Microsoft has issued a final reminder: starting April 1, 2026, multifactor authentication (MFA) will be enforced across all Partner Center app+user APIs. Any API calls made without MFA after that date will be blocked.

This is not a soft warning. If your systems are not updated, expect service disruptions.

What Is Changing?

All app+user API calls to Partner Center must include a valid MFA claim. Requests without one will receive:

- HTTP 401 response code
- Error code 900421

Microsoft is already enforcing this for sandbox tenants, and all APIs are MFA-enabled and available for testing right now.

Why This Matters

This enforcement follows the MFA requirements Microsoft implemented in September 2025 for the Partner Center portal. It extends those same protections to API access — closing a significant gap in the security chain.

According to Microsoft, MFA protects against 99% of identity-based attacks. For partners handling customer data and managing subscriptions through APIs, this is a critical layer of defence.

What You Need to Do Before April 1

  1. Review MFA requirements — Understand the supported MFA options for Partner Center.
  2. Update your integrations — Ensure every app+user API call sends an access token that carries a valid MFA claim.
  3. Validate your setup — Use Microsoft's guide to confirm your API calls include MFA.
  4. Test now — All APIs are already MFA-enabled. Don't wait until enforcement day to find out something is broken.
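
A local pre-flight check for steps 2 and 3, as an added example that is not from Microsoft or from this article. It assumes the MFA claim appears as the value `mfa` in the token's `amr` (authentication methods reference) claim; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json
import time


def decode_claims(token: str) -> dict:
    """Decode a JWT payload for inspection. The signature is NOT verified:
    this is a diagnostic for your own tokens, not an authorization check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three segments)")
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def mfa_preflight(token: str, now=None) -> list:
    """Return a list of problems; an empty list means the token carries
    an MFA claim (assumed: 'mfa' in 'amr') and has not expired."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    amr = claims.get("amr", [])
    if isinstance(amr, str):  # tolerate a single string value
        amr = [amr]
    if "mfa" not in amr:
        problems.append("amr claim lacks 'mfa'")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or missing exp")
    return problems


def is_mfa_block(status: int, error_code) -> bool:
    """True for the rejection this article describes: HTTP 401 + 900421."""
    return status == 401 and str(error_code) == "900421"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

Run `mfa_preflight` on the token your integration actually acquires, in a sandbox tenant, and alert on `is_mfa_block` in your API client so a regression shows up as an MFA failure rather than a generic 401.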

The Bottom Line

If you're a CSP partner, distributor, or anyone integrating with Partner Center APIs — this is your deadline. April 1 is not a drill. Get your MFA sorted now, or prepare for blocked calls and unhappy customers.

For full details, see Microsoft's official announcement.