MFA Setup and Security requirements to integrate Work 365 with Partner Center

The following must be available and configured before the installation process begins.

Requirement	Comments
For 1-Tier (Direct Bill) partners only: A separate account in Partner Center ([email protected]) should be created.	The integration account with Partner Center should be assigned an ‘Admin Agent’ role in Partner Center. MFA for this account must be enabled (see below). A Dynamics 365 license for this account is not required. Register the MFA by going to https://aka.ms/mfasetup More information available at: https://help.work365apps.com/documentation/billing/work-365-providers/configuring-microsoft-partnercenter-provider/

Requirement

Comments

For 1-Tier (Direct Bill) partners only:
A separate account in Partner Center ([email protected]) should be created.

The integration account with Partner Center should be assigned an ‘Admin Agent’ role in Partner Center. MFA for this account must be enabled (see below). A Dynamics 365 license for this account is not required. Register the MFA by going to https://aka.ms/mfasetup

More information available at:
https://help.work365apps.com/documentation/billing/work-365-providers/configuring-microsoft-partnercenter-provider/

Enforce MFA for the integration account

MFA must be enabled for the tenant (see below), however the integration account must have MFA enforced. In order to enforce MFA for the integration account...

Login to the Azure Active Directory portal https://aad.portal.azure.com
In the left menu, click on Users → All Users.
Click the Per-user MFA option on top of the user list.
Locate the integration account on the multi-factor authentication screen.
Check the selection checkbox next to the integration account name and click the Enable link. If this option is not visible, then MFA is already enabled - proceed to step 7.
Click the enable multi-factor auth button on the confirmation popup.
Locate the integration account once more and check the selection checkbox. Click the Enforce link.
Click the enforce multi-factor auth button on the confirmation popup.
The MULTI-FACTOR AUTH STATUS column against the integration account should now show as Enforced.

Prepare for MFA enablement of the tenant

If your tenant has Azure AD Premium Plan 1 (or higher) or Enterprise Security + Mobility (EMS) plans, it is highly recommended to assign these licenses to your integration user before proceeding with MFA enablement. The planning and rollout of MFA across your tenant are not in the scope of this article. Work with your IT team to plan and deploy MFA across the organization.

Enable MFA Policies

Work with your IT team to ensure that you are compliant with the Microsoft security requirements coming into effect on August 1, 2019. More information on this can be obtained from https://docs.microsoft.com/en-us/partner-center/partner-security-requirements and https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq

The policies may take a few minutes to kick in and hence it is advised to wait for about 5-10 minutes after enabling any policies on the Azure AD tenant and before proceeding with the integration on Partner Center.