In most organisations using Microsoft 365 or Azure services, somewhere, someone has a level of delegated administrative control over your tenant, and it might not yet be known to you. That person or organisation with administrative control over your environment likely has just as much control as you do. Often it is not just a single user either: whole departments may have delegated control over your environment, and often even users that do not need it!
This delegated control is usually provided through the Microsoft Cloud Solution Provider program.
In this post I am going to show you how you can secure your tenant and ensure that 3rd parties with delegated administrative control adhere to your security policies.
Understanding the delegated administrator problem
When you look to license your Microsoft 365 estate, it can often be most cost effective (and you may receive better support!) to use a 3rd party provider. When setting up this relationship, the 3rd party will often request delegated administrative permissions and you give them to them. Because they are giving you a good deal and you trust them, right…?
Now, to go one step further, different CSPs often provide different services. For example, your standard outsourced IT support firm may have delegated rights over your tenant as they provide your business or enterprise licensing. Then a specialised Teams voice provider may have the same access, as they provide calling plan licenses for your tenant. Then another MS Dynamics specialist firm may again have the same access, as they provide Business Central licensing and support… see what I am getting at?
How do you know whether all of these CSPs adhere to strict security policies for their own tenants? You could ask them… but it would be negligent to assume that what you are being told is accurate.
Solving the delegated administrator problem
Luckily, solving this issue is fairly simple with Conditional Access. With Conditional Access you can specify who you want a specific policy to apply to. This means that if you want certain users to have to adhere to a stricter policy, you can do just that. In any case, I would recommend that external users adhere to a stricter policy.
In our case, we can create a Conditional Access policy that applies to external users. For the case of cloud solution providers (CSPs), CSPs with delegated access are marked as ‘Service provider users’ and are also categorised as external users. This is seen from the Boolean (yes/no) property ‘isServiceProvider’ within the Microsoft Graph.
How to identify which CSP partners have access to your tenant
While some partners may require a level of administrative access to your tenant to perform their contractual duties, some may not. You can check which partners have access to your tenant through both the Microsoft 365 admin center and Azure Active Directory.
From the Microsoft 365 admin center
Go to Settings > Partner Relationships
From Azure Active Directory
Under Manage, select Delegated admin Partners
If you are concerned about the level of access your CSP has, you should reach out to them directly to discuss it.
Create a conditional access policy for service providers with delegated admin access
1. Start by opening Azure Active Directory and navigating to Conditional Access: Azure Active Directory > Security > Conditional Access
2. Select New Policy
3. Enter a meaningful name for your policy
4. Under Assignments, click Select users and Groups > Guest or external users, then check the box next to Service provider users
5. Under Cloud apps or actions, select All cloud apps
6. Under Access controls, select Grant, then select Require authentication strength and choose your custom authentication requirement.
If you are unsure how to create a custom authentication strength setting, check out my tutorial: How to setup Require Authentication Strength in Conditional Access.
Alternatively you can just select ‘Require multifactor authentication’, but this is arguably less secure.
7. Now we are going to enable session controls to ensure that when the user's browser is closed the session is closed, and also to ensure that after 1 hour the session requires re-authentication.
Select Session, then check the box next to Sign-in frequency and set it to 1 hour. Then check the box next to Persistent browser session and select Never persistent.
8. Lastly, set the policy to On and click Create.
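As an added example (not part of the original post), here is the same policy expressed as the Microsoft Graph request body for `POST /identity/conditionalAccess/policies`, together with an audit function that checks a policy exported from Graph against steps 4 to 8 above. The Graph property names and the built-in MFA authentication strength id are real Graph values; the function names are my own, and `BUILTIN_MFA_STRENGTH` stands in for whatever custom authentication strength you created.

```python
SERVICE_PROVIDER = "serviceProvider"  # guestOrExternalUserTypes value Graph uses for CSP delegated admins
BUILTIN_MFA_STRENGTH = "00000000-0000-0000-0000-000000000002"  # id of the built-in "Multifactor authentication" strength


def build_csp_policy(name, auth_strength_id, state="enabled"):
    """Request body for POST /identity/conditionalAccess/policies implementing steps 3 to 8 above."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeGuestsOrExternalUsers": {
                "guestOrExternalUserTypes": SERVICE_PROVIDER,  # step 4: Service provider users
                "externalTenants": {"@odata.type": "#microsoft.graph.conditionalAccessAllExternalTenants",
                                    "membershipKind": "all"}}},
            "applications": {"includeApplications": ["All"]},  # step 5: All cloud apps
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "authenticationStrength": {"id": auth_strength_id}},  # step 6
        "sessionControls": {  # step 7
            "signInFrequency": {"isEnabled": True, "type": "hours", "value": 1, "frequencyInterval": "timeBased"},
            "persistentBrowser": {"isEnabled": True, "mode": "never"},
        },
    }


def audit_csp_policy(policy):
    """Return the baseline requirements (from the steps above) that an exported policy fails to meet."""
    cond = policy.get("conditions") or {}
    ext = (cond.get("users") or {}).get("includeGuestsOrExternalUsers") or {}
    # Graph serialises this flags enum as a comma-separated string, e.g. "b2bCollaborationGuest,serviceProvider"
    types = [t.strip() for t in (ext.get("guestOrExternalUserTypes") or "").split(",")]
    grant = policy.get("grantControls") or {}
    sess = policy.get("sessionControls") or {}
    sif, pb = sess.get("signInFrequency") or {}, sess.get("persistentBrowser") or {}
    hours = {"hours": 1, "days": 24}.get(sif.get("type"), 0) * (sif.get("value") or 0)
    checks = [
        (SERVICE_PROVIDER in types, "service provider users not in scope"),
        ("All" in (cond.get("applications") or {}).get("includeApplications", []), "not scoped to all cloud apps"),
        (bool(grant.get("authenticationStrength")) or "mfa" in (grant.get("builtInControls") or []),
         "no MFA or authentication strength required"),
        (bool(sif.get("isEnabled")) and 0 < hours <= 1, "sign-in frequency not 1 hour or less"),
        (bool(pb.get("isEnabled")) and pb.get("mode") == "never", "persistent browser session not set to never"),
        (policy.get("state") == "enabled", "policy not enabled"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Running `audit_csp_policy` over each policy returned by `GET /identity/conditionalAccess/policies` tells you whether any existing policy already covers service provider users to this standard before you add a new one.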