• Dana Epp

Microsoft says that Cloud Service Providers (CSP) need to use MFA, and I agree

Updated: Jul 27, 2019

Last month I read an interesting article from Krebs on Security about the fact that Microsoft will be forcing Cloud Service Providers (CSPs) to use multifactor authentication (MFA) if they are managing customer Office 365 accounts. Some partners are up in arms... but I say its about time.

When a company buys Office365 licenses from a CSP, the partner is granted admin access in order to help the company set up the tenant and establish the initial administrator account. While its possible for the company to remove this admin access after the fact, many don’t, or even know they SHOULD do that.

This leaves CSPs with full admin rights far after the initial onboarding to the Microsoft Cloud. That’s full admin access to the customers Office 365 and Azure tenant, which means the CSP has access to the company’s email and files stored in the cloud. Which could hurt the company later if that isn’t intended. You know, like the breach to PCM, the sixth largest CSP that allowed hackers to access email and file sharing systems for some of the company’s clients.

Morale of the story? Check who has global admin rights to your Microsoft Cloud environment. If you have MSPs or CSPs with access that they shouldn’t, remove it. And force ALL your global admins to use MFA, except for that one emergency account that should never be logged into unless of critical failure (and who you monitor all access from).