Microsoft CSP Program changes

September 16th, 2025
Kaseya
Announcements / News, Cybersecurity, Managed Service Provider (MSP)

October 1, 2025, is right around the corner, and with it comes one of the most significant updates Microsoft has made to its Cloud Solution Provider (CSP) program in recent years. To be eligible for the new Microsoft CSP Program, MSPs must meet the requirements set by the firm, including new revenue thresholds, tougher operational requirements and higher security standards.

For many MSPs, these updates will require a serious reevaluation of Microsoft 365 offerings, compliance readiness and long-term service strategies. The new security requirements raise the bar for how MSPs protect their clients’ environments, which means they’ll need to strengthen their Microsoft 365 security posture — and do it before the deadline.

Read on to learn how SaaS Alerts can help MSPs like you bolster client security posture and stay compliant while turning these regulatory shifts into a competitive advantage.

What’s changing in the Microsoft CSP Program

The upcoming CSP program changes will impact all partners in the CSP ecosystem, from direct bill partners to distributors and indirect resellers. These updates introduce higher revenue thresholds, enhanced operational requirements and stricter security standards to ensure partner readiness and customer protection.

How it impacts indirect resellers

While some of the changes don’t apply to indirect resellers as much as they do to direct bill partners or distributors, they must meet a minimum revenue threshold of at least $1,000 trailing 12-month billed revenue (TTM). Small or inactive resellers that don’t meet this baseline risk losing their CSP status. Indirect resellers are also required to meet Partner Center secure score benchmarks.

CSP partners must also invest in improving their internal and customer-facing cybersecurity practices, such as making MFA mandatory for Partner Center UI. Failure to comply with these requirements could result in losing eligibility to transact.

How it impacts direct bill partners

Once these updates take effect, direct bill partners must meet at least $1 million in CSP revenue over the past 12 months, up from the previous requirement of around $300k.

Large MSPs who want to remain direct billers must also:

  • Maintain an Advanced Support for Partners (ASfP) or Premier Support plan to ensure they can provide reliable support and meet enterprise-grade standards.
  • Pass operational maturity assessments to demonstrate they can handle billing, provisioning, compliance and support at scale.
  • Hold at least one Solutions Partner designation to prove technical expertise.

New security requirements for CSP partners

Microsoft is raising the bar on security, and every partner, including MSPs, must adapt and comply with the new security requirements to remain an authorized CSP partner. Starting October 1, stricter security posture standards will become mandatory across the CSP Program. One of the main highlights of these updates is the Partner Center secure score. Microsoft now requires partners to maintain a score of 80 or higher to stay compliant.

The secure score reflects how well a partner is protecting its environment as well as its customers’ tenants. The Partner Center secure score is built on measurable actions, each carrying a maximum value between 0 and 20 points. While some of these requirements are mandatory, some are recommended actions. Together, they can help CSP partners not only improve their security posture but also increase their overall score.

Security requirements and points:

  • Enabling MFA for administrative roles on the CSP tenant (Mandatory requirement/20 points)
  • Appointing a security contact within Partner Center (Mandatory requirement/20 points)
  • Enforcing MFA for customer tenant admin roles (Recommended requirement/20 points)
  • Setting Azure subscription spending budgets (Recommended requirement/10 points)
  • Responding to security alerts within 24 hours (Mandatory requirement/10 points)

What this means for MSPs

While the CSP Program updates are significant, they also offer MSPs the chance to reinforce credibility and deepen customer relationships. MSPs who reposition around managed services, security and AI-driven solutions can thrive, while those who only resell licenses may struggle. This is especially true for smaller MSPs. They may lose their direct relationship with Microsoft, pushing them to partner with distributors.

To remain eligible, indirect resellers must generate a minimum of $1,000 in TTM revenue. Many smaller MSPs may no longer qualify for the CSP program, and this higher revenue threshold could mean less margin.

Stricter security requirements and compliance checks will increase operational burden for MSPs, especially those operating with smaller teams. They’ll be forced to either scale quickly to meet the threshold and differentiate their services or transition to an indirect reseller model under a distributor.

How SaaS Alerts helps MSPs stay compliant

Cyber resilience is the key to both revenue and CSP participation. With SaaS Alerts, meeting Microsoft’s new CSP security posture requirements can be easier than you think.

Our industry-leading SaaS security platform can help you:

Boost your Partner Center secure score effortlessly

  • SaaS Alerts closes MFA gaps automatically by continuously monitoring admin roles and customer tenants, ensuring MFA is always enforced where it matters most.
  • It validates and maintains designated security contacts, ensuring they’re properly set and up to date.

Deliver 24/7 threat monitoring and instant response

SaaS Alerts’ always-on protection detects suspicious account activity in real time. Once unusual activities are detected, it alerts your IT technicians immediately, enabling you to meet Microsoft’s strict 24-hour response requirement with ease.

Simplify compliance and reporting

SaaS Alerts generates audit-ready insights to demonstrate compliance and support annual operational reviews.

October 1 marks a major shift for Microsoft CSP partners. MSPs that act now can stay compliant, protect customer tenants more effectively and enhance profitability.

Discover how SaaS Alerts empowers MSPs like you to strengthen Microsoft 365 offerings and stay compliant with confidence. Learn more.

One Complete Platform for IT & Security Management

Kaseya 365 is the all-in-one solution for managing, securing, and automating IT. With seamless integrations across critical IT functions, it simplifies operations, strengthens security, and boosts efficiency.

Get a demo Explore Kaseya 365

How to build a SaaS security stack

Read the blog to learn how to build a robust SaaS security stack to strengthen client protection.

Read blog post

What history teaches us about cybersecurity

Learn how past battles show why cybersecurity needs prevention and response. See how Kaseya 365 Endpoint defends and responds to stop threat actors.

Read blog post

How to reduce cybersecurity spend without increasing risk 

Learn why prevention costs less than recovery. See how Kaseya 365 Endpoint keeps businesses and MSPs secure without breaking the budget.

Read blog post