If you are an indirect reseller, the time to act is now.
From 1 October 2025, Microsoft will begin enforcing new security and revenue requirements across the Cloud Solution Provider (CSP) program!
A critical security deadline is approaching, and these requirements apply to direct bill partners, distributors (formerly indirect providers), and indirect resellers, and are designed to strengthen the security posture of the entire partner ecosystem.
|
Enforcement Deadline 1 October 2025 Date when new partner security requirements take effect |
MFA Coverage 100% Admins All partner tenant admin users must use multi-factor authentication |
|
Alert Response Time < 24 Hours Security alerts must be answered within one day (for direct partners/distributors) |
|
[Source: Microsoft]
These updates are part of Microsoft’s broader effort to improve the baseline security posture of its entire partner ecosystem. However, as is often the case, the official guidance can be confusing, especially when trying to translate policy into practical next steps. We are here to deliver you the essential information.
Microsoft’s updated FY26 eligibility criteria apply to all CSP partners, including direct billers, distributors, and indirect resellers. For indirect resellers specifically, the key requirements are:
Failing to meet these criteria could jeopardize your partner authorization status moving forward.
At first glance, it seems straightforward. Achieve an 80 percent Secure Score and you are compliant. But once you dive into the Microsoft Learn documentation, it becomes clear that it is not quite that simple.
The Secure Score requirement is not just about hitting a number. Microsoft provides detailed guidance on specific security actions that partners should take to demonstrate compliance. These actions contribute to achieving and maintaining a high score, but the real focus is on building a secure environment.
Microsoft’s updated CSP authorization eligibility requirements introduce a set of mandatory security measures that every partner must implement by the enforcement date. In summary, all partners must ensure the following by October 2025 (selected measures):
All the above must be in place by the time enforcement begins (October 1, 2025). If your CSP program anniversary falls soon after that date, it effectively becomes your personal deadline for compliance, as Microsoft will check your status in that month each year.
Partners who do not comply risk losing their CSP credentials or other partner privileges, which could disrupt your ability to transact in the Microsoft ecosystem.
Check more details here: Security requirements dashboard for Partner Center.
Raise the security levels of all customer tenants by defining and deploying a consistent baseline. inforcer is a platform built specifically for MSPs to simplify and automate security configuration across multiple Microsoft 365 tenants.
inforcer can help you to:
The October 2025 deadline for Microsoft’s mandatory partner security requirements is a pivotal moment for CSPs. Compliance is about strengthening your foundations and delivering greater value to customers by showcasing a secure operation. inforcer simplifies this process by automating security configurations across Microsoft 365 tenants, monitoring Secure Scores, and ensuring audit-ready reporting. We help MSPs of all sizes align with Microsoft’s evolving security standards without significant overhead, enabling scalable security best practices for every client.
By investing in solutions like inforcer, MSPs can differentiate themselves as security-forward partners, earning trust and reducing vulnerabilities to breaches. Meeting the October deadline ensures not only compliance but also positions you as a leader in the Cloud-first era, prepared to guide customers through future challenges.
Taking proactive steps now will pay dividends far beyond compliance and help foster resilience in an ever-changing cybersecurity landscape.
Contact us to learn more today.