June 28, 2019

It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp. says it will soon force all Cloud Solution Providers (CSPs) that help companies manage their Office365 accounts to use multi-factor authentication. The move comes amid a noticeable uptick in phishing and malware attacks targeting CSP employees and contractors.

When an organization buys Office365 licenses from a reseller partner, the partner is granted administrative privileges in order to help the organization set up the tenant and establish the initial administrator account. Microsoft says customers can remove that administrative access if they don’t want or need the partner to have access after the initial setup.

But many companies partner with a CSP simply to gain more favorable pricing on software licenses — not necessarily to have someone help manage their Azure/O365 systems. And those entities are more likely to be unaware that just by virtue of that partnership they are giving someone at their CSP (or perhaps even outside contractors working for the CSP) full access to all of their organization’s email and files stored in the cloud.

This is exactly what happened with a company whose email systems were rifled through by intruders who broke into PCM Inc., the world’s sixth-largest CSP. The firm had partnered with PCM because doing so was far cheaper than simply purchasing licenses directly from Microsoft, but its security team was unaware that a PCM employee or contractor maintained full access to all of their employees’ email and documents in Office365.

As it happened, the PCM employee was not using multi-factor authentication. And when that PCM employee’s account got hacked, so too did many other PCM customers.

KrebsOnSecurity pinged Microsoft this week to inquire whether there was anything the company could be doing to better explain this risk to customers and CSP partners. In response, Microsoft said while its guidance has always been for partners to enable and require multi-factor authentication for all administrators or agent users in the partner tenants, it would soon be making it mandatory.

“To help safeguard customers and partners, we are introducing new mandatory security requirements for the partners participating in the Cloud Solution Provider (CSP) program, Control Panel Vendors, and Advisor partners,” Microsoft said in a statement provided to KrebsOnSecurity.

“This includes enforcing multi-factor authentication for all users in the partner tenants and adopting secure application model for their API integration with Microsoft,” the statement continues. “We have notified partners of these changes and enforcement will roll out over the next several months.”

Microsoft said customers can check or remove a partner’s delegated administration privileges from their tenants at any time, and that guidance on how to do this is available here and here.

This is a welcome — if long overdue — change. Countless data breaches are tied to weak or default settings. Whether we’re talking about unnecessary software features turned on, hard-coded passwords, or key security settings that are optional, defaults matter tremendously because far too many people never change them — or they simply aren’t aware that they exist.
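The practical follow-up to the article for a customer tenant is to look at what a partner’s delegated-admin accounts actually did. The script below is an added example, not code from the original post or from Microsoft: it triages Office 365 unified audit log records and flags operations performed by accounts whose UPN domain is outside the customer tenant, which is how a CSP agent acting through delegated administration shows up. The field names (CreationTime, Operation, UserId, ObjectId, Workload, ResultStatus) follow the Office 365 Management Activity API common schema, and the records are assumed to be already parsed from the AuditData column of an export. The tenant domains, the partner domain, the sample records and the operation sets are all constructed for the example.

```python
"""Triage unified audit log records for partner (delegated admin) activity.

Added example; not from the article. Assumes records are dicts parsed from
the AuditData JSON of an Office 365 unified audit log export.
"""
import json
from collections import Counter

# Domains belonging to the customer tenant (assumption; replace with yours).
TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Azure AD / Exchange operations a partner should never need when the CSP
# relationship exists only for license purchasing (assumed set).
PRIVILEGED_OPS = {
    "Reset user password.", "Change user password.", "Add member to role.",
    "Add user.", "Update user.", "Set-Mailbox", "Add-MailboxPermission",
}
# Operations a license-only partner legitimately performs (assumed set).
LICENSING_OPS = {"Change user license.", "Set license properties."}


def actor_domain(user_id):
    """Lower-cased domain of a UPN-style actor, or None for non-UPN actors
    such as 'NT AUTHORITY\\SYSTEM' or a service-principal GUID."""
    if "@" not in user_id:
        return None
    return user_id.rsplit("@", 1)[1].lower()


def is_external_actor(record, tenant_domains=TENANT_DOMAINS):
    """True when the acting account lives outside the customer tenant."""
    dom = actor_domain(record.get("UserId", ""))
    return dom is not None and dom not in tenant_domains


def triage(records, tenant_domains=TENANT_DOMAINS):
    """Return findings for every record whose actor is external, rated by
    whether the operation is privileged, licensing-related, or other."""
    findings = []
    for r in records:
        if not is_external_actor(r, tenant_domains):
            continue
        op = r.get("Operation", "")
        if op in PRIVILEGED_OPS:
            severity = "high"
        elif op in LICENSING_OPS:
            severity = "info"
        else:
            severity = "medium"
        findings.append({
            "time": r.get("CreationTime"),
            "actor": r["UserId"],
            "operation": op,
            "target": r.get("ObjectId"),
            "result": r.get("ResultStatus"),
            "severity": severity,
        })
    findings.sort(key=lambda f: f["time"] or "")
    return findings


def summarize(findings):
    """Count findings per (actor, severity) for a quick review table."""
    return Counter((f["actor"], f["severity"]) for f in findings)


# Constructed sample records: one licensing change, a password reset and a
# role assignment by a partner agent, an internal reset, and a system action.
SAMPLE_RECORDS = [json.loads(line) for line in r"""
{"CreationTime":"2019-06-20T02:14:07","Workload":"AzureActiveDirectory","Operation":"Change user license.","UserId":"agent@partner-csp.example","ObjectId":"jdoe@contoso.com","ResultStatus":"Success"}
{"CreationTime":"2019-06-21T03:02:41","Workload":"AzureActiveDirectory","Operation":"Reset user password.","UserId":"agent@partner-csp.example","ObjectId":"admin@contoso.com","ResultStatus":"Success"}
{"CreationTime":"2019-06-21T03:05:12","Workload":"AzureActiveDirectory","Operation":"Add member to role.","UserId":"agent@partner-csp.example","ObjectId":"helpdesk2@contoso.com","ResultStatus":"Success"}
{"CreationTime":"2019-06-21T09:30:00","Workload":"AzureActiveDirectory","Operation":"Reset user password.","UserId":"itadmin@contoso.com","ObjectId":"jdoe@contoso.com","ResultStatus":"Success"}
{"CreationTime":"2019-06-22T11:11:11","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)","ObjectId":"jdoe@contoso.com","ResultStatus":"True"}
""".strip().splitlines()]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['time']} {f['severity']:<6} {f['actor']} {f['operation']} -> {f['target']}")
    print(summarize(triage(SAMPLE_RECORDS)))
```

The internal admin’s password reset and the Exchange system action are skipped on purpose: the point is to isolate what the partner did, and a license-only partner should produce nothing above “info”. A password reset or role change by an external actor, as in the second and third sample records, is exactly the activity a customer who revoked nothing after setup would otherwise never notice.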


54 thoughts on “Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers”

  1. Steve Johnson

    Thank you for sharing this information. Curious if our MSP has access other than adding licenses. We do not see them as Global Admins in our tenant.

    1. Dave_Sec

      If you have a Partnership set up in your Azure tenant your CSP has access to change your Global Admin account. I know this because I saw unexplained activity where someone used a PCM Partner account to change the Global Admin Account password. This PCM story is being under-reported, as is the threat it caused and probably continues to cause. The Partnership account does not show up anywhere in your tenant and has rights to do a lot more than reconcile licenses. Hackers have figured it out and are probably already in a number of tenants. If you have a Partnership set up, kill it and assume you are owned. PCM and Microsoft have worked very hard to sweep this under the rug.

      1. Tans

        That’s not true, CSP partners show up as guest users and clearly show up in tenants.

        1. Jason

          That’s not true as well Tans.

          Partners show up on the delegated administration page. I am a partner myself and none of our staff have guest accounts in our customer tenants. We use delegated administration to log on to our customer tenants.

          We also use the global admin account from time to time because certain things we need to do for support can’t be done with delegated admin. For example, if we want to configure MFA for a user we need to log on with a global admin.

  2. ChrisSuperPogi

    This is very positive news that is long overdue.

    Kudos to Microsoft and Thanks Brian for the report!

    1. Jeff G

      Another example of Microsoft working towards being “the last to cool”…

  3. JCitizen

    Better late than never, I guess – thanks for all the work you do Brian!

  4. The Sunshine State

    All internet-facing online accounts that require a log in of some type, including 100 percent of all banks, should be using multi-factor authentication by users.

    It should be mandatory by the website during the set up process of the online account to set up 2FA.

    1. Howard

      I get that, and I totally agree, but I think a lot of companies weigh convenience of their users over security–unfortunately. The average security-ignorant user is only going to think that multiple steps just to sign in to their bank is inconvenient. “I’m only signing in to check how much money my wife racked up from Target in June, why do I need to go through all this extra nonsense?!” I think it’s on the company, like you said, during setup to enforce this, though. Realistically, if given the option, how many users are going to actually sign in and set up their 2FA after the fact? Probably none. That’s why I think your method works. Maybe there can be a little text box saying something like, “We care for your security, which is why we require you to set up 2FA. 2FA just simply means ‘x’ and will prevent hackers from ‘y’.” It doesn’t need to be anything spectacular, just enough to get the point across that 2FA is much more secure than traditional means.

      1. Christoph

        Customers unfortunately only see the added inconvenience of 2FA, and if anything happened because they did not use it when offered, they expect to be held harmless anyway.
        Mandating it can be quite a “fun” experience. In Europe, the 2FA requirements for electronic payments are coming into effect in September, and one major change is that customers will now require 2FA even to log into their bank account to view information (previously only one factor was required, at least in my country; YMMV in other EU states), although they can choose to pause 2FA then for up to 90 days.

        Effects?
        Little of the narrative in the press is about how this makes online banking and card payments safer, most is about how everything is becoming more complicated.
        Customers complain about how everything is getting more complicated and they can no longer give their online banking credentials to that friendly fintech account-aggregating app and instead have to authorize their access separately (think “application-specific passwords”, kind of).
        Fintechs complain about how this is all an evil plot by the finance industry to cut them off from hoovering all customers data through screen scraping access through the bank website.

        Why don’t consumers see the need for 2FA, mostly? Because by law they will be held harmless anyway, unless malicious intent or gross negligence can be proven. Oh, and giving your credentials to that friendly startup with the cool account-aggregating app is not gross negligence, because the monopolies commission ruled it was an unlawful banking cartel decision to include a prohibition re. credential sharing in their online banking T&Cs (again, in my country; the other 26 states may differ).

    2. Catwhisperer

      I would also caution about using 2FA without a backup method to get into the account. I got burned recently with a hosting provider to turn off 2FA temporarily, to the tune of $80, when I had a problem with Google Authenticator. Took me over a week to resolve the problem.

      Just remember that that smartphone can be dropped, run over, be reset or destroyed via some other method and if Google Authenticator, Authy, or whatever you are using for 2FA is on it, guess what? As the tuna guy says, Sorry Charlie!

      1. Hodge

        Google actually gives you a certain amount of OTPs for logging in without 2FA for this very reason.

  5. JellyK

    I guess what I don’t understand is how PCM is still allowed to be a CSP. The whole reason MS started the CSP program is because they didn’t want to directly support customers, but they never made it clear that CSPs would be any less secure than going straight through MS. I know that support technicians on MS front lines do not have access to customer data but they never really spell that out for CSPs. MS should show that they actually care about security and bring down the ban hammer on PCM. Make them an example of what not to do. But of course that’s never going to happen.

  6. Phil

    Thank you Brian. Please don’t say you “pinged” Microsoft. Reached out is more than fine.

      1. AB

        @Bob

        Because everyone should know you can’t ping Microsoft

        C:\>ping microsoft.com

        Pinging microsoft.com [40.76.4.15] with 32 bytes of data:
        Request timed out.
        Request timed out.
        Request timed out.
        Request timed out.

        Ping statistics for 40.76.4.15:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

        1. Clay_T

          hehe…

          Also:
          Give me a ping, Vasili. One ping only, please.

    1. Readership1

      +1

      Pinging is not, and never will be, a colloquialism for contact involving a human response.

        1. Readership1

          I hear you, but it still sounds silly.

          1. Jeff G.

            Do you also yell at clouds as they float by?

            1. JimV

              Perchance he might be more of a ‘moon-howl’ sort…?

            2. Readership1

              Clouds do not bother me, because I am such a big ray of sunshine.

      1. parabarbarian

        A lot of non-technical people use technical words to sound more sophisticated than they really are. Use a buzzword to camouflage ignorance. Years ago a manager told me in a meeting to “interface” with someone. This was back when interface usually meant putting a male connector into a female one. I knew what he meant but the jokes from the systems and network admins about such an “edgy” usage were epic.

        Gotta wonder what the timeout is for a person to person “ping” request.

      2. Anon404

        “and never will be”

        Well, for one you’re wrong, it already is a colloquialism for reaching out to someone; sorry, but I think you are a bit behind the times. Also, who died and made you the ultimate authority on what will ever be used as a colloquialism? Might want to get off your high horse.

      3. Christoph

        I guess the old UNIX-style term of “to finger someone” (to get their contact details or so) is no longer safe to use these days, as opposed to pinging.

    2. Phil Needs to Chill

      Yur the kind a guy too kurrect everyones grammer miss-takes, huh. Their ya go. have fun Fill. U sound like you’re life iz boring.

  7. Louis Leahy

    Unfortunately, 2FA is not going to stop the attacks; it will make them more difficult, but not that much. This article in the NYT gives a good explanation: https://www.nytimes.com/2019/01/27/opinion/2fa-cyberattacks-security.html?emc=edit_th_190128&nl=todaysheadlines&nlid=720523760128
    also we have prepared a video that explains the issues
    https://www.youtube.com/watch?v=d25IrxV50lU&t=5s
    What Microsoft and other cloud service providers and all institutions that are providing services to the public on the internet for that matter need to do is replace their legacy user name and password configuration with multilevel authentication.

  8. Dave

    Let’s hope others, especially the larger IT firms, follow suit.

  9. SWICKtech Isaac

    This is welcome news and will improve security for lots more orgs.

    We started our effort last year and already have MFA, auditing, and proactive/predictive alerting enabled across our entire company and CSP accounts.

    We are now working with customers to spread MFA and additional security across their organizations.

    Most people welcome it and feel better afterward.

  10. Red

    I agree that MFA should be mandatory everywhere but it should be made easier. How about “Yes or No” instead of other sites verification which sometimes consists of cumbersome 10-digit numbers to enter.

    This won’t stop the madness (see the recent blockchain typosquatting arrests) but it’s long overdue..

    1. Kirk

      An Accept/Deny response is possible if you use the MS Authenticator app. Much easier than retyping a code.

  11. bikebrains

    There is a 2FA system where the second factor is the use of the cookie. Thus the call to the authorized phone to enter system generated code is done only once because the approval is stored in the cookie. The PC becomes the second factor. This system may be adequate for home use but NSFW. The way to return to a pure 2FA is to delete the cookie prior to going to lunch or at EOD.

    1. Joe

      There is an ongoing fight for many providers to call things MFA or 2FA… that were never and should never be called that.

      No, a cookie isn’t an authentication factor. It doesn’t meet any legit criteria to be one. It isn’t something you have, even though it might seem like it to a layperson. It has to be tied to something non-exportable and tamper resistant. A physical token is really the true definition. The TPM chip “can be” considered a token (if the resource being protected isn’t the laptop itself).

      The whole problem with SMS is the layer of abstraction between a phone number and the phone. The “phone” is a physical device that can be considered the “possession factor”. But the phone number is exportable by your carrier. Which is why SMS isn’t secure, because the entire security of all your MFA-protected accounts can be bypassed by some teenager at the AT&T store.

      A cookie is NOT an authentication factor, but rather a static placeholder representation of a previous authentication method. Something that “should be” temporary and contextual (used only from that IP Address, etc). But there is no way to get a cookie without an actual authentication first.

  12. MJ

    When you attach a CSP to your o365 tenant, there are numerous warnings that this provides them administrative access. However, only the global admin who sets up the partner access sees the warning. The admin access isn’t required for licensing. I went through this recently and had no interest in providing admin access to the CSP.

    Turns out you don’t have to, if all you’re doing is purchasing licensing. You connect them, they set you up in the partner license console, then you revoke the access. They’ll continue to be able to sell you licenses. You do need a CSP who knows what they’re doing.

    Partner access doesn’t show in the regular User view, but it does show under “Billing” in the admin portal, including the admin level the partner has. If you’re not sure, go to the Office admin panel, select Billing, Billing Accounts, then the tab “Partner Accounts”.

    Between PCM and HP, beware your CSP/MSP provider. If you just purchase licenses from a CSP, revoke their admin access. Much like reviewing admin accounts, don’t forget to review partner access and ensure the level is appropriate for the service provided. MS could do a better job here.

  13. Brian Cummings

    We should be thinking U2F now, not 2FA

    1. Readership1

      Don’t get carried away. The greater the annoyance, the lower the compliance.

      It’s only a matter of time before someone automates the remote insertion of security keys or raises human clones to ensure biometrically locked data remain accessible into perpetuity.

      P.S. to BK, I was right about the fake restaurant sites. Check your email

      1. BrianKrebs Post author

        Good for the NYPost. I contacted all of the stores we discussed, and I could not verify anything was amiss at the time.

        1. Readership1

          One man can’t catch every fish. Next time.

  14. Daniel Dickens

    This is a welcome mandate, but in addition, I would like to see a requirement for U2F as the default standard to combat real-world MFA attacks such as Man-in-the-Middle, etc.

  15. Kenny

    I could go on and on about weaknesses in how Microsoft designed security around CSPs’ access to customers’ tenants/subscriptions but here are three big ones:
    1. Some critical features can’t be administered via Delegated Admin Privileges. This results in CSPs creating shared Global Admin accounts in customers’ tenants with MFA disabled.
    2. MFA is bypassed when a CSP user accesses a customer tenant directly through the Azure portal, i.e., https://portal.azure.com/.
    3. The role based access model in Partner Center is horribly insufficient. There are only 3 roles: Helpdesk Agent, Sales Agent, and Admin Agent. Probably just about every MS partner employee is an Admin Agent which gives them Owner equivalence in customers’ Azure subscriptions.

    1. Kenny

      Minor clarification…MFA is bypassed when a CSP user accesses the customer tenant directly which can be done by appending the customer tenant name to the azure portal url.

  16. Dianne Williams

    I am wondering how it’s going to work for service providers who do support remotely. I often log on to my clients’ PCs and get into Outlook etc. to troubleshoot issues for them (at their request). How will I still be able to access my clients’ applications if they are using MFA?

    1. Kenny

      Dianne, this new requirement for CSPs is related to the delegated admin privileges those partners have to their customers’ subscriptions/tenants through the MS Partner portal. Sounds like the scenario you’re bringing up is where you want to log in with your clients’ end-user accounts to troubleshoot user- or profile-based issues. I would never let a client provide me with their password. I’d have the client log in and then do a screen share. If absolutely necessary to log in as the user, I would (with client consent) reset the password so that action is logged to my admin account. When done, I’d set “force password change on next logon” on the end-user account. I don’t mean to be unsympathetic (I’ve been a service provider for 20+ years so I understand it’s a hassle), but if MFA prevents users from letting you or others log in with their accounts, good. It reduces risk to you and the client.

  17. spagafus

    “providers”, “partners”, “experts”. Keep in mind these outfits always hire the cheapest and minimally qualified staff in pursuit of the highest profit margin. They undercut each other as much as possible and as with any lowest bid contract you get what you pay for.

    1. Hubris

      You have that backwards. SIM transfers allow bypass of both single-factor authentication and SMS-based MFA. Using MFA, including SMS-based MFA, doesn’t allow a SIM transfer to occur.

  18. Zappedia

    Impressive post!!! Because the security requirements apply to all users in a partner directory, several considerations need to be made to ensure a smooth deployment.

  19. cyber security services

    Thanks for providing a focal point for security information. I’m currently learning about the IT world through education and professional development. I would like to know your thoughts on what someone who is weak in the IT field should focus on when learning about security. It is obvious that it is an important part, but as someone aspiring to be a potential manager I’m curious about what areas are most important to focus on. Thanks for your input.
