Partners are operating in an environment where security, compliance, and operational reliability are core to earning and retaining customer trust. At the same time, many partners are modernizing their systems and integrations to keep pace with a rapidly evolving commerce and services landscape.
To support this shift, Microsoft is delivering a set of security‑first, API‑driven, and commerce‑aligned technical updates across Partner Center and related platforms. These changes are designed to reduce risk, improve resilience, and simplify how partners integrate with Microsoft platforms—all while supporting more consistent, scalable operations across customer lifecycle scenarios.
Some updates are already in effect, with additional changes rolling out over the coming months. This post highlights what’s new, what’s coming, and, most importantly, how these improvements empower partners to strengthen security posture, streamline operations, and avoid disruption as enforcement milestones approach.
Recent enhancements strengthening partner security and reliability
Over the past few months, we’ve made progress on several technical and API enhancements to support consistent workflows and give partners clear, actionable paths to meeting requirements. By understanding what’s changing and why, partners can optimize their systems early, prevent avoidable delays, and create smoother end‑to‑end commerce and operational workflows.
November 15, 2025: Security workspace rollout for CSP indirect resellers
On November 15, 2025, Microsoft launched the Security workspace in Partner Center for Cloud Solution Provider (CSP) indirect resellers. It provides visibility into multifactor authentication (MFA) status, security score, mandatory security requirements, and compliance gaps, along with guidance and AI-powered assistance to support completion of CSP authorization requirements.
Learn more about security score requirements and best practices.
December 1, 2025: Enforcement of Partner of Record assignment for CSP resellers
As of December 1, 2025, Partner Center now enforces Partner of Record (POR) validation for CSP subscriptions. Updates to the Partner Location Account (PLA) API and UI make it easier for distributors to assign active, compliant indirect resellers as POR and ensure reseller eligibility is checked before a transaction proceeds.
Both the API and UI validate reseller compliance for new subscription orders and for changes such as seat adjustments, billing plan or term updates, partner‑to‑partner transfers, and legacy‑to‑new commerce migrations.
A dedicated POR Validation API provides real‑time validation of PLA IDs and confirms POR eligibility before an order or update is submitted. Distributors should enable POR API checks, map error‑handling workflows, and brief their reseller network so that resellers understand the compliance requirements now in force.
Indirect resellers should verify PLA IDs, confirm tenant status and regional alignment, and remediate common compliance gaps to prevent transaction blocks.
January 5, 2026: MFA enforcement in Volume Licensing Central
As of January 5, 2026, Microsoft enforces mandatory MFA for all partners accessing Volume Licensing Central (VLC). Partner tenants that have not enabled MFA for admin users will be blocked from signing in, so it’s important to ensure MFA is enabled at the tenant level for all administrative roles.
- To enforce MFA for your tenant while signing in to VLC, follow the guidance provided here.
- For additional information, check out the related Microsoft Learn article.
January 5, 2026: MCA attestation is now API-only
Microsoft has retired the Microsoft Customer Agreement (MCA) attestation UI and legacy API, making attestation API-only as of January 5, 2026. The bulk attestation tool is read-only, so workflows that relied on the UI or legacy endpoints must be updated to use the enhanced MCA attestation API to avoid breaks in onboarding and customer acceptance flows.
- Learn more about the changes and API integration.
- Use the Microsoft Customer Agreement Bulk Attestation Tool to determine which customers are in scope with the MCA refresh effort and need to confirm the acceptance of the MCA (as of October 7, 2025).
- Partners who attested customers before April 1, 2023, must re‑attest those customers using the enhanced API to avoid blocked transactions and ensure compliance with January 2026 enforcement.
January 5, 2026: Mandatory Marketplace Purchase Intent field for inbound co-sell referrals
Starting January 5, 2026, co-sell referral integrations must include the Marketplace Purchase Intent field, which signals whether the customer intends to transact through Microsoft Marketplace. This enhances lead quality and routing, and it reduces downstream processing delays. Referrals that are missing the field may fail validation or be delayed in processing, so update your referral and API integrations now.
To support this change, Microsoft has updated the bulk co‑sell operations guidance to include Marketplace Purchase Intent as a required field and has confirmed enforcement in CSP authorization updates, with all co‑sell API integrations required to include this field.
January 15, 2026: Azure Active Directory Graph retirement and migration to Microsoft Graph
As part of Microsoft’s broader investment in strengthening security across Partner Center, the graph.windows.net audience tokens were retired on January 15, 2026. Any Partner Center services still using the Azure Active Directory Graph API need to migrate to api.partnercenter.microsoft.com.
If your organization uses the generateToken API, stop decoding the returned token, remove dependencies on legacy claims, and begin using the new version of the API that’s available now.
Important Q1 to Q2 changes coming soon
The next set of updates touches billing, authentication, and subscription lifecycle and includes a high-impact update regarding mandatory MFA for Partner Center API access. Partners who adopt these changes early will be better positioned to operate at scale, protect customer environments, and minimize friction across billing, provisioning, and lifecycle management.
March 15, 2026: Billing reconciliation, migrate to Billing Usage API v2
Microsoft is retiring the legacy Billing Usage API v1 starting March 15, 2026, and requiring CSP partners to migrate to the asynchronous Billing Usage API v2, which is designed for enhanced performance, reliability, and scalable request handling. Partners who stay on v1 will begin encountering error states as the service winds down. If billing reconciliation is part of your daily operations, this should be a near-term engineering priority.
Review Microsoft’s API guidance in the billing reconciliation (usage) API documentation and recent enforcement details in CSP authorization updates, which confirm v1 retirement and the required migration timeline.
April 1, 2026: Mandatory MFA for Partner Center API access
Starting April 1, 2026, Microsoft will require mandatory MFA for Partner Center API access, including both user-based and app-only authentication flows. Partners need to update authentication flows to support MFA-compliant token acquisition before enforcement. Once active, API calls that do not meet MFA requirements will fail.
Review the MFA requirement and setup steps in the Partner Center security requirements page.
May 4, 2026 (revised timeline): Extended service terms in CSP
As previously announced, the extended service terms (EST) milestones related to EST production availability were expected to occur on January 19, 2026, but were delayed. The new date for this functionality is February 16, 2026.
Due to this delay, the EST enforcement will now begin on May 4, 2026. On this date, the free grace period for accessing services on non-renewed subscriptions will be discontinued. Customers and partners will have three clear choices after expiration: renew, cancel, or move to a paid EST to maintain service while next steps are decided. Review the EST documentation to learn more.
As a reminder, partners should prioritize renewal discussions with customers in advance of a subscription’s end date and discuss the best option for their business needs before the end of their service to avoid unexpected billing. Please note:
- EST is not a required end-of-term option.
- If auto-renew is set to off and the customer does not wish to move to EST, partners can select ‘cancel’ or ‘renew’ before the subscription’s end date.
- Selecting ‘cancel’ as an end-of-term option means the subscription ends on its expiration date and the customer will lose access to the service. No service will be provided after the end of the term if ‘cancel’ is the selection chosen at subscription end.
Resources and next actions
If you want a simple way to prioritize work, start with security and access continuity, then move to API and lifecycle changes.
- Confirm all mandatory security requirements are complete: Ensure MFA is in place, security contacts are set, and alerts are being addressed.
- Update API integrations (Graph replacement, Marketplace Purchase Intent, billing APIs, MFA claims): Review the Graph migration guidance and co‑sell referral requirements.
- Use the Security workspace: Identify gaps and track progress.
- Plan for EST lifecycle changes: Be aware of revised timelines and review the coming change with customers ahead of renewal dates. Coordinate with your teams to prepare for technical implementation.
We recommend that you route this post to the owners of your security posture, billing integrations, co-sell and referral integrations, and subscription lifecycle experiences. Then map each change to an owner and a target date, especially where enforcement dates are fixed.
Microsoft Learn guidance is available for Microsoft Graph migration, Partner Center security requirements, Volume Licensing Central MFA enablement, MCA attestation API integration, bulk co-sell operations requirements (including Marketplace Purchase Intent), billing reconciliation APIs, and extended service term behavior.
Continue the conversation by following our CSP partners discussion board for both direct bill and indirect resellers to collaborate, troubleshoot, and stay informed on the latest developments in the CSP ecosystem.
These updates are about protecting customers and strengthening the reliability of the systems you depend on every day. Taking action now reduces the risk of disruption later, and it keeps your operations ready for what’s next.