Microsoft is forcing Cloud Solution Provider partners to undergo rigorous vetting and is granting customers the ability to instantly revoke delegated access as part of a sweeping security overhaul unveiled on July 2, 2026. Deputy CISO Raji Dani announced the changes during a virtual security summit, emphasizing that the days of implicit trust in partner relationships are over. The new mandate, which takes effect immediately for all new partners and will be enforced for existing ones by October 2026, represents the most significant tightening of the CSP program’s security model since its inception.

For years, the CSP program allowed partners to manage customer tenants through delegated administration privileges, a feature that proved to be a double-edged sword. While it streamlined service delivery, it also created a vast attack surface. The 2024 Midnight Blizzard incident, where a compromised partner account led to lateral movement across multiple customer tenants, highlighted the risks. Dani acknowledged that the legacy model was “built on a foundation of trust that adversaries have learned to exploit.”

The End of Standing Privileges

At the heart of the overhaul is the mandatory transition from Delegated Admin Privileges (DAP) to Granular Delegated Admin Privileges (GDAP). DAP granted partners broad, persistent admin-level access to customer tenants, often without time limits. GDAP, first introduced in 2022, replaces this with just-in-time, role-based access that customers control. Under the new policy, DAP will be disabled for all partners by January 2027, and any partner still relying on it will lose access to customer tenants.

“GDAP is not a suggestion; it’s the baseline,” Dani stated. “We are removing the option to use DAP because standing access is standing risk.” The enforcement mechanism is technical: Microsoft will reject DAP-based authentication requests after the deadline, effectively breaking integrations that haven’t migrated. Partner Center will also start showing compliance scores, and partners with scores below 80% will be flagged to customers.

Partner vetting is no longer a one-time checkbox. Microsoft is introducing a continuous validation process that includes:
- Enhanced identity verification: All partner administrators must use phishing-resistant multifactor authentication (MFA) such as FIDO2 security keys or Windows Hello for Business. SMS and voice-based MFA are banned.
- Mandatory background checks: Technical staff with administrative access must undergo criminal and credit background checks annually, paid for by the partner. Results are reported to Microsoft’s Partner Security Assurance team.
- Real-time risk assessment: Microsoft’s machine learning models will analyze partner behavior patterns—login locations, typical working hours, resource access anomalies—and automatically trigger step-up authentication or temporary access suspension.

A new Partner Security Scorecard, visible to customers, will aggregate vetting status, GDAP adoption, MFA compliance, and tenant security posture. Customers can set policies to automatically block partners that fall below a score threshold, shifting the onus onto partners to maintain rigorous security hygiene.

“We’re giving customers the tools to be the final arbiters of trust,” Dani explained. “If a partner can’t prove they’re secure, the customer can and should walk away.”

Rapid Access Revocation: A Kill Switch for Compromised Partners

Perhaps the most impactful change is the introduction of a “break-glass” access revocation capability. Previously, removing a compromised partner required navigating multiple admin consoles and could take hours or days. The new feature, integrated into Azure Active Directory and the Microsoft 365 admin center, allows customers to revoke all delegated access for a partner with a single click, effective within 60 seconds.

This revocation severs all existing GDAP relationships, invalidates tokens, and blocks any new access requests from that partner until the customer explicitly re-approves. Dani noted that during the Midnight Blizzard event, “The time between detection and containment was too long. Now it’s nearly instantaneous.”

Partners will also receive immediate notifications when access is revoked, and they can view a revocation history in Partner Center. To prevent malicious revocations, the action is protected by Azure AD Privileged Identity Management and requires justification and approval from a separate customer admin.

Mandatory Tenant Posture for CSPs

In addition to having their personnel vetted, CSP partners must now meet minimum security standards for their own tenants. The “CSP Tenant Security Baseline” includes:
- Enable Security Defaults or Conditional Access policies equivalent to Microsoft’s recommended MFA and risk-based access controls.
- Disable legacy authentication protocols across all services.
- Enable unified audit logs and forward them to a SIEM system.
- Apply the principle of least privilege to all administrative roles, with quarterly access reviews.
- Remove any dormant or unused guest accounts monthly.
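Two of the baseline items above (block legacy authentication, require MFA for everyone) can be checked against an export of a tenant's Conditional Access policies. The following is an added example, not Microsoft's tooling: it uses the field names of the Microsoft Graph conditionalAccessPolicy resource, and the sample export is constructed.

```python
"""Check exported Conditional Access policies against two CSP baseline items:
legacy authentication blocked and MFA required for all users. Field names follow
the Microsoft Graph conditionalAccessPolicy schema; the export is constructed."""

LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}  # Graph values for legacy auth

SAMPLE_POLICIES = [  # constructed sample export
    {
        "displayName": "Block legacy auth",
        "state": "enabledForReportingButNotEnforced",  # report-only: not enforced
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": ["break-glass-account-id"]},  # placeholder
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

def _scoped_to_everyone(policy):
    """Enforced, targets all users and all cloud apps (break-glass exclusions allowed)."""
    cond = policy.get("conditions", {})
    return (policy.get("state") == "enabled"
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))

def blocks_legacy_auth(policy):
    cond = policy.get("conditions", {})
    return (_scoped_to_everyone(policy)
            and LEGACY_CLIENT_APP_TYPES <= set(cond.get("clientAppTypes", []))
            and "block" in policy.get("grantControls", {}).get("builtInControls", []))

def requires_mfa(policy):
    grant = policy.get("grantControls", {}) or {}
    # A configured authenticationStrength (e.g. phishing-resistant MFA) also satisfies this item.
    return _scoped_to_everyone(policy) and (
        "mfa" in grant.get("builtInControls", []) or bool(grant.get("authenticationStrength")))

def baseline_gaps(policies):
    """Return the names of baseline items that no enforced policy satisfies."""
    checks = {"legacy_auth_blocked": blocks_legacy_auth, "mfa_for_all_users": requires_mfa}
    return sorted(item for item, ok in checks.items() if not any(ok(p) for p in policies))
```

On the sample export the report-only legacy-auth policy does not count, so `baseline_gaps` reports `legacy_auth_blocked` as an open gap until the policy state is changed to `enabled`.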

Microsoft will scan partner tenants weekly and report non-compliance. Repeated failures can result in suspension from the CSP program. Dani acknowledged that this might be burdensome for smaller partners but argued that “security is not optional—it’s the cost of doing business in a connected ecosystem.”

Industry Reactions and Implications

The announcement drew immediate praise from security professionals and corporate customers. Laura Chen, CISO at a Fortune 500 manufacturing company, said, “We’ve been asking for this for years. Our partners are an extension of our attack surface, and we finally have the controls to manage that risk.”

Partners, however, expressed mixed feelings. The MSP Alliance raised concerns about the financial impact on small providers, particularly the requirement for annual background checks and the potential loss of business if customers block them over scorecard metrics. “A single missed MFA enforcement could cause a cascade of customer churn,” said Alliance director Mark Reynolds. Dani responded that Microsoft will offer a three-month grace period for compliance and is working on financial assistance for partners with fewer than 50 employees.

Analysts see the move as part of a broader industry shift toward zero-trust supply chain security. “We’re moving from trust-by-certification to trust-by-continuous-verification,” said Forrester analyst David Holmes. “Microsoft is effectively pushing the cost and effort of security down to the partner level, which is where the risk really sits.”

The Technical Underpinnings: How GDAP and Zero Trust Converge

Under the hood, the new architecture leans heavily on Microsoft Entra ID (formerly Azure AD) governance features. GDAP uses Privileged Identity Management (PIM) and access packages to enforce time-bound, approval-gated roles. When a partner technician needs to access a customer tenant, they request activation of a specific role for a limited duration—say, Exchange Administrator for two hours. The request can require approval from the customer admin, and all activity is logged.

Rapid access revocation leverages real-time revocation events pushed to Azure AD’s token issuance service. Microsoft has introduced a new revocation signal API that invalidates refresh and access tokens within the globally distributed authentication fabric. This means even if a partner has an active session, it will be terminated at the next resource request.

The combination of GDAP, continuous partner vetting, and instant revocation creates a defense-in-depth model that aligns with the zero-trust principle of “assume breach.” As Dani put it, “We must design for the moment when, not if, a partner is compromised.”

Roadmap and What’s Next

Microsoft outlined a phased rollout. Starting August 2026, all new CSP partner applications must pass the enhanced vetting. By October 2026, existing partners must have migrated to GDAP and completed initial background checks. The DAP shutdown will follow in January 2027. Rapid access revocation is available now for all customers via an API and a new section in the Microsoft 365 admin center.

Future additions include integration with Microsoft Sentinel for automated partner risk investigation and playbooks that can trigger revocation based on anomalous partner activity. Microsoft is also working with industry bodies to standardize partner vetting practices across cloud providers, aiming for a cross-provider trust framework.

Practical Takeaways for Partners and Customers

Partners should immediately:
- Audit all existing DAP relationships and plan migration to GDAP.
- Implement phishing-resistant MFA for all admin accounts.
- Begin the background check process for technical staff.
- Harden their own tenant against the CSP baseline.
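The first item above, auditing delegated access for standing privilege, can be scripted over an inventory of a partner's customer relationships. This is an added example, not Microsoft's or Partner Center's code: the GDAP entries use the field names of the Microsoft Graph delegatedAdminRelationship resource, while the `kind` field, the DAP entries, the 180-day policy threshold and the inventory itself are constructed assumptions.

```python
"""Audit a partner's delegated-access inventory for standing privilege, the
first step of the DAP-to-GDAP migration. GDAP entries use the field names of
the Microsoft Graph delegatedAdminRelationship resource; the "kind" field,
the DAP entries and the sample inventory are constructed for this example."""
import re
from datetime import datetime, timezone

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # Entra Global Administrator template id
MAX_DAYS = 180  # assumed partner policy: longer GDAP durations count as standing access

SAMPLE_INVENTORY = [  # constructed
    {"kind": "DAP", "displayName": "Legacy DAP", "customer": {"displayName": "Contoso"}},
    {"kind": "GDAP", "displayName": "Contoso helpdesk", "status": "active",
     "customer": {"displayName": "Contoso"}, "duration": "P90D",
     "autoExtendDuration": "PT0S", "endDateTime": "2026-12-01T00:00:00Z",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": "helpdesk-role-id-placeholder"}]}},
    {"kind": "GDAP", "displayName": "Fabrikam full", "status": "active",
     "customer": {"displayName": "Fabrikam"}, "duration": "P730D",
     "autoExtendDuration": "P180D", "endDateTime": "2028-06-01T00:00:00Z",
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": GLOBAL_ADMIN}]}},
]
NOW = datetime(2026, 7, 2, tzinfo=timezone.utc)  # constructed audit date

def iso_days(duration):
    """Days in a Graph duration like 'P180D'; 'PT0S' is 0; anything else is None."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(\d+)S)?", duration or "")
    return int(m.group(1) or 0) if m else None

def audit(relationships, now=NOW):
    """Return (customer, relationship, reason) findings; an empty list means clean."""
    findings = []
    for r in relationships:
        who = (r["customer"]["displayName"], r["displayName"])
        if r["kind"] == "DAP":  # broad, untimed admin access: must be migrated
            findings.append((*who, "DAP relationship: migrate to GDAP"))
            continue
        if r["status"] != "active":
            continue
        roles = {u["roleDefinitionId"] for u in r["accessDetails"]["unifiedRoles"]}
        if GLOBAL_ADMIN in roles:
            findings.append((*who, "GDAP grants Global Administrator"))
        days = iso_days(r["duration"])
        if days is None or days > MAX_DAYS:
            findings.append((*who, f"duration {r['duration']} exceeds {MAX_DAYS} days"))
        if iso_days(r.get("autoExtendDuration", "PT0S")):
            findings.append((*who, "auto-extend enabled: access never lapses"))
        if datetime.fromisoformat(r["endDateTime"].replace("Z", "+00:00")) < now:
            findings.append((*who, "past endDateTime but still active: terminate"))
    return findings
```

The time-boxed helpdesk relationship produces no findings; the DAP entry and the long-lived, auto-extending Global Administrator GDAP relationship are the ones a migration plan has to address first.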

Customers should:
- Review current partner access and enforce GDAP-only connections.
- Familiarize themselves with the new revocation tools and test them.
- Configure partner scorecard thresholds and automated blocking rules.
- Ensure their own tenant meets recommended security baselines to avoid becoming the weak link.

Dani closed the summit with a stark warning: “The trust we placed in partners was a product of a different time. Today, that trust must be earned every day, with every access request, and proven with hard data. The alternative is unthinkable.”

The security community will be watching closely to see if Microsoft’s aggressive timeline can be met without major disruption, but one thing is clear: the CSP program will never be the same.