All indirect resellers enrolled in the CSP program are required to activate MFA for every user in the partner tenant. Activation is done by enabling two baseline policies, one for admins and one for end-user protection, as described below.
There are a few things to note before enabling the baseline policies:
- Legacy authentication protocols do not support multi-factor authentication. Therefore, you will need to block legacy authentication first, which is part of the baseline policy. If you have users or applications that are still using legacy authentication, you will need to move them from legacy to modern authentication. More details can be found here.
- Enrolment in MFA must be completed within 14 days. All users are required to enrol in MFA via the Authenticator app within 14 days of accessing an application after the baseline policy is enabled.
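To find the users and applications that still rely on legacy authentication before it is blocked, you can inventory a sign-in log export. The script below is an added example, not material from Microsoft or the CSP program: it assumes a JSON export whose records carry `userPrincipalName` and `clientAppUsed` fields, treats only the two client app values listed in `MODERN_CLIENTS` as modern authentication, and runs on constructed sample records.

```python
import json
from collections import defaultdict

# Assumption: these two clientAppUsed values denote modern authentication;
# any other value is counted as legacy.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "Bob@contoso.example", "clientAppUsed": "POP3"},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userPrincipalName": "dave@contoso.example", "clientAppUsed": ""},
])


def legacy_auth_inventory(export_json):
    """Return {user: {client_app: sign_in_count}} for non-modern sign-ins."""
    inventory = defaultdict(lambda: defaultdict(int))
    for record in json.loads(export_json):
        user = (record.get("userPrincipalName") or "unknown").strip().lower()
        client = (record.get("clientAppUsed") or "").strip()
        if client in MODERN_CLIENTS:
            continue
        # An empty client app cannot be classified, so keep it for manual review.
        inventory[user][client or "unspecified"] += 1
    return {user: dict(clients) for user, clients in inventory.items()}


def users_to_migrate(inventory):
    """Accounts ordered by number of legacy sign-ins, busiest first."""
    return sorted(inventory, key=lambda u: (-sum(inventory[u].values()), u))


if __name__ == "__main__":
    found = legacy_auth_inventory(SAMPLE_EXPORT)
    for user in users_to_migrate(found):
        for client, count in sorted(found[user].items()):
            print(f"{user}\t{client}\t{count}")
```

Accounts that appear in the output, including service accounts such as the constructed `scanner` mailbox, are the ones to move to modern authentication before the baseline policy blocks them.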
Once you are ready, you can follow the links below to enable the baseline policies for admins and end users. The baseline policies are available to all partners free of charge; the only action required is to activate them on the tenant from the Conditional Access tab in the Azure portal or admin center.
- MFA for admins: To secure the identities of admins in privileged roles, a baseline policy needs to be activated for admins, which results in these users being prompted with a second-factor challenge each time they sign in. More details can be found here.
- MFA for end users: The security requirement is not limited to admins but extends to end users, because these users can also be potential targets. The end user will be challenged for the second factor only when a sign-in risk is detected. More details can be found here.
For more details on how to set up MFA, please refer to https://www.microsoft.com/en-us/microsoft-365/blog/2014/02/10/multi-factor-authentication-for-office-365/.
You can also download the rollout materials for Multi-factor authentication from Microsoft here.