Critical Security Update: MFA Enforcement for Partner Center APIs Begins April 1, 2026

Strengthen Your Security Posture

Microsoft is implementing mandatory multifactor authentication (MFA) enforcement across all Partner Center APIs, with full enforcement beginning April 1, 2026. After this date, API calls made without MFA will be blocked.

What This Means

- All APIs are MFA-enabled and ready for testing
- Partners have until April 1, 2026 to update systems
- API calls without valid MFA tokens will be rejected
- Migrate before April 1 to avoid service disruptions

Why MFA Matters

Microsoft research shows MFA prevents 99% of identity-based attacks.

Action Items

1. Audit integrations using Partner Center APIs
2. Enable MFA for all API access
3. Update applications to send valid MFA tokens
4. Test changes in sandbox environment
5. Complete migration before April 1

Supported MFA Options

- Conditional access policies in Azure AD
- Hardware security keys
- Authenticator apps
- SMS or voice verification

Resources

Review MFA Requirements documentation for guidance.

TL;DR

- MFA enforcement for Partner Center APIs begins April 1, 2026
- All APIs are MFA-ready; you have 8 weeks to migrate
- MFA prevents 99% of identity-based attacks
- Complete migration by March 31, 2026

Source: Microsoft Partner Center - January 2026