Understanding FY26 CSP Program Eligibility and Security Policy Changes

Guidelines for Partners

FY26 is bringing two major updates for CSP partners: changes to program eligibility and new security policy requirements. Understanding the FY26 CSP requirements now is critical to keeping your CSP status and protecting your business. 

Part 1: FY26 CSP Requirements: Program Eligibility Changes

As Microsoft continues to raise the bar for partner performance and security, FY26 introduces stricter eligibility criteria across all types of CSP partners. Here’s how the new requirements compare to FY25, broken down by partner type:

 

1. Direct Bill Partner

| Requirement | FY25 | FY26 |
|---|---|---|
| Signed Microsoft Partner Agreement | Yes | Carries over from FY25 |
| Minimum TTM Revenue | $300,000 at PGA | $1 million at PGA |
| Time in Program | 12+ months as transacting reseller | Carries over from FY25 |
| Assessment | Minimum assessment score | Pass annual assessment |
| Support Plan | Active support plan required | Annual confirmation of active support plan |
| Designation | Not required | At least one Solutions Partner designation |
| Security | Not enforced | Must pass security score |

Direct Bill Partners will see the most significant changes, including a higher revenue threshold, mandatory annual assessments, and the introduction of the Solutions Partner designation requirement. 

 

2. Indirect Reseller

| Requirement | FY25 | FY26 |
|---|---|---|
| Verification & Vetting | Required | Carries over from FY25 |
| Signed MPA | Required | Carries over from FY25 |
| Revenue | $1,000 TTM at PLA | $1,000 TTM at PLA |
| Security | Not enforced | Must pass security score |

While Indirect Resellers keep the same revenue threshold, FY26 introduces mandatory security compliance. 

These changes prioritize partners who are invested in long-term capability-building—not just transactional reselling. 

Why FY26 CSP Requirements Matter: Failing to meet the updated eligibility requirements could result in loss of access to incentives and even deauthorization from the CSP program over time.

 

Part 2: Mandatory Security Standards Under FY26 CSP Requirements

Starting October 1, 2025, Microsoft is enforcing updated Cloud Solution Provider (CSP) authorization eligibility requirements that include mandatory security standards for all partner types. These requirements are designed to strengthen the security posture and operational readiness of partners across the ecosystem. 

 

Overview of FY26 CSP Security Requirements

Microsoft has implemented a tiered approach to CSP security requirements, distinguishing between mandatory requirements that are essential for CSP authorization and additional requirements that contribute to your overall security posture. 

Mandatory FY26 CSP Requirements for Security

These three requirements are non-negotiable and must be completed to maintain CSP status:

 

1. Multi-Factor Authentication (MFA) – 20 Security Score Points ⚠️ MANDATORY

Requirement: Enable MFA for all administrative users in the CSP tenant. 

Critical Administrative Roles That Must Have MFA: 

  • Global administrator 
  • Authentication administrator 
  • Billing administrator 
  • Conditional Access administrator 
  • Exchange administrator 
  • Helpdesk administrator 
  • Security administrator 
  • SharePoint administrator 
  • User administrator 

Implementation Options: 

  • Security Defaults (for Microsoft Entra ID Free users) 
  • Conditional Access Policies (for Microsoft Entra ID P1/P2 licenses) 
  • Per-user MFA configuration 

⚠️ Important: Non-Microsoft MFA solutions (Okta, Ping, Duo) are not supported and won’t count toward your security score. 

 

2. Designate a Security Contact – 20 Security Score Points ⚠️ MANDATORY

Requirement: Provide a designated security contact within Partner Center. 

The security contact must include: 

  • Email address (can be a shared mailbox or ticketing system) 
  • Phone number 
  • Name of individual or group responsible for security incidents 

This contact will receive notifications about security-related issues and must be able to act on security incidents promptly.

 

3. Respond to Security Alerts Within 24 Hours – 10 Security Score Points ⚠️ MANDATORY

Requirement: Maintain an average response time of 24 hours or less to security alerts. (Note: This requirement does not apply to indirect reseller partners.)

Response Requirements: 

  • Triage and respond to alerts within 24 hours (goal: within 1 hour) 
  • Update alert status or provide reason codes 
  • Response time measured from alert appearance to partner action 
  • Average calculated based on last 30 days of activity 

Recommended Additions to FY26 CSP Requirements

These requirements contribute to your security score and overall security posture but are not mandatory for CSP authorization:

 

4. Customer MFA Management – 20 Security Score Points 📋 RECOMMENDED

Requirement: Ensure users with administrative roles in customer tenants use MFA. 

Partners should monitor and help customers implement MFA for the same administrative roles listed above in their customer tenants. This demonstrates your commitment to ecosystem-wide security.

 

5. Azure Spending Budget Management – 10 Security Score Points 📋 RECOMMENDED

Requirement: All Azure subscriptions should have a spending budget configured. 

Implementation: 

  • Set spending budgets based on customer expectations 
  • Configure notifications at 80% usage threshold 
  • Available only for partners on the new commerce experience 

Security Score Calculation and Thresholds 

The Partner Center security score ranges from 0 to 100 and reflects your tenant’s overall security posture: 

  • Each requirement contributes 0-20 points based on relative importance 
  • Formula: (Sum of completed requirement scores) ÷ (Sum of maximum possible scores) × 100 
  • Requirements are either fully compliant (full points) or non-compliant (0 points) 

Critical Threshold Information: 

  • Mandatory Requirements: Must complete all 3 mandatory requirements (50 points total) to maintain CSP authorization 
  • Maximum Available Points: 80 points total (50 mandatory + 30 recommended) 
  • CSP Authorization: Based on completing mandatory requirements, not achieving a specific score threshold 
  • Best Practice: Aim to complete all requirements (80 points) for optimal security posture 

What Your Score Means: 

  • 0-49 points: Non-compliant – Risk of CSP authorization loss 
  • 50-69 points: Meets minimum requirements but missing recommended practices 
  • 70-80 points: Strong security posture with comprehensive protection 
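
The scoring and authorization rules above, worked through in Python as an added example that is not Microsoft's code or part of the original page. The function names, the constructed alert timestamps, and the choice to count an unactioned alert as open until the evaluation time are assumptions; the points and mandatory flags are the ones listed on this page, for a direct bill partner.

```python
from datetime import datetime, timedelta

# Points and mandatory flags as listed on this page (direct bill partner).
REQUIREMENTS = {
    "partner_admin_mfa": (20, True),
    "security_contact": (20, True),
    "alert_response_24h": (10, True),
    "customer_admin_mfa": (20, False),
    "azure_spending_budget": (10, False),
}

def average_response_hours(alerts, now, window_days=30):
    """Mean hours from alert appearance to partner action, last 30 days."""
    cutoff = now - timedelta(days=window_days)
    recent = [(raised, acted) for raised, acted in alerts if raised >= cutoff]
    if not recent:
        return None  # no alerts in the window, nothing to average
    # Assumption: an alert with no action yet counts as open until `now`.
    seconds = sum(((acted or now) - raised).total_seconds()
                  for raised, acted in recent)
    return seconds / len(recent) / 3600

def evaluate(status):
    """status: requirement name -> bool (full points or zero)."""
    earned = sum(p for n, (p, _) in REQUIREMENTS.items() if status.get(n))
    maximum = sum(p for p, _ in REQUIREMENTS.values())
    missing = [n for n, (_, m) in REQUIREMENTS.items() if m and not status.get(n)]
    return {"points": earned,
            "score": round(earned / maximum * 100, 1),
            "missing_mandatory": missing,
            "eligible": not missing}  # decided by mandatory items, not the score

# Constructed sample data: (alert appeared, partner acted or None).
NOW = datetime(2025, 10, 1, 12, 0)
ALERTS = [
    (datetime(2025, 9, 28, 8, 0), datetime(2025, 9, 28, 9, 0)),    # 1 h
    (datetime(2025, 9, 20, 10, 0), datetime(2025, 9, 22, 13, 0)),  # 51 h
    (datetime(2025, 9, 30, 12, 0), None),                          # still open
    (datetime(2025, 8, 15, 9, 0), datetime(2025, 8, 19, 13, 0)),   # outside window
]

def sample_report():
    avg = average_response_hours(ALERTS, NOW)
    # Assumption: a window with no alerts is not credited here.
    status = {"partner_admin_mfa": True, "security_contact": True,
              "alert_response_24h": avg is not None and avg <= 24,
              "customer_admin_mfa": True, "azure_spending_budget": False}
    return avg, evaluate(status)

if __name__ == "__main__":
    print(sample_report())
```

With these constructed inputs the partner holds 60 of 80 points (75.0 on the 0-100 scale) yet is not eligible, because the 30-day average response of about 25.3 hours fails a mandatory requirement.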

 

Enforcement and Timeline

Effective Date: October 1, 2025 

 

Validation Process: 

  • Requirements are validated annually during the anniversary month of your original CSP onboarding 
  • Continuous monitoring through Partner Center Security Requirements Dashboard 

Consequences of Non-Compliance: 

  • Failing mandatory requirements: Ineligibility for CSP authorization and potential deauthorization 
  • Missing recommended requirements: Lower security score but maintained CSP status 
  • Complete non-compliance: Partner Center access restrictions and loss of CSP program benefits 
  • Ongoing violations: Points deducted from overall security score with escalating consequences 

Action Steps for Partners to Meet FY26 CSP Requirements

Immediate Actions Required: 

1. Priority 1 – Complete Mandatory Requirements 

  • Enable MFA for all administrative users (20 points) 
  • Designate and configure security contact (20 points) 
  • Establish 24-hour alert response procedures (10 points) 

2. Access the Security Requirements Dashboard in Partner Center to monitor compliance 

3. Verify compliance before the October 1, 2025 deadline

Key Differences from Previous Requirements 

Unlike previous voluntary security recommendations, these FY26 requirements are: 

  • Mandatory for CSP authorization (not optional) 
  • Actively monitored and scored by Microsoft 
  • Enforced with real consequences for non-compliance 
  • Validated annually during your CSP anniversary month 

The shift from voluntary best practices to mandatory requirements reflects Microsoft’s commitment to Zero Trust security principles and protecting the entire partner ecosystem from evolving cyber threats. 

 

Conclusion 

Meeting the FY26 CSP requirements positions you as a trusted Microsoft partner. FY26 isn’t just about new benefits – it’s about raising the bar. Partners who prepare now will be in a prime position to grow, earn, and lead in Microsoft’s evolving ecosystem. The combination of higher eligibility standards and mandatory security requirements represents Microsoft’s commitment to building a more capable, secure, and trustworthy partner ecosystem. 

Bottom Line: These aren’t just recommendations anymore – they’re requirements for maintaining your CSP authorization. Partners who proactively implement these changes will not only maintain compliance but also strengthen their competitive position in Microsoft’s evolving ecosystem. 

 
