloud Solution Provider (CSP) partners and control panel vendors (CPV) through the Microsoft Azure multi-factor authentication (MFA) architecture. CSP partners and CPVs can rely on the new secure application model to elevate security for Partner Center API integration. Further detail is available within the secure application model guide.

2.2 What actions do I need to take to implement a secure applications model?

Cloud Solution Provider (CSP) partners and control panel vendors (CPV) need to apply the new secure application model before the effective date, December 11, 2018. The following actions are required:

Partner scenario: Partners using Partner Center APIs directly
Actions required:
• (Indirect providers or direct bill partners) Start implementing this requirement immediately. Refer to the Partner Center: secure applications model guide.

Partner scenario: Control panel vendors (CPV) integrating with Partner Center APIs
Actions required:
• On-board to Partner Center as a control panel vendor. On-boarding tooling and process will be ready by early December. More information to come.
  o Start implementing this requirement immediately. Refer to the Partner Center: secure applications model guide.
  o Accept and manage CSP partners' consent instead of credentials
  o Purge all existing CSP partners' credentials

Partner scenario: Partners using control panel vendor solutions
Actions required:
• Consult with your control panel providers to adopt the new secure application model.

2.3 When do I need to implement a secure applications model?

Partners must complete this action by the effective date, December 11, 2018.

2.4 Who is a control panel vendor (CPV)?

A Control Panel vendor is an independent software vendor that develops apps for use by CSP Partners to integrate with Partner Center APIs. A Control Panel vendor is not a CSP Partner with direct access to Partner Center dashboard or APIs.
A detailed description is available within the Partner Center: secure application model guide.

2.5 How do I know if my control panel vendor (CPV) is working on implementing the solution or not?

For partners using a control panel vendor (CPV) solution to transact in the Cloud Solution Provider (CSP) program, it is your responsibility to consult with your CPV to meet this requirement.

3 Multi-Factor Authentication (MFA) FAQs

3.1 What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (MFA) is a security mechanism in which individuals are authenticated through more than one required security and validation procedure. It works by requiring two or more of the following authentication methods:

• Something you know (typically a password)
• Something you have (a trusted device that is not easily duplicated, like a phone)
• Something you are (biometrics)

3.2 What actions do I need to take to implement a multi-factor authentication (MFA) solution?

Cloud Solution Provider (CSP) partners and control panel vendors (CPV) need to adopt a Multi-Factor Authentication (MFA) solution before the effective date, February 4, 2019. The MFA solution must be compatible with Azure Active Directory (AAD). The following actions are required:

Partner scenario: Partners using Partner Center APIs or Dashboard
Actions required:
• Implement an MFA solution to access Partner Center APIs or Dashboard

Partner scenario: Control panel vendors (CPV) integrating with Partner Center APIs
Actions required:
• Implement an MFA solution to access Partner Center APIs or Sandbox Dashboard

Partner scenario: Partners using control panel vendor solutions
Actions required:
• Implement an MFA solution to access Partner Center APIs or Dashboard (Indirect providers, direct bill partners or resellers)

3.3 When do I need to implement a Multi-Factor Authentication (MFA) solution?

Partners must complete this action by the effective date, February 4, 2019.

3.4 I use multiple tenants to transact, do I need to implement a Multi-Factor Authentication (MFA) solution on them all?

Yes. A Multi-Factor Authentication (MFA) solution must be implemented on all active Cloud Solution Provider (CSP) tenants a partner uses.

3.5 If my company transacts through the CSP program in multiple countries, how will implementing a Multi-Factor Authentication (MFA) solution work?

A Multi-Factor Authentication (MFA) solution must be implemented on all active Cloud Solution Provider (CSP) tenants a partner uses.

3.6 I am a Direct Bill partner with Microsoft. Do I still have to do this?

Yes. Direct Bill Cloud Solution Provider (CSP) partners need to implement a Multi-Factor Authentication (MFA) solution before the effective date, February 4, 2019.

3.7 I am an Indirect Reseller and only transact through a distributor. Do I still have to do this?

For Cloud Solution Provider (CSP) partners transacting through a distributor, the distributor is responsible for implementing a Multi-Factor Authentication (MFA) solution. All partners who access Partner Center Dashboard themselves must implement an MFA solution.

3.8 Should I use or purchase Microsoft Azure Active Directory (AAD) premium?

Microsoft allows you to choose among the various Multi-Factor Authentication (MFA) solutions available on the market to best fit your business needs. Partners can choose any MFA solution that is compatible with Azure Active Directory (AAD). Microsoft Azure Active Directory (AAD) premium is one of several options available which provide advanced Multi-Factor Authentication (MFA) capabilities.

3.9 Which vendors provide Multi-Factor Authentication (MFA) solutions compatible with Microsoft Azure Active Directory (AAD)?

There are many independent reviews of MFA solutions online, such as Gartner.
When reviewing MFA vendors and solutions, partners must ensure the solution they choose is compatible with Azure Active Directory (AAD).

3.10 I already have implemented a Multi-Factor Authentication (MFA) solution in our environment, what should I do?

Partners should check that their Multi-Factor Authentication (MFA) solution is supported by Microsoft Azure Active Directory (AAD).