Forum Discussion
Greg-Mega
May 21, 2025, Copper Contributor
Requirement: Users with administrative roles in the customer tenants must use MFA
I have 4 customers who are showing as not meeting this requirement, I know one of the 4 that we're working with the customer to resolve but the other 3 I cannot for the life of me locate. The majority of our customers we are the sole admin so they are easy but when I click on Insights I get:
- No. of Admins with MFA enabled.
- No of Users With MFA Enabled.
- No of Users (this appears to include blocked/disabled and maybe guests?)
I can't actually tell which tenant has an Admin with MFA not enabled from this data if they have more than one user with a privileged role. So I created a spreadsheet and went through each tenant, and within Entra I looked at their Identity Security Score, and one of the requirements within their score is:
Ensure multifactor authentication is enabled for all users in administrative roles
And besides the one customer I know of who has an 8/10 score, all my other customers have a 10/10 score.
I've gone through each customer that I am aware of that could have more than one user with an admin role and any that were transferred to us from another CSP and looked at the Role assignments in Entra and I just cannot locate these remaining 3.
I'm stuck at an overall Security Score of 71.43% because I can't get any of the 20 points for this requirement until it's 100% complete.
What we really need is an additional column in the Insights, "No. of Admins", so we can at least identify the offending clients, as without GDAP access to the customer I would not be able to look at any of the role assignments or the tenant Identity Security Score, and would not even be aware of who is bringing me undone with the information provided.
I'm going to go through ALL customers again for the third time looking at role assignments for any that might have been missed on the first 2 passes I did. I might even get someone other than me to do it with fresh eyes, but it's pretty easy to locate as you can sort by the No. of Users assigned to the role, so I can't see how I've missed it.
We really just need the tools to manage and audit ourselves, e.g. that extra column would make this a < 5 minute job to audit ourselves against this requirement. I also do believe this requirement is an important one; I'm not against it, it just needs to be manageable/maintainable.
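The per-tenant "No. of Admins / admins without MFA" view asked for above can be built with Microsoft Graph PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules are installed, that the signed-in partner account has GDAP access to each customer tenant with a role permitted to read authentication-method reports, and that `$customerTenantIds` is replaced with your own tenant IDs.

```powershell
# Added example: per-customer-tenant audit of admin-role users and their MFA registration.
# Assumptions: Microsoft.Graph.Authentication + Microsoft.Graph.Reports installed,
# GDAP access to each customer tenant, and $customerTenantIds filled in by you.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Reports

$customerTenantIds = @(
    '00000000-0000-0000-0000-000000000000'   # placeholder: replace with customer tenant IDs
)

function Get-AdminMfaSummary {
    param([Parameter(Mandatory)][string]$TenantId)

    # Sign in to the customer tenant. Reading userRegistrationDetails requires
    # the AuditLog.Read.All delegated permission.
    Connect-MgGraph -TenantId $TenantId -Scopes 'AuditLog.Read.All' -NoWelcome | Out-Null

    # userRegistrationDetails flags users holding a privileged directory role (IsAdmin)
    # and whether they have registered an MFA method (IsMfaRegistered).
    # Filtering client-side keeps the call simple and avoids relying on server-side $filter support.
    $all    = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
    $admins = @($all | Where-Object { $_.IsAdmin })
    $noMfa  = @($admins | Where-Object { -not $_.IsMfaRegistered })

    [pscustomobject]@{
        TenantId         = $TenantId
        AdminCount       = $admins.Count
        AdminsWithoutMfa = $noMfa.Count
        OffendingUpns    = ($noMfa.UserPrincipalName -join '; ')
    }
}

$report = foreach ($id in $customerTenantIds) {
    try {
        Get-AdminMfaSummary -TenantId $id
    } catch {
        # Tenants you cannot reach (no GDAP, consent missing) are reported, not silently skipped.
        [pscustomobject]@{ TenantId = $id; AdminCount = $null; AdminsWithoutMfa = $null
                           OffendingUpns = "ERROR: $($_.Exception.Message)" }
    } finally {
        Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
    }
}

# Non-compliant tenants surface first; the CSV is the "extra column" for a monthly/quarterly scan.
$report | Sort-Object AdminsWithoutMfa -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\admin-mfa-audit.csv -NoTypeInformation
```

IsMfaRegistered reports registration, not enforcement, so an admin excluded from every Conditional Access policy will still show as registered; Conditional Access coverage has to be checked separately.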
- JillArmourMicrosoft, Community Manager
Response from the team: :)
How do I achieve a passing security score?
To achieve a passing security score, partners must complete the following mandatory security requirements:
- Enable MFA for all administrative roles (on the partner CSP tenant)
- Add a Security contact
- Respond to security alerts within 24 hours or less (applies to direct bill and distributor only)
Is achieving an 80% secure score required to maintain CSP authorization?
No, achieving an 80% secure score is not required. However, partners must meet all mandatory security requirements to maintain their CSP authorization. These include:
- Enable MFA for all administrative roles (on the partner CSP tenant)
- Add a Security contact
- Respond to security alerts within 24 hours or less (applies to direct bill and distributor only)
- Greg-Mega, Copper Contributor
This has changed: my old copy of the CSP Authorizations One Pager that I just found says > 80; now it doesn't.
This is a screenshot i sent via email to staff from the original.
- Greg-Mega, Copper Contributor
This has changed, the CSP Authorizations One Pager had "> 80" on it and now it doesn't.
- JillArmourMicrosoft, Community Manager
I am going to forward this to the team and see if they have any resources to share with you. -jill
- Greg-Mega, Copper Contributor
Painfully, I have my problem solved for now but really these "Insights" are near useless, really need to see some improvements so they are actually even worth having.
- Juval, Copper Contributor
Did you, Greg, just manually go through all the clients as you said and tick a box in Excel once that customer was reviewed? Or how did you end up going about this?
- Juval, Copper Contributor
Hi,
Really interested in what the guidelines are here from MS. I think the issue exists for direct bill partners too, if I understood correctly.
- namlovely201180, Copper Contributor
This requirement is absolutely insane. I'd really love to see how Microsoft expects us to hit 80 points on the Security score under these conditions. Topic: "Enable multifactor authentication for admin roles in the customer tenants". I have over 13,227 customers, and 5,994 of them haven’t enabled MFA. As a distributor, I have zero authority to force end-customers to turn on MFA. Telling us to get them to enable it — how the hell are we supposed to do that? How exactly do you plan to solve this mess?
- Greg-Mega, Copper Contributor
What a nightmare, not that they/we have to be compliant but that the "Insights" are near useless.
I had to use a spreadsheet to audit each client to work out what was going on amongst a couple hundred clients to find those 4 admins, and in one case it was an exclusion in a conditional access policy and not getting caught by another policy (so no policy was applying). I think it took about 4 hours to find these 4 admins amongst all my clients.
If it would list No of Admins (Total or Without MFA enabled) so I could do a 1 minute scan of all my clients, I would do this monthly or at least quarterly, not just to stay on top of it but because it's better practice to ensure compliance all the time, not just once a year in your anniversary month. This would also be great when you don't have Global Admin or GDAP access to audit role assignments and users.
I'm really hoping there are improvements here...