Navigating Microsoft’s New CSP Security Requirements

Hey everyone,

You might have heard some chatter in regards to Microsoft’s new CSP security requirements. Thought we’d share it here as well for those who might’ve missed it!

Enforcement starts on October 1, 2025.

What’s Changing (The Quick Rundown)

Microsoft is serious about security, and these new requirements apply to all direct bill partners, distributors, and indirect resellers. Here are the main points you need to be aware of:

• Mandatory MFA: Multi-factor authentication is a must for all administrative users.
• Designated Security Contact: You’ll need to designate a specific security contact who can respond to alerts.
• 24-Hour Response Time: Direct partners and distributors must respond to security alerts within 24 hours.
• Secure Score of 80+: Direct billers and distributors must maintain a Microsoft Partner Center Security Score of 80 or higher.

Partners who do not comply with these stringent security measures risk losing their CSP credentials or other partner privileges, which could disrupt their ability to transact within the Microsoft ecosystem.

No question is too small. If you’re wondering about something, chances are someone else is, too. We’re happy to answer any questions, concerns, or provide guidance on how Syncro can help with these changes.

thanks for flagging this up. Also, I went down a small rabbit hole of our partner center Security area not being available un My Access which I think makes it a button on the main panel. It said “Access not granted” and to contact a global admin like me

This is where the secure score will be but it is not ready yet apparently and will appear in time. But the points above should be enough to get the score sorted.

Thanks for your reply. I am getting the same Access not granted. Is that what is happening @Jess ?
I also noticed on the bottom of the left menu it Says security center>> MFA, which leads to a retired page.

How can I check my score

I would ignore looking for the score or at least that is what I am doing but have made sure that the security contact was setup and double-checking MFA is in place for all admin accounts. This should get you most if not all the way there.

• 1. Microsoft plans to enable access to the Security Workspace for indirect resellers in the coming weeks. While no specific date has been announced, this update will allow you as a reseller to directly monitor your compliance with security requirements through Partner Center.
  2. As mentioned in our call, here are some relevant articles you can go over on this Security Workspace topic:

     • Partner security requirements - Partner Center | Microsoft Learn

     • https://learn.microsoft.com/en-us/partner-center/security/security-roles

Hi Folks,

@des.quinn has provided some great information! In addition, here’s a handy Microsoft CSP Authorizations one-pager (download)

@candrews According to Microsoft, the Security Workspace in Partner Center is currently only available for direct-bill partners and indirect providers.

You can see a breakdown of responsibilities by Microsoft Partner Type in their May Announcements.

For Indirect Resellers:

• Complete business vetting.
• Have a minimum of 1,000 USD TTM billed revenue at the reseller tenant level.
• Complete the mandatory requirements of the Partner Center security score.
  • Enable multifactor authentication (MFA) for all administrative users in the CSP tenant.
  • Designate a security contact within Partner Center.
• Accept the Indirect Reseller Microsoft Partner Agreement (MPA).

just to add that we had previously completed vetting in the last 12 months but will changing security contact we are now having to do it once more and supply business registration docs again.

Nothing too arduous but the impending deadline adds some stress