When does MFA become mandatory for Partner Center APIs?

Full enforcement begins April 1, 2026. After that date, any App+User API calls made without a valid MFA token will be blocked with a 401 response code and 900421 error code. Sandbox tenant enforcement is already active as of March 2026.

Does MFA enforcement affect App-only authentication?

No. App-only authentication is not affected. MFA enforcement applies specifically to App+User authentication flows. Partners using App-only tokens for automated processes without user context will continue to operate normally.

Which CSP partner types are affected by Partner Center MFA enforcement?

All Cloud Solution Provider (CSP) direct bill partners, indirect providers (distributors), indirect resellers, and Control Panel Vendors (CPVs) that use App+User authentication to call Partner Center APIs are affected.

How can I test if my API calls are MFA-compliant before April 1?

All Partner Center APIs have been MFA-enabled and ready for testing since September 30, 2025. You can add a ValidateMfa: true header to your API requests and check for the isMfaCompliant field in the response to confirm your calls include a valid MFA token.

What authentication framework should CSP partners use for MFA-compliant API calls?

Microsoft requires partners to implement the Secure Application Model framework for all App+User authentication. Partners must use an authentication provider compatible with Microsoft Entra ID that supports the AMR (Authentication Method Reference) claim, reflecting the actual credential type provided during authentication.

MFA Enforcement for Partner Center APIs

What CSP Partners Must Do Before April 1, 2026

Published: March 24, 2026

Eight days. That's how long Cloud Solution Provider (CSP) partners have before Microsoft blocks every Partner Center API call that doesn't carry a valid Multifactor Authentication (MFA) token. Sandbox enforcement is already live. If your integrations aren't updated, this is the post to read.

The Announcement

What's happening: Starting April 1, 2026, Microsoft will enforce MFA on all App+User authentication calls to Partner Center APIs. Requests without a valid MFA claim will receive a 401 response code and 900421 error code. App-only authentication is not affected.

Date of announcement: First announced June 2025. Reiterated in every monthly Partner Center announcement through March 2026 with increasing urgency.

Effective date: April 1, 2026 - full enforcement. Sandbox tenant enforcement is already active as of March 2026. APIs have been MFA-enabled and available for testing since September 30, 2025.

Who is affected: Direct bill partners, indirect providers (distributors), and indirect resellers transacting through the CSP program. Control Panel Vendors (CPVs) using App+User authentication are also affected.

Action required:

Verify your authentication flow. Confirm all App+User API calls use the Secure Application Model framework and include a valid MFA token in the access token.
Test now. Add the ValidateMfa: true header to your API requests and check the isMfaCompliant field in the response. All APIs have supported this since September 30, 2025.
Check your identity provider. Your authentication provider must be compatible with Microsoft Entra ID and support the AMR (Authentication Method Reference) claim. Federated identity providers need to be configured to pass MFA claims correctly.
Update your systems before April 1. There is no grace period. After enforcement, non-compliant calls are blocked immediately.

Quick note:

This has been the longest-telegraphed enforcement in recent Partner Center history — Microsoft has repeated it monthly since June 2025. But the gap between "aware" and "done" is real. If your platform automates provisioning, billing, or subscription management through Partner Center APIs, your technical team needs to validate MFA token presence in every App+User flow this week, not next month.

Partners using App-only authentication for background processes are not affected, but any flow involving user context is in scope. For the full technical requirements, see Microsoft's MFA mandate documentation.

The Bottom Line

April 1, 2026, is not a soft deadline. Microsoft is already blocking non-compliant calls in sandbox environments, and production enforcement follows immediately. The technical lift for most partners isn't enormous — it's a matter of confirming your token flow includes MFA claims.

The operational impact of getting it wrong is total: blocked API calls mean blocked provisioning, blocked billing, and blocked subscription management. Test today. Ship before Friday.

Source:

Microsoft blocks all API calls without MFA

What CSP Partners Must Do Before April 1, 2026

The Announcement

Action required:

Quick note:

The Bottom Line