July 3, 2019

Microsoft Makes MFA Mandatory for Resellers

"We are enforcing multi-factor authentication for all users in the partner tenants and adopting secure application model for their API integration with Microsoft"

By CBR Staff Writer

Microsoft has confirmed that it will introduce mandatory Multi-Factor Authentication (MFA) for its Cloud Solution Provider (CSP) programme and other partners.

A Microsoft spokesperson told Computer Business Review that: “We are introducing new mandatory security requirements for the partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors, and Advisor partners.”

“This includes enforcing multi-factor authentication for all users in the partner tenants and adopting secure application model for their API integration with Microsoft.”

Microsoft expects the policy change will be rolled out over the coming months. They say that they have informed partners of the changes and will begin enforcement soon.


CSPs are licence partners and resellers who help organisations set up and operate their Office 365 and Azure accounts, among other Microsoft services.

Typically, when companies buy licenses from partners who are reselling Microsoft products, those partners are granted administrative privileges, as these are required to set up the company’s administrator accounts.

The resulting risk: if an admin account at the CSP is compromised and no additional security layer such as MFA is in place, a threat actor may gain full access to all of the company’s data files and communications.


Microsoft Multi-Factor Authentication Follows Others

Multi-factor authentication, or two-factor authentication (2FA), is increasingly being made mandatory by organisations as they try to counteract the prevalence of phishing attacks and automated bot networks orchestrating credential stuffing attacks.

The use of MFA is highly recommended by organisations including the National Cyber Security Centre (NCSC), which notes: “The bad guys have got really good at compromising passwords and they have a lot of tools at their disposal.”

“Using a separate password for every service protects you against some of these, but not all, and it’s impossible for someone to do this across all their passwords without help of some kind. Multi-factor authentication (MFA), on the other hand, buys a lot of additional security for relatively little pain, and this is always going to be a good thing.”

Microsoft Multi-Factor Authentication

In 2017 Google pushed all of its employees to use 2FA security methods and issued nearly all of its employees with USB-based 2FA keys. These keys replaced one-time codes and password security as the norm at Google. These security measures appear to have been highly successful as Google stated last year that none of its employees, numbering above 85,000 at the time, had fallen victim to a phishing attack.

Arnar Birgisson, Software Engineer, and Christiaan Brand, Product Manager, commented in a security blog that: “At Google, we automatically block the overwhelming majority of malicious sign-in attempts (even if an attacker has your username or password), but an additional layer of protection can be helpful.”

“While any form of 2SV, like SMS text message codes and push notifications, improves the security of your account, sophisticated attackers can skirt around them by targeting you with a fake sign-in page to steal your credentials.”

