By George Lattimore Posted August 20, 2019
In the last few months, Microsoft® has been ruffling their Partners’ feathers by proposing a series of startling changes to their Partner Network. Following a failed attempt to cut internal use rights (IUR) support for smaller MSPs, Microsoft has recently tightened restrictions on their Partner Network by raising the security requirements for partner tenants:
- “Starting August 1, 2019 all partners are required to enforce multi-factor authentication for all users, including service accounts, in their partner tenant.”
At JumpCloud®, some of our Partners are also Microsoft Partners, and we’ve fielded questions concerning how the increased MFA requirements could affect JumpCloud’s Azure Active Directory / Office 365™ authentication flow. Let’s look at the details of this MFA requirement, why Microsoft is doing it, and then walk through the Office 365 authentication flow for Microsoft Partners who also use JumpCloud.
New Microsoft Partner Security Requirements
First of all, what is Microsoft’s reason for requiring MFA on every authentication by every user? “The highly privileged nature of being partner.” Partners can satisfy the requirement through one of the following paths:
- Implement Azure AD® Premium and ensure that MFA is enforced for each user
- Implement the baseline protection policies
- Implement a 3rd-party solution and ensure MFA is enforced for each user
Now, maybe you’re thinking through your product stack and client environments, and asking yourself, “what are the real implications here?” In their partner tenant, Microsoft Partners need to identify their clients’ users, applications, and devices that do not support modern authentication. Any legacy protocols, such as IMAP, POP3, SMTP, etc., will be blocked in the partner tenant because these protocols cannot support MFA. This will require some extra work on the Partners’ end, but ultimately, it’s a more secure process.
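To find the accounts that will break once legacy protocols are blocked, here is an added Python example (not JumpCloud’s or Microsoft’s own code) that scans exported Azure AD sign-in records for legacy-authentication client apps. The `clientAppUsed` field and its values are assumed from the Microsoft Graph sign-in schema, and the log lines are constructed.

```python
import json
from collections import defaultdict

# Client application labels in Azure AD sign-in records that indicate legacy
# (basic) authentication, which cannot complete an MFA challenge.
# Field name and values are assumed from the Microsoft Graph signIn schema.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Exchange ActiveSync",
    "Other clients", "Outlook Anywhere (RPC over HTTP)", "MAPI Over HTTP",
    "Exchange Web Services", "Offline Address Book", "Autodiscover",
}

# Constructed sample sign-in export (not real tenant data), one JSON object per line.
SAMPLE_SIGNIN_LOG = """\
{"userPrincipalName": "alice@example.partner", "clientAppUsed": "Browser", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.partner", "clientAppUsed": "IMAP4", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"userPrincipalName": "svc-backup@example.partner", "clientAppUsed": "Authenticated SMTP", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.partner", "clientAppUsed": "Mobile Apps and Desktop clients", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.partner", "clientAppUsed": "POP3", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 50126}}
"""


def is_legacy_auth(record):
    """Return True when the sign-in used a protocol that cannot satisfy MFA."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def legacy_auth_report(log_text):
    """Map each user to the sorted legacy protocols they signed in with successfully.

    Only successful sign-ins (errorCode 0) are counted: those are the accounts,
    including service accounts, that stop working once legacy auth is blocked.
    """
    report = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        succeeded = record.get("status", {}).get("errorCode") == 0
        if succeeded and is_legacy_auth(record):
            report[record["userPrincipalName"]].add(record["clientAppUsed"])
    return {user: sorted(protocols) for user, protocols in report.items()}


if __name__ == "__main__":
    for user, protocols in sorted(legacy_auth_report(SAMPLE_SIGNIN_LOG).items()):
        print(f"{user}: {', '.join(protocols)}")
```

Run it against a real sign-in export (one JSON record per line) to get the list of users and service accounts that must be moved to modern authentication before the block takes effect.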
Office 365 Directory Sync Authentication Flow
For those Microsoft Partners who are also JumpCloud Partners and may be concerned with how this will interfere with managing Office 365, there’s really no cause for alarm here. The authentication flow for the Office 365 directory sync remains unobstructed, regardless of Microsoft’s MFA requirements, and the transfer of credentials between JumpCloud and Office 365 still functions as normal.
All tests have been successful for integrating and syncing a JumpCloud instance with Office 365 / Azure AD from an admin account. When the admin logs in and syncs, an authorization token is created and used to keep the link established. The admin’s login is then not needed again for 90 days, when a re-sync needs to occur.
For those who haven’t used JumpCloud before, once the user identities are imported into JumpCloud via the directory sync (shown above), managed service providers (MSPs) can continue to centrally provision, deprovision, and manage their clients’ Office 365 user accounts (shown below). As stated in the Knowledge Base articles regarding the Office 365 Integration,
“JumpCloud utilizes an OAuth2 token for authorization, and TLS to secure and persist its connection with Office 365 to perform our integration tasks.” JumpCloud essentially takes those Azure AD / Office 365 credentials and extends them across systems, apps, files, and networks so that end users can actually Make Work Happen™.
Learn More About Integrating JumpCloud with Office 365
Want to speak with a Partner Support specialist at JumpCloud? Maybe you’d rather make a Free Account to test the product for yourself? Go ahead and dive in. For JumpCloud Partners, your first 10 users in each one of your client organizations are completely free, forever. This way, you can get a feel for how each client environment will operate alongside your management process. Furthermore, instead of having to pay a $15k annual fee, our standard support is included free to Partners with customers, along with co-marketing campaigns, resources, and joint webinars.
About JumpCloud’s Partner Program
JumpCloud’s Partner Program empowers IT Service Providers with central identity management from the cloud. Fine-tuned for MSPs with cloud security offerings or clients transitioning to the cloud, Directory-as-a-Service can be easily bundled at the center of any product stack to make your business, and your clients’ businesses, as efficient and scalable as possible. Make Work Happen™ for your clients while improving the bottom line for your business.