Book a Demo
Microsoft News

New Microsoft CSP security requirements: what Partners need to know before October 2025

Kas Nowicka
by Kas Nowicka
3 min read
Jul 11, 2025 3:51:16 PM

Big changes are coming for Microsoft partners

If you are an indirect reseller, the time to act is now.

From 1 October 2025, Microsoft will begin enforcing new security and revenue requirements across the Cloud Solution Provider (CSP) program! 

A critical security deadline is approaching, and these requirements apply to direct bill partners, distributors (formerly indirect providers), and indirect resellers, and are designed to strengthen the security posture of the entire partner ecosystem.  

Enforcement Deadline

1 October 2025

Date when new partner security requirements take effect

MFA Coverage

100% Admins

All partner tenant admin users must use multi-factor authentication

Alert Response Time 

< 24 Hours

Security alerts must be answered within one day (for direct partners/distributors)

[Source: Microsoft]

These updates are part of Microsoft’s broader effort to improve the baseline security posture of its entire partner ecosystem. However, as is often the case, the official guidance can be confusing, especially when trying to translate policy into practical next steps. We are here to deliver you the essential information. 

What is changing? 

Microsoft’s updated FY26 eligibility criteria apply to all CSP partners, including direct billers, distributors, and indirect resellers. For indirect resellers specifically, the key requirements are: 

  • Minimum of $1,000 in trailing twelve months (TTM) revenue
  • Microsoft Partner Center Security Score of 80 or higher  

Failing to meet these criteria could jeopardize your partner authorization status moving forward.  

Secure Score achievement criteria 

At first glance, it seems straightforward. Achieve an 80 percent Secure Score and you are compliant. But once you dive into the Microsoft Learn documentation, it becomes clear that it is not quite that simple. 

The Secure Score requirement is not just about hitting a number. Microsoft provides detailed guidance on specific security actions that partners should take to demonstrate compliance. These actions contribute to achieving and maintaining a high score, but the real focus is on building a secure environment. 

Microsoft’s updated CSP authorization eligibility requirements introduce a set of mandatory security measures that every partner must implement by the enforcement date. In summary, all partners must ensure the following by October 2025 (selected measures): 

  • Enable Multi-Factor Authentication (MFA) for all administrative users in your partner tenant. Every account with admin privileges must be protected with MFA, no exceptions.  
  • Designate a security contact in Partner Center. You need to specify a contact person (with up-to-date email and phone details) to receive security notifications and coordinate on security issues. 
  • Respond to security alerts within 24 hours. Partners are expected to monitor and act on security alerts (for example, notifications of suspicious activity or vulnerabilities) within a day or less. Rapid response is critical to limit damage from incidents. 

All the above must be in place by the time enforcement begins (October 1, 2025). If your CSP program anniversary falls soon after that date, it effectively becomes your personal deadline for compliance, as Microsoft will check your status in that month each year. 

Partners who do not comply risk losing their CSP credentials or other partner privileges, which could disrupt your ability to transact in the Microsoft ecosystem.  

Check more details here: Security requirements dashboard for Partner Center.

How inforcer can help you and your customers? 

Raise the security levels of all customer tenants by defining and deploying a consistent baseline. inforcer is a platform built specifically for MSPs to simplify and automate security configuration across multiple Microsoft 365 tenants.  

inforcer can help you to:  

  • Monitor and improve Secure Scores across all your customer tenants
  • Automate the implementation of policies
  • Provide clear, audit-ready reporting 
  • Stay aligned with Microsoft’s evolving security and compliance expectations

Key takeaways 

The October 2025 deadline for Microsoft’s mandatory partner security requirements is a pivotal moment for CSPs. Compliance is about strengthening your foundations and delivering greater value to customers by showcasing a secure operation. inforcer simplifies this process by automating security configurations across Microsoft 365 tenants, monitoring Secure Scores, and ensuring audit-ready reporting. We help MSPs of all sizes align with Microsoft’s evolving security standards without significant overhead, enabling scalable security best practices for every client. 

By investing in solutions like inforcer, MSPs can differentiate themselves as security-forward partners, earning trust and reducing vulnerabilities to breaches. Meeting the October deadline ensures not only compliance but also positions you as a leader in the Cloud-first era, prepared to guide customers through future challenges.  

Taking proactive steps now will pay dividends far beyond compliance and help foster resilience in an ever-changing cybersecurity landscape.

Contact us to learn more today. 

Kasia Nowicka
Kas Nowicka
Microsoft MVP
Previous story
← Windows Autopatch now supports Microsoft Business Premium
An important security update on Microsoft OneDrive
OneDrive
Microsoft

An important security update on Microsoft OneDrive

May 26, 2025 4:19:07 PM 1 min read
Windows Autopatch now supports Microsoft Business Premium
Autopatch
Microsoft

Windows Autopatch now supports Microsoft Business Premium

Jun 4, 2025 4:06:28 PM 2 min read
Superior Apple Device Management with Microsoft Intune improvements
Intune

Superior Apple Device Management with Microsoft Intune improvements

May 4, 2023 5:20:05 PM 1 min read