
New CSP security requirements and what MSPs need to know


If you’re a Microsoft Cloud Solution Provider (CSP) and haven’t heard about the new Partner Center Secure Score requirements, it’s time to pay attention. Starting October 1, 2025, Microsoft will begin evaluating CSP partners—direct, indirect, and distributors—based on a defined security baseline. Fail to meet it, and you could lose your CSP authorization. That would be devastating for any MSP.

Let’s break down what’s changing, why it matters for MSPs, and how you can get ahead of the curve. 

Not all Secure Scores are the same

First off, it’s important to understand which Secure Score we’re talking about. Microsoft has several: 

  • Microsoft Secure Score (for Microsoft 365 environments) 
  • Azure Secure Score (for Azure resources) 
  • Partner Center Secure Score (specific to Microsoft CSPs) 

The last one is the focus of these new requirements (for now…). It’s a set of best practices Microsoft now expects all CSPs to follow to maintain secure environments. These are now requirements, not just recommendations. 

Why Microsoft is doing this 

From my perspective, this shift is long overdue. We’ve seen too many security breaches through Microsoft services tied to weak or missing protections—accounts with no MFA, misconfigured roles, outdated policies, you name it. On top of that, MSPs continue to be prime targets for attackers. 

The raw truth is that the MSP space, especially in the U.S., has been largely unregulated. Anyone with a bit of IT knowledge can call themselves a service provider and spin up a CSP relationship. Microsoft knows that, and they’re stepping in with guardrails to prevent those bad habits from becoming real threats to the broader Microsoft ecosystem. 

It’s a necessary move. Delegated access permissions (DAP) and, more recently, granular delegated admin privileges (GDAP) give CSPs deep access into customer environments. If your house isn’t in order, your customers are exposed. Microsoft’s new requirements are about making sure CSPs take that responsibility seriously. 

What the new Secure Score requirements look like

The maximum Partner Center Secure Score is 80 points, but only 50 points are required by October 1. There are five focus areas (three mandatory, two recommended): 

Mandatory (must-have): 

  • MFA for admin roles in the partner tenant: 20 points 
  • Security contact info added to Partner Center: 20 points 
  • Respond to security alerts within an average of 24 hours: 10 points 

Recommended (not required yet, but you should still do them): 

  • MFA for admins in customer tenants: 20 points 
  • Budgets set for all Azure subscriptions: 10 points 

To view your current Secure Score, log in to Microsoft Partner Center and navigate to Security > Security requirements dashboard. 

What happens if you don’t comply? 

Microsoft hasn’t outlined every consequence in detail, but the implications are serious. If you’re a Direct CSP and fail to meet the requirements, you may be pushed into the indirect reseller track or lose CSP eligibility altogether at your next anniversary date. Indirect CSPs who don’t meet the requirements will be deauthorized and offboarded from the program. You’d then have to wait 12 months to reapply, resulting in lost revenue (and lost sleep!). 

On top of that, incentives and other partner benefits could be at risk. It’s best to play it safe and get your Secure Score in order as soon as possible. 

Many MSPs still don’t know this is coming

Larger MSPs are likely already in the loop. They typically have a Partner Development Manager (PDM) at Microsoft and a team that tracks program changes. But for smaller shops (and let’s be honest, that’s most of the channel), this is still flying under the radar. 

I’ve seen partners missing out on CSP incentives they already earned simply because they didn’t know to claim them. If you’re not proactively following Microsoft updates or plugged into forums like MSP subreddits or the Nerdio Community, this change could catch you flat-footed. 

And let me be crystal clear: The Partner Center Secure Score is separate from the Microsoft Secure Score in your tenant. If you’re only looking at the latter and think you’re in the clear, you might be in for a rude awakening. I believe this is also a first step in Microsoft requiring security standards, and other Secure Scores will likely have similar requirements in the future. 

Nerdio can help with the parts that matter most 

While Nerdio Manager doesn’t manage every piece of the Partner Center Secure Score (like setting your security contact), it can help in key areas: 

1. Enforcing MFA with Conditional Access

Nerdio helps you configure and enforce Conditional Access policies that restrict access to the Partner Center unless certain conditions are met. Want to require MFA? Access only from managed devices or corporate locations? Nerdio can apply those rules and track when someone changes them.

2. Monitoring and remediating policy drift

Say someone in your team alters a Conditional Access policy to make their life easier. Nerdio can detect that drift and revert the policy to your baseline automatically. That way, you maintain a consistent security posture without relying on manual oversight. 

3. Tracking Secure Score trends

When MSPs add themselves as a customer account in Nerdio Manager, they get insight into Microsoft Secure Score recommendations. While that’s not exactly the same as the Partner Center Secure Score, there’s significant overlap. Nerdio highlights where you’ve gained or lost points, tracks risk trends, and makes it easier to see what’s changed and why. 

4. Identifying risky users and devices

Through integrations with Defender for Endpoint and other tools, Nerdio can surface information about stale or risky users, device vulnerabilities, and more. All of that feeds into a broader picture of your security posture and can indirectly help your Secure Score, too. 
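The drift check described under "Monitoring and remediating policy drift", as an added example (not Nerdio's code): it compares an exported Conditional Access policy with a saved baseline and flags changes that weaken MFA enforcement. Field names follow the Microsoft Graph conditionalAccessPolicy resource; the baseline values, the role ID placeholder and the function names are assumptions constructed for illustration, and the automatic revert step is not shown.

```python
import copy

# Constructed baseline: the policy as approved. The role ID is a placeholder.
BASELINE = {
    "displayName": "Require MFA for admin roles",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": ["ROLE-TEMPLATE-ID-PLACEHOLDER"], "excludeUsers": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

def flatten(node, prefix=""):
    """Map a nested policy to {dotted.path: value}; lists compare order-free."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    if isinstance(node, list):
        node = sorted(map(str, node))  # the order of IDs is not significant
    return {prefix.rstrip("."): node}

def detect_drift(baseline, current):
    """Return sorted (path, expected, actual) for every setting that differs."""
    want, have = flatten(baseline), flatten(current)
    return [(p, want.get(p), have.get(p))
            for p in sorted(want.keys() | have.keys())
            if want.get(p) != have.get(p)]

def weakens_mfa(drift):
    """True if any change stops the policy enforcing MFA on every admin."""
    for path, expected, actual in drift:
        if path == "state" and actual != "enabled":
            return True  # disabled or switched to report-only
        if path.endswith("builtInControls") and "mfa" not in (actual or []):
            return True  # MFA grant control removed
        if ".exclude" in path and set(actual or []) - set(expected or []):
            return True  # a new exclusion carves accounts out of the policy
    return False

def sample_drifted_policy():
    """Constructed 'current' export: report-only mode plus one excluded user."""
    policy = copy.deepcopy(BASELINE)
    policy["state"] = "enabledForReportingButNotEnforced"
    policy["conditions"]["users"]["excludeUsers"] = ["constructed-user-id"]
    return policy

if __name__ == "__main__":
    drift = detect_drift(BASELINE, sample_drifted_policy())
    print(drift, "weakens MFA:", weakens_mfa(drift))
```

A rename or other cosmetic change still shows up as drift but is not flagged as weakening MFA, which keeps the alert for the changes that affect the mandatory admin-MFA requirement.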

What should you do now?

If you’re not sure where you stand, log into the Partner Center today and check your Secure Score. Again, don’t assume your Microsoft 365 tenant score is the same thing—it’s not! 

If there’s a big gap between where you are and where you need to be, start by identifying the opportunities with the most points on the line. Enabling MFA for all admins is one of the easiest and most impactful things you can do. 

And if you’re overwhelmed, Nerdio’s here to help. We’ll walk you through where to focus and how to get there without scrambling in the coming months. 

Don’t wait to improve your Secure Score!

Could most MSPs reach the minimum score in 30 days? Sure. But you’re playing with fire. The closer you cut it to October 1, the more likely you are to introduce errors, create downtime, or miss something. 

My advice? Treat this like any other client project. Give yourself at least a quarter. Phase it in, test it, and make sure nothing breaks along the way. 

Microsoft isn’t being passive anymore. If you want to stay in the CSP program, meet the requirements or risk losing the privileges that come with it. 

Need help closing your Secure Score gaps? Whether you’re unsure where you stand or know you’ve got work to do, Nerdio can help you focus on the highest-impact areas and get compliant before the deadline. Contact us to start the conversation.

Marcos Artiaga

Sales Engineer Team Lead

Marcos Artiaga is the Sales Engineering Team Lead at Nerdio, where he has played a pivotal role in driving cloud solutions for managed service providers (MSPs). With over 15 years of experience in the MSP space, Marcos has held every position from Help Desk to Director of Operations. As a Microsoft Certified Professional, Marcos specializes in Azure and Modern Work, bringing technical expertise and strategic insights to the cloud space. Outside of work, Marcos enjoys traveling with his family, exploring new destinations, and expanding his global perspective.
