MFA enforcement for Partner Center APIs is live

Microsoft has begun enforcing multifactor authentication across all Partner Center app+user API integrations. API calls made without a valid MFA claim are now being blocked with a 401 response and error code 900421.

Microsoft CSP news | Security • Partner Center APIs | Published: 15 June 2026 | Source: Microsoft Learn

What changed

On June 8, 2026, Microsoft implemented progressive enforcement of multifactor authentication (MFA) across all Partner Center app+user APIs via incremental traffic exposure. This builds on the MFA requirements already enforced for the Partner Center portal and extends the same level of protection to API-based access.

Any app+user API call made without a valid MFA claim may now be blocked, returning a 401 response with error code 900421. Microsoft had been communicating this change since January 2026, with earlier phases targeting April 1, 2026. The June 8 enforcement represents the production rollout across partner scopes.

The enforcement is executed through incremental traffic exposure, meaning partners who are not yet fully configured may already be seeing blocked requests on specific tenants or API endpoints, with wider coverage rolling out progressively.

Why CSP partners should care

If your business relies on Partner Center API automation for any of the following, this is a top-tier reliability requirement:

  • Customer provisioning: creating, modifying, suspending, or cancelling subscriptions via API.
  • Billing and reconciliation: downloading invoices, retrieving unbilled usage, or processing reconciliation files programmatically.
  • Customer management: creating new customer records, managing GDAP relationships, or handling MCA attestation.
  • Pricing and catalog: retrieving price lists, offers, and SKU availability for quoting engines.
  • Indirect provider workflows: reseller management, margin configuration, and subscription delegation through app+user tokens.

A 401 error on any of these operations means the call fails, and whether that failure is surfaced or silently swallowed depends on your error handling. Partners using unattended automation, scheduled jobs, or daemon processes with app+user authentication are at the highest risk of disruption.

Operational checklist

Immediate (this week)

  • Inventory all app+user API integrations across your tools, partner portals, and internal automations.
  • Identify non-MFA users and applications using Microsoft Entra sign-in logs.
  • Validate token acquisition flows end-to-end to confirm a valid MFA claim is included.
  • Test in sandbox environments before updating production integration points.

Short-term (within 30 days)

  • Enable MFA for all user accounts that authenticate against Partner Center APIs.
  • Update automation scripts and daemon services to use the secure application model with MFA claims.
  • Monitor for 401 and 900421 error patterns in API logs to catch remaining gaps.
  • Review the secure application model for Partner Center API integrations.
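
Two of the checklist items above, confirming that an acquired token carries an MFA claim and finding 900421 rejections in API logs, can be scripted. The following is an added example, not Microsoft's or Tagydes's code. It assumes Entra ID records MFA as the value `mfa` in the access token's `amr` claim; the log line layout, sample tokens, and user names are constructed for illustration.

```python
import base64
import json
import re

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with 3 segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def has_mfa_claim(token):
    """True if the amr (authentication methods references) claim lists 'mfa'."""
    amr = jwt_claims(token).get("amr", [])
    return "mfa" in ([amr] if isinstance(amr, str) else amr)

# Assumed log layout (constructed): "... status=<http> code=<error> upn=<user>"
LOG_RE = re.compile(r"status=(\d{3}) code=(\d+) upn=(\S+)")

def mfa_blocked_users(lines):
    """Count 401 responses carrying error code 900421, per signed-in user."""
    hits = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(1) == "401" and m.group(2) == "900421":
            hits[m.group(3)] = hits.get(m.group(3), 0) + 1
    return hits

def _sample_token(claims):
    """Build an unsigned token for the demo; not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

PWD_ONLY = _sample_token({"upn": "svc-billing@contoso.example", "amr": ["pwd"]})
WITH_MFA = _sample_token({"upn": "ops@contoso.example", "amr": ["pwd", "mfa"]})
SAMPLE_LOG = [  # constructed lines
    "2026-06-09T02:00:01Z GET /v1/invoices status=401 code=900421 upn=svc-billing@contoso.example",
    "2026-06-09T02:00:07Z GET /v1/customers status=200 upn=ops@contoso.example",
    "2026-06-09T02:05:01Z GET /v1/invoices status=401 code=900421 upn=svc-billing@contoso.example",
    "2026-06-09T02:06:30Z POST /v1/customers status=401 code=000000 upn=temp@contoso.example",
]

if __name__ == "__main__":
    for name, tok in (("PWD_ONLY", PWD_ONLY), ("WITH_MFA", WITH_MFA)):
        print(name, "carries MFA claim:", has_mfa_claim(tok))
    print("blocked for missing MFA:", mfa_blocked_users(SAMPLE_LOG))
```

Decoding without signature verification is suitable for inspecting a token your own integration just acquired, not for deciding whether to trust one.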

How Tagydes helps

Tagydes is built on the Partner Center API secure application model and handles MFA claims natively in all authenticated operations. Our platform provisions subscriptions, manages GDAP relationships, processes reconciliation files, and maintains pricing data through fully compliant authentication flows.

For providers running their own automation alongside Tagydes, we recommend auditing those integrations separately. Tagydes itself does not use unauthenticated app+user calls, so your Tagydes-powered operations are unaffected by this enforcement.

If you need help reviewing your broader Partner Center API posture, the Tagydes team can provide guidance on Entra sign-in log analysis, integration inventory, and migration to the secure application model.

Source

This update is based on Microsoft Partner Center announcements for June 2026:
