Enable MFA when a delegated partner (CSP) accesses a customer tenant
We have enabled MFA for users in the AAD tenant associated with our CSP enrollment. MFA works properly when we access the Partner Center portal; however, MFA does not work when we directly access a customer tenant, e.g., Azure Management Portal, using our CSP tenant credentials. For example, accessing https://portal.azure.com/ using our CSP credentials invokes MFA but accessing https://portal.azure.com/<customer_tenant> using the same credentials does not.
According to Microsoft support, this is because MFA can only be triggered for users in the AAD tenant, not the partner's CSP tenant.
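The sign-in pattern the post describes (partner credentials reaching a customer tenant without an MFA challenge) is at least detectable from Azure AD sign-in logs, on either the partner or the customer side. The following is an added example, not code from this thread or from Microsoft: it assumes the sign-in log is exported as one Microsoft Graph `signIn` object per line and relies on the real `homeTenantId`, `resourceTenantId`, `crossTenantAccessType` and `authenticationRequirement` fields of that resource; the tenant ids, user names and records themselves are constructed sample data.

```python
"""Flag delegated-admin (service-provider) sign-ins into a customer tenant
that succeeded with only a single factor.

Added example, not from the thread. Record shape follows the Microsoft Graph
`signIn` resource; all ids, names and records below are constructed.
"""
from collections import Counter
import json

# Constructed id of the partner (CSP) tenant whose users we want to audit.
PARTNER_TENANT = "11111111-1111-1111-1111-111111111111"
CUSTOMER_TENANT = "22222222-2222-2222-2222-222222222222"  # constructed

# Constructed sign-in log: one JSON object per line, Graph `signIn` shape.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName": "admin@partner.example", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "11111111-1111-1111-1111-111111111111", "crossTenantAccessType": "none", "appDisplayName": "Azure Portal", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "admin@partner.example", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "22222222-2222-2222-2222-222222222222", "crossTenantAccessType": "serviceProvider", "appDisplayName": "Azure Portal", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "admin@partner.example", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "22222222-2222-2222-2222-222222222222", "crossTenantAccessType": "serviceProvider", "appDisplayName": "Azure Portal", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"userPrincipalName": "alice@customer.example", "homeTenantId": "22222222-2222-2222-2222-222222222222", "resourceTenantId": "22222222-2222-2222-2222-222222222222", "crossTenantAccessType": "none", "appDisplayName": "Azure Portal", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"userPrincipalName": "admin@partner.example", "homeTenantId": "11111111-1111-1111-1111-111111111111", "resourceTenantId": "22222222-2222-2222-2222-222222222222", "crossTenantAccessType": "serviceProvider", "appDisplayName": "Microsoft Graph PowerShell", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse a JSON-lines sign-in export into a list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_unprotected_delegated_signin(rec, partner_tenant):
    """True when a partner-tenant user reached another tenant as a service
    provider, the sign-in succeeded, and no second factor was required."""
    if rec.get("homeTenantId") != partner_tenant:
        return False  # not one of our partner-tenant identities
    if rec.get("resourceTenantId") == partner_tenant:
        return False  # sign-in to our own tenant, where MFA already applies
    if rec.get("crossTenantAccessType") != "serviceProvider":
        return False  # B2B guest access is a different trust path; out of scope here
    if rec.get("status", {}).get("errorCode", 0) != 0:
        return False  # failed attempts never reached the customer tenant
    return rec.get("authenticationRequirement") != "multiFactorAuthentication"


def find_unprotected_delegated_signins(records, partner_tenant=PARTNER_TENANT):
    """Return every record that matches the unprotected delegated-access pattern."""
    return [r for r in records if is_unprotected_delegated_signin(r, partner_tenant)]


def count_by_customer_tenant(findings):
    """Count findings per customer tenant so the noisiest targets surface first."""
    return Counter(r["resourceTenantId"] for r in findings)


if __name__ == "__main__":
    hits = find_unprotected_delegated_signins(parse_signins(SAMPLE_SIGNIN_LOG))
    for h in hits:
        print(f"{h['userPrincipalName']} -> {h['resourceTenantId']} via {h['appDisplayName']}: "
              f"{h['authenticationRequirement']}")
    print(dict(count_by_customer_tenant(hits)))
```

On the constructed data only the second record is flagged: the home-tenant sign-in carried MFA, the failed attempt never got in, the customer's own user is not a partner identity, and the PowerShell session was MFA-protected. Feeding a real export through the same filter gives a customer a concrete list of delegated sessions that bypassed their MFA expectations, which is the evidence needed to push for the fix or the workaround the thread discusses.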
Mats Gustafsson commented
This flaw also completely breaks the new CSP partner security requirements.
We are required to protect our accounts and also all guest accounts in our tenant when accessing services in the Microsoft commercial cloud. If this is not addressed, all measures we take to protect our tenant are in vain. Here is a backdoor into our client tenants that needs to be fixed.
Olav Rønnestad Birkeland commented
This is a serious design flaw. Not only can you access a customer tenant using Tenant ID and *.onmicrosoft.com address. You can also use ANY custom domain the customer might have tied to their Azure Tenant.
If someone hacks my CSP Admin username and password, he essentially has access to over a hundred tenants as Global Admin in Azure AD, and Owner on all subscriptions we provide them.
Jeff G's workaround only secures the Azure portal. What about Graph, Office 365, PowerShell modules and more? There's a gaping security hole here that Microsoft needs to do something about ASAP.
Andrew Fry commented
Jeff's workaround is okay, but not a sufficient solution to ensure expected behavior as I've seen it across other delegated portal logins. If you log in to a delegated O365 portal you'll be prompted for MFA if it's configured on your account. It's incredibly important from a Direct CSP partner perspective, as selling Azure subscriptions requires utilizing the Global Admin level of AOBO privileges to assign client users to subscriptions after deployment. This is a serious oversight for accounts that have full access privileges into multiple tenants and subscriptions, especially when you're selling to Government tenants.
Jeff G commented
Here's a workaround for this: http://jeffgraves.me/2018/03/12/enforcing-mfa-for-partner-aad-tenant-in-csp/
Jon Espen Carlsen commented
Then the MFA should be triggered when signing on with the CSP-tenant identity, which it isn't. Obviously this must be a mistake - it strips away any security measures in place for a CSP-tenant.