CSP security best practices

All partners in the Cloud Solution Provider (CSP) program accessing Partner Center and Partner Center APIs should follow the security guidance in this article to protect themselves and customers.

For customer security, see Customer security best practices.

Important

Azure Active Directory (Azure AD) Graph is deprecated as of June 30, 2023. Going forward, we're making no further investments in Azure AD Graph. Azure AD Graph APIs have no SLA or maintenance commitment beyond security-related fixes. Investments in new features and functionalities will only be made in Microsoft Graph.

We'll retire Azure AD Graph in incremental steps so that you have sufficient time to migrate your applications to Microsoft Graph APIs. At a later date that we will announce, we will block the creation of any new applications using Azure AD Graph.

To learn more, see Important: Azure AD Graph Retirement and Powershell Module Deprecation.

Identity best practices

Require multifactor authentication

  • Ensure that all users in your Partner Center tenants and your customer tenants are registered for and require multifactor authentication (MFA). There are various ways to configure MFA. Choose the method that applies to the tenant you're configuring:
    • My Partner Center/Customer's tenant has Microsoft Entra ID P1
    • My Partner Center/Customer's tenant has Microsoft Entra ID P2
  • Ensure that the MFA method used is phishing-resistant. You can do so by using passwordless authentication or number matching.
  • If a customer refuses to use MFA, don't provide them either any administrator role access to Microsoft Entra ID, or write permissions to Azure Subscriptions.

App access

Least privilege / No standing access

  • Users who have Microsoft Entra administrative roles such as Global admin or Security admin shouldn't regularly use those accounts for email and collaboration. Create a separate user account with no Microsoft Entra administrative roles for collaboration tasks.
  • Review the Admin agent group and remove people who don't need access.
  • Regularly review administrative role access in Microsoft Entra ID, and limit access to as few accounts as possible. For more information, see Microsoft Entra built-in roles.
  • Users who leave the company or change roles within the company should be removed from Partner Center access.
  • If you have Microsoft Entra ID P2, use Privileged Identity Management (PIM) to enforce just-in-time (JIT) access. Use dual custody to review and approve access for Microsoft Entra administrator roles and Partner Center roles.
  • For securing privileged roles, see Securing privileged access overview.
  • Regularly review access to customer environments.

Identity isolation

  • Avoid hosting your Partner Center instance in the same Microsoft Entra tenant that hosts your internal IT services, such as email and collaboration tools.
  • Use separate, dedicated user accounts for Partner Center privileged users who have customer access.
  • Avoid creating user accounts in customer Microsoft Entra tenants intended to be used by partners to administer the customer tenant and related apps and services.

Devices best practices

  • Only allow Partner Center and customer tenant access from registered, healthy workstations that have managed security baselines and are monitored for security risks.
  • For Partner Center users with privileged access to customer environments, consider requiring dedicated workstations (virtual or physical) for those users to access customer environments. For more information, see Securing privileged access.

Monitoring best practices

Partner Center APIs

  • All Control Panel vendors should Enable the secure application model and turn on logging for every user activity.
  • Control Panel vendors should enable auditing of every partner agent logging into the application and all actions taken.

Sign-in monitoring and auditing

  • Partners with a Microsoft Entra ID P2 license automatically qualify to keep audit and sign-in log data up to 30 days.

    Confirm that:

    • Audit logging is in place where delegated administrator accounts are used.
    • Logs are capturing the maximum level of details provided by the service.
    • Logs are retained for an acceptable period (up to 30 days) that allows for detection of anomalous activity.

    Detailed audit logging might require purchasing more services. For more information, see How long does Microsoft Entra ID store reporting data?

  • Regularly review and verify password recovery email addresses and phone numbers within Microsoft Entra ID for all users with the Global admin roles, and update if necessary.

    • If a customer’s tenant is compromised: the CSP Direct Bill Partner, the Indirect Provider, or your Indirect Reseller can't contact support requesting an Administrator password change in the customer’s tenant. The Customer must call Microsoft support by following the instructions in the topic Reset my admin password. The Reset my admin password topic has link that customers can use to call Microsoft Support. Instruct the Customer to mention that the CSP no longer has access to their tenant to assist with resetting the password. The CSP should consider suspending the customer's subscriptions until access is regained and the offending parties are removed.
  • Implement audit logging best practices and perform routine review of activity performed by delegated administrator accounts.

  • Partners should review the risky users report within their environment and address the accounts that are detected to present risk according to published guidance.