On this page

Partner Onboarding

Partner onboarding establishes the technical relationship between your organisation and implementing partners who will access your systems, handle your data, or integrate their platforms with yours. The onboarding process translates partnership agreements into operational IT configurations: accounts provisioned, access scoped appropriately, security requirements communicated, and monitoring established.

This task covers partners who need access to organisational systems or who will handle organisational data. It does not cover vendor relationships (see Vendor Selection and Onboarding) or technical integration work (see Partner System Integration).

Prerequisites

Complete these requirements before beginning partner onboarding:

Prerequisite	Verification	Source
Partnership agreement signed	Legal confirmation of executed agreement	Programme or partnerships team
Partner technology assessment complete	Assessment report with risk rating	Partner Technology Assessment
Data sharing agreement executed	Signed DSA covering data flows	Legal or data protection officer
Named partner IT contact identified	Contact details and authority confirmed	Partner organisation
Budget allocated for partner licences	Cost centre or project code confirmed	Finance
Sponsoring manager identified	Internal owner for partner relationship	Programme team

You need the following information from the partnership agreement and assessment:

Partner organisation legal name and registration
Number of partner staff requiring access
Specific systems and data the partner will access
Duration of partnership (for access expiry configuration)
Geographic locations where partner staff will work
Any elevated access requirements identified during assessment
Risk rating from technology assessment (Low, Medium, High, Critical)

Assessment requirement

Do not proceed with onboarding if the partner technology assessment identified Critical risk without documented executive acceptance of residual risk. High-risk partners require additional security controls configured during onboarding.

Procedure

Phase 1: Prepare onboarding package

Create a partner record in your identity management system. Use a consistent naming convention that distinguishes partners from employees:

   Partner organisation code: PARTNERORG
   Partner user format: ext-PARTNERORG-firstname.lastname
   Partner group format: grp-partner-PARTNERORG
   Partner group for all external users: grp-external-partners

In Microsoft Entra ID, create the partner group:

   # Create partner-specific security group
   New-MgGroup -DisplayName "grp-partner-acme-ngo" `
     -Description "ACME NGO implementing partner - Project Sunrise" `
     -MailEnabled:$false `
     -SecurityEnabled:$true `
     -MailNickname "grp-partner-acme-ngo"

   # Add to umbrella external partners group
   $partnerGroup = Get-MgGroup -Filter "displayName eq 'grp-partner-acme-ngo'"
   $externalGroup = Get-MgGroup -Filter "displayName eq 'grp-external-partners'"
   New-MgGroupMember -GroupId $externalGroup.Id -DirectoryObjectId $partnerGroup.Id

In Keycloak, create the partner group under your partners realm or organisational unit:

   # Using Keycloak admin CLI
   kcadm.sh create groups -r production -s name="partner-acme-ngo" \
     -s attributes.partner_code='["ACME"]' \
     -s attributes.partnership_end='["2025-12-31"]' \
     -s attributes.risk_rating='["Medium"]'

Determine access scope based on partnership requirements and risk rating. Access follows the principle of least privilege: partners receive only the access necessary for their defined role in the partnership.
For a partner with Medium risk rating requiring access to programme data and case management:

   +------------------------------------------------------------------+
   |                    PARTNER ACCESS SCOPE                          |
   +------------------------------------------------------------------+
   |                                                                  |
   |  Partner: ACME NGO          Risk Rating: Medium                  |
   |  Partnership: Project Sunrise    Duration: 24 months             |
   |                                                                  |
   |  +------------------------+    +------------------------+        |
   |  |    GRANTED ACCESS      |    |    EXCLUDED ACCESS     |        |
   |  +------------------------+    +------------------------+        |
   |  |                        |    |                        |        |
   |  | Case management system |    | Finance systems        |        |
   |  | (read + write own)     |    | HR systems             |        |
   |  |                        |    | Admin consoles         |        |
   |  | SharePoint project     |    | Other project sites    |        |
   |  | site (contribute)      |    | Email (full access)    |        |
   |  |                        |    | Global address list    |        |
   |  | Teams channel          |    | Internal Teams         |        |
   |  | (Project Sunrise)      |    |                        |        |
   |  |                        |    |                        |        |
   |  +------------------------+    +------------------------+        |
   |                                                                  |
   +------------------------------------------------------------------+

Document the access scope in your IT service management system, linking to the partnership agreement reference.

Configure conditional access policies for partner access. Partners connecting from outside your managed network require additional verification:
In Microsoft Entra ID conditional access:

   Policy name: CA-Partner-Access-Controls

   Assignments:
     Users: grp-external-partners
     Cloud apps: [Case Management App], [SharePoint], [Teams]
     Conditions:
       Locations: All locations
       Device platforms: All platforms
       Client apps: Browser, Mobile apps and desktop clients

   Access controls:
     Grant: Require MFA
     Session:
       Sign-in frequency: 12 hours
       Persistent browser session: Never

For High-risk partners, add device compliance requirements if the partner uses managed devices, or restrict to web-only access if they do not:

   Policy name: CA-HighRisk-Partner-Controls

   Assignments:
     Users: grp-partner-highrisk-org
     Cloud apps: All cloud apps

   Access controls:
     Grant: Require MFA AND require compliant device
     Session:
       Sign-in frequency: 4 hours

   # If partner devices are unmanaged, create alternative policy:
   Policy name: CA-HighRisk-Partner-WebOnly

   Assignments:
     Users: grp-partner-highrisk-org
     Client apps: Mobile apps and desktop clients

   Access controls:
     Block

Prepare the partner minimum standards document customised for this partnership. The template in the appendix provides the base; modify thresholds based on the partner’s risk rating and your assessment findings.
For a Medium-risk partner, the standards document should specify:
- MFA required for all partner staff accessing your systems
- Password minimum 12 characters where your systems do not enforce this
- Device encryption required on any device accessing organisational data
- Security awareness training completion within 30 days
- Incident notification within 24 hours
- Quarterly access review participation
Save the completed standards document in your partnership folder with the naming convention: PARTNERORG_IT_Standards_YYYY-MM-DD.pdf

Phase 2: Provision partner access

Invite partner users through your identity provider’s B2B collaboration or external identity features. Collect the following for each partner user:
- Full name as it appears on official documents
- Work email address at the partner organisation
- Mobile phone number for MFA registration
- Job title and role in the partnership
- Specific access requirements beyond base partner access
In Microsoft Entra ID, send B2B invitations:

   # Single user invitation
   New-MgInvitation -InvitedUserEmailAddress "j.smith@partner-org.example" `
     -InvitedUserDisplayName "Jane Smith (ACME NGO)" `
     -SendInvitationMessage:$true `
     -InviteRedirectUrl "https://myapps.microsoft.com" `
     -InvitedUserMessageInfo @{
       CustomizedMessageBody = "Welcome to our partnership. Please accept this invitation to access Project Sunrise systems."
     }

   # Batch invitation from CSV
   Import-Csv "partner-users.csv" | ForEach-Object {
     New-MgInvitation -InvitedUserEmailAddress $_.Email `
       -InvitedUserDisplayName "$($_.Name) ($($_.Organisation))" `
       -SendInvitationMessage:$true `
       -InviteRedirectUrl "https://myapps.microsoft.com"
   }

The CSV format for batch invitations:

   Email,Name,Organisation,Role
   j.smith@partner.example,Jane Smith,ACME NGO,Case Worker
   m.jones@partner.example,Michael Jones,ACME NGO,Project Manager

In Keycloak with identity brokering, create partner users linked to their home identity provider if federation is configured, or as local accounts if not:

   # Create partner user
   kcadm.sh create users -r production \
     -s username="ext-acme-jsmith" \
     -s email="j.smith@partner.example" \
     -s firstName="Jane" \
     -s lastName="Smith" \
     -s enabled=true \
     -s "attributes.partner_org=[\"ACME NGO\"]" \
     -s "attributes.access_expiry=[\"2025-12-31\"]"

   # Add to partner group
   USER_ID=$(kcadm.sh get users -r production -q username=ext-acme-jsmith --fields id --format csv | tail -1)
   GROUP_ID=$(kcadm.sh get groups -r production -q name=partner-acme-ngo --fields id --format csv | tail -1)
   kcadm.sh update users/$USER_ID/groups/$GROUP_ID -r production -s realm=production -n

Add partner users to the appropriate groups and assign application access. Access assignment depends on your identity platform and application architecture:

   +------------------------------------------------------------------+
   |                    ACCESS PROVISIONING FLOW                      |
   +------------------------------------------------------------------+
   |                                                                  |
   |  Partner User                                                    |
   |       |                                                          |
   |       v                                                          |
   |  +----+----+                                                     |
   |  | Accept  |                                                     |
   |  | invite  |                                                     |
   |  +----+----+                                                     |
   |       |                                                          |
   |       v                                                          |
   |  +----+----+     +------------------+     +------------------+   |
   |  | Register|---->| Add to partner   |---->| Conditional      |   |
   |  | MFA     |     | security group   |     | access applies   |   |
   |  +---------+     +--------+---------+     +------------------+   |
   |                           |                                      |
   |       +-------------------+-------------------+                  |
   |       |                   |                   |                  |
   |       v                   v                   v                  |
   |  +----+----+        +-----+------+       +-----+-----+           |
   |  | Case    |        | SharePoint |       | Teams     |           |
   |  | Mgmt    |        | Site       |       | Channel   |           |
   |  | App     |        | Access     |       | Access    |           |
   |  +---------+        +------------+       +-----------+           |
   |                                                                  |
   +------------------------------------------------------------------+

For SharePoint site access:

   # Connect to SharePoint
   Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/ProjectSunrise" -Interactive

   # Add partner group as site members (contribute access)
   Add-PnPGroupMember -LoginName "c:0t.c|tenant|grp-partner-acme-ngo-guid" `
     -Group "Project Sunrise Members"

   # For restricted library access only (not full site):
   Set-PnPListPermission -Identity "Partner Documents" `
     -AddRole "Contribute" `
     -Group "grp-partner-acme-ngo"

For Teams channel access:

   # Add partner group to specific channel, not the entire team
   $team = Get-MgTeam -Filter "displayName eq 'Project Sunrise'"
   $channel = Get-MgTeamChannel -TeamId $team.Id -Filter "displayName eq 'Partner Collaboration'"

   # Note: External users join via channel sharing, not direct group membership
   # Create shareable link for the channel
   New-MgTeamChannelSharedWithTeam -TeamId $team.Id -ChannelId $channel.Id

Configure application-specific access. Most applications beyond Microsoft 365 require separate access configuration even after identity provisioning:
For case management systems (using Primero as an example):

   # Primero role configuration for partner users
   Role.create!(
     name: "Partner Case Worker",
     permissions: {
       case: [:read, :write, :create],
       incident: [:read],
       tracing_request: [:read],
       dashboard: [:view]
     },
     group_permission: "group",  # Can only see cases in their group
     is_manager: false,
     reporting_location_level: 2  # District level only
   )

   # Create partner user group
   UserGroup.create!(
     name: "ACME NGO - Project Sunrise",
     agency_ids: [Agency.find_by(name: "ACME NGO").id]
   )

For data collection platforms (KoboToolbox example):

   # Add partner to project via API
   curl -X POST "https://kf.kobotoolbox.org/api/v2/assets/PROJECT_UID/permission-assignments/" \
     -H "Authorization: Token YOUR_API_TOKEN" \
     -H "Content-Type: application/json" \
     -d '{
       "user": "https://kf.kobotoolbox.org/api/v2/users/partner_user/",
       "permission": "https://kf.kobotoolbox.org/api/v2/permissions/add_submissions/"
     }'

Set access expiry aligned with the partnership duration. All partner accounts should have explicit expiry dates:
In Microsoft Entra ID:

   # Set guest user expiry via access review
   New-MgIdentityGovernanceAccessReviewDefinition `
     -DisplayName "Partner ACME NGO Quarterly Review" `
     -Scope @{
       Query = "/groups/grp-partner-acme-ngo-guid/members"
       QueryType = "MicrosoftGraph"
     } `
     -Reviewers @(
       @{
         Query = "/users/sponsor-manager-guid"
         QueryType = "MicrosoftGraph"
       }
     ) `
     -Settings @{
       MailNotificationsEnabled = $true
       JustificationRequiredOnApproval = $true
       DefaultDecisionEnabled = $true
       DefaultDecision = "Deny"  # Remove access if not reviewed
       InstanceDurationInDays = 14
       Recurrence = @{
         Pattern = @{ Type = "absoluteMonthly"; Interval = 3 }
         Range = @{
           Type = "endDate"
           EndDate = "2025-12-31"  # Partnership end date
         }
       }
     }

In Keycloak, use the access_expiry attribute configured during user creation and implement a scheduled job to disable expired accounts:

   #!/bin/bash
   # partner-expiry-check.sh - run daily via cron

   TODAY=$(date +%Y-%m-%d)

   # Find users with expired access
   kcadm.sh get users -r production -q "attributes.access_expiry<=$TODAY" \
     --fields id,username,attributes | \
   jq -r '.[] | select(.attributes.access_expiry[0] <= "'$TODAY'") | .id' | \
   while read USER_ID; do
     kcadm.sh update users/$USER_ID -r production -s enabled=false
     echo "Disabled expired partner user: $USER_ID"
   done

Phase 3: Communicate requirements and provide training

Send the partner minimum standards document to the partner IT contact with a formal cover communication. The cover email should:
- Reference the partnership agreement
- Attach the customised standards document
- Request written acknowledgment within 14 days
- Identify the internal sponsor and IT contact for questions
- Include the security incident notification email address
Template cover email:

   Subject: IT Security Standards - [Partnership Name]

   Dear [Partner IT Contact],

   Following the execution of our partnership agreement for [Project Name],
   please find attached the IT security standards that apply to your
   organisation's access to our systems and handling of our data.

   These standards reflect the requirements identified during our technology
   assessment and are proportionate to the access level and data sensitivity
   involved in this partnership.

   Please review these standards with your technical team and return the
   signed acknowledgment page within 14 days. The acknowledgment confirms
   your organisation understands and will implement these requirements.

   Key dates:
   - Standards acknowledgment due: [Date + 14 days]
   - User access activation: Upon acknowledgment receipt
   - Security awareness training deadline: [Date + 30 days]

   Your primary contacts are:
   - Partnership sponsor: [Name, email]
   - IT support: [Name, email, phone]
   - Security incidents: security-incidents@example.org

   Please contact me if you have questions about any requirement.

   Regards,
   [Your name]

Schedule orientation sessions for partner users. Cover the following topics in a 60-90 minute session:
- System access methods (URLs, apps, authentication)
- MFA registration and use
- Password requirements and management
- Data handling expectations
- Acceptable use summary
- Incident reporting procedures
- Support contact methods
Provide written quick-reference materials covering:

   +-------------------------------------------------------------------+
   |                    PARTNER QUICK REFERENCE                        |
   +-------------------------------------------------------------------+
   |                                                                   |
   |  ACCESS URLS                                                      |
   |  ---------------------------------------------------------------- |
   |  Portal:     https://myapps.microsoft.com                         |
   |  SharePoint: https://contoso.sharepoint.com/sites/ProjectSunrise  |
   |  Case Mgmt:  https://cases.example.org                            |
   |                                                                   |
   |  SUPPORT                                                          |
   |  ---------------------------------------------------------------- |
   |  Email:      it-support@example.org                               |
   |  Hours:      Monday-Friday 08:00-18:00 UTC                        |
   |  Response:   Within 4 business hours                              |
   |                                                                   |
   |  SECURITY INCIDENTS                                               |
   |  ---------------------------------------------------------------- |
   |  Email:      security-incidents@example.org                       |
   |  Phone:      +44 xxx xxx xxxx (24/7 for critical incidents)       |
   |  Report:     Suspicious emails, unauthorised access, data loss    |
   |                                                                   |
   |  YOUR RESPONSIBILITIES                                            |
   |  ---------------------------------------------------------------- |
   |  - Complete MFA registration before first access                  |
   |  - Complete security awareness training within 30 days            |
   |  - Report security incidents within 24 hours                      |
   |  - Do not share credentials or forward access invitations         |
   |  - Do not download data to personal devices                       |
   |                                                                   |
   +-------------------------------------------------------------------+

Verify partner users complete MFA registration. Users cannot access systems until MFA is configured. Track registration status:
In Microsoft Entra ID:

   # Check MFA registration status for partner group
   $partnerGroup = Get-MgGroup -Filter "displayName eq 'grp-partner-acme-ngo'"
   $members = Get-MgGroupMember -GroupId $partnerGroup.Id -All

   $members | ForEach-Object {
     $user = Get-MgUser -UserId $_.Id -Property DisplayName,UserPrincipalName
     $authMethods = Get-MgUserAuthenticationMethod -UserId $_.Id

     [PSCustomObject]@{
       Name = $user.DisplayName
       Email = $user.UserPrincipalName
       MFARegistered = ($authMethods.Count -gt 1)  # Password + at least one other
       Methods = ($authMethods | ForEach-Object { $_.AdditionalProperties.'@odata.type'.Split('.')[-1] }) -join ', '
     }
   } | Format-Table -AutoSize

Expected output showing registration status:

   Name                    Email                        MFARegistered Methods
   ----                    -----                        ------------- -------
   Jane Smith (ACME NGO)   j.smith_partner.example#EXT  True          passwordAuthenticationMethod, microsoftAuthenticatorAuthenticationMethod
   Michael Jones (ACME NGO) m.jones_partner.example#EXT False         passwordAuthenticationMethod

Follow up with unregistered users. If a user has not registered MFA within 7 days of invitation acceptance, contact the partner IT contact.

Track security awareness training completion. If your organisation uses a training platform, enrol partner users:

   # Example: Adding partner users to KnowBe4 training campaign
   # Export partner users to CSV for import

   # Using Microsoft Graph
   Get-MgGroupMember -GroupId $partnerGroup.Id -All | ForEach-Object {
     $user = Get-MgUser -UserId $_.Id -Property DisplayName,Mail
     [PSCustomObject]@{
       email = $user.Mail
       first_name = $user.DisplayName.Split(' ')[0]
       last_name = $user.DisplayName.Split(' ')[-1] -replace '\(.*\)',''
       groups = "Partner - ACME NGO"
     }
   } | Export-Csv -Path "partner-training-import.csv" -NoTypeInformation

If you do not use a training platform, provide self-service training materials and require signed attestation of completion.

Phase 4: Establish ongoing monitoring

Configure audit logging for partner access. Ensure you can answer: what did partner users access, when, and from where?
In Microsoft 365, partner access is logged in the unified audit log. Create a saved search for partner activity:

   # Search partner user activity
   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
     -UserIds "*#EXT#*" `
     -ResultSize 1000 |
   Select-Object CreationDate, UserIds, Operations, AuditData |
   Export-Csv "partner-audit-7days.csv" -NoTypeInformation

For ongoing monitoring, configure an alert policy:

   # Create alert for unusual partner activity
   New-ProtectionAlert -Name "Partner User - Unusual Download Volume" `
     -Category DataLossPrevention `
     -NotifyUser "security-team@example.org" `
     -ThreatType Activity `
     -Operation FileDownloaded `
     -Description "Alert when partner users download more than 50 files in 24 hours" `
     -Severity Medium `
     -Threshold 50 `
     -TimeWindow 1440 `
     -Condition "UserType -eq 'Guest'"

Add the partner to your access review schedule. Quarterly reviews are appropriate for most partnerships; monthly reviews for High-risk partners:

Risk Rating	Review Frequency	Reviewer	Auto-Revoke
Low	Every 6 months	Sponsoring manager	After 30 days non-response
Medium	Quarterly	Sponsoring manager	After 14 days non-response
High	Monthly	Sponsoring manager + IT security	After 7 days non-response
Critical	Monthly	IT security + senior leadership	Immediately

Document the partner relationship in your configuration management database or IT documentation system:

   # Partner record structure
   partner:
     name: "ACME NGO"
     code: "ACME"
     partnership:
       name: "Project Sunrise"
       agreement_ref: "PA-2024-0042"
       start_date: "2024-01-15"
       end_date: "2025-12-31"
       sponsor: "Sarah Johnson"
     risk:
       rating: "Medium"
       assessment_date: "2024-01-08"
       assessment_ref: "PTA-2024-0015"
     access:
       identity_group: "grp-partner-acme-ngo"
       systems:
         - name: "Case Management"
           access_level: "Case Worker"
         - name: "SharePoint"
           site: "ProjectSunrise"
           access_level: "Contribute"
         - name: "Teams"
           channel: "Partner Collaboration"
       user_count: 12
       review_schedule: "Quarterly"
     contacts:
       it_primary: "tech@partner.example"
       it_secondary: "backup-tech@partner.example"
     standards:
       document: "ACME_IT_Standards_2024-01-15.pdf"
       acknowledged: "2024-01-22"
       acknowledged_by: "Partner IT Manager"

Schedule periodic check-ins with the partner IT contact. These need not be formal meetings; a brief email exchange quarterly confirms:
- Current user list remains accurate
- No access issues experienced
- No security incidents to report
- Any changes in partner IT infrastructure relevant to the partnership

Verification

Confirm successful partner onboarding by verifying:

Access functionality:

# Verify partner users can authenticate
# Ask one partner user to sign in and capture sign-in logs

Get-MgAuditLogSignIn -Filter "userId eq 'partner-user-guid' and status/errorCode eq 0" -Top 5 |
  Select-Object CreatedDateTime, AppDisplayName, DeviceDetail, Location

Expected output shows successful sign-in:

CreatedDateTime      AppDisplayName    DeviceDetail                Location
---------------      --------------    ------------                --------
2024-01-22T14:32:00  Office 365        @{browser=Chrome; os=Win}   @{city=Nairobi}

Conditional access application:

# Verify conditional access policies applied
Get-MgAuditLogSignIn -Filter "userId eq 'partner-user-guid'" -Top 1 |
  Select-Object -ExpandProperty ConditionalAccessPolicies

# Expected: CA-Partner-Access-Controls shows "success" (policy applied, access granted)
# If MFA not completed: "failure" (policy applied, access blocked)

Group membership:

# Verify user is in correct groups
$user = Get-MgUser -Filter "mail eq 'j.smith@partner.example'"
Get-MgUserMemberOf -UserId $user.Id |
  Select-Object -ExpandProperty AdditionalProperties |
  Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' } |
  ForEach-Object { $_.displayName }

# Expected: grp-partner-acme-ngo, grp-external-partners

Standards acknowledgment:

Confirm receipt of signed standards acknowledgment document in partnership folder.

Training enrolment:

Verify partner users appear in security awareness training roster with appropriate completion deadline.

Troubleshooting

Symptom	Cause	Resolution
Partner user cannot accept invitation	Email delivered to spam or blocked	Request partner whitelist your tenant domain; resend invitation
Invitation acceptance fails with “account exists”	Partner email already registered as Microsoft account	User must sign in with existing Microsoft account, not create new one
User accepted invitation but cannot access applications	Not added to partner security group	Add user to grp-partner-PARTNERORG; wait 15 minutes for propagation
”You cannot access this application” error	Conditional access blocking due to unregistered MFA	User must complete MFA registration at aka.ms/mfasetup
MFA registration loops or fails	Corrupted registration state	Delete user’s existing auth methods: `Remove-MgUserAuthenticationMethod -UserId X -AuthenticationMethodId Y`
Partner can see other projects in SharePoint	Inherited permissions from site collection	Use unique permissions on site; break inheritance
Partner cannot find shared Teams channel	Channel sharing not completed	Complete channel sharing workflow; may require channel owner action
Application shows “access denied” after successful auth	Application-level permissions not configured	Configure role/group assignment in the specific application
Partner reports slow access from their location	Geographic latency to your cloud region	Consider whether partnership justifies regional configuration; document known limitation
Guest user creation blocked by policy	Tenant policy restricts guest invitations	Request security team enable guest access for your admin account or specific partner domain
Partner user disabled unexpectedly	Automated expiry or failed access review	Check access review results and expiry attributes; re-enable if appropriate
Partner cannot access files marked sensitive	Information protection policy blocking external access	Review sensitivity labels applied; consider partner-specific label exception
Partner receives excessive MFA prompts	Session lifetime too short in conditional access	Review session controls; extend sign-in frequency for trusted partners
Training platform rejects partner email	Domain not in allowed list	Add partner email domain to training platform; may require support ticket
Audit logs show no partner activity	Wrong filter or user identifier	Use guest user format in filter: `username_domain.com#EXT#@yourtenant.onmicrosoft.com`

Partner Minimum Standards Template

The following template establishes baseline IT security requirements for implementing partners. Customise thresholds based on risk rating and specific partnership requirements.

IT Security Standards for Implementing Partners

Partnership: [Partnership name] Partner organisation: [Partner legal name] Effective date: [Date] Review date: [Date + 12 months]

Access Management

1.1. Partner staff accessing [Organisation] systems must use individual accounts. Shared accounts are prohibited.

1.2. All access requires multi-factor authentication (MFA). Acceptable MFA methods: authenticator app, hardware security key. SMS-based MFA is not accepted for High-risk partnerships.

1.3. Passwords must be at least 12 characters where [Organisation] systems do not enforce minimum length.

1.4. Partner staff must not share credentials or authentication factors.

1.5. Partner organisation must notify [Organisation] within 24 hours when a user no longer requires access (departure, role change).

Device Security

2.1. Devices accessing [Organisation] systems must use full-disk encryption (BitLocker, FileVault, or equivalent).

2.2. Devices must run supported operating systems with security updates applied within 30 days of release.

2.3. Devices must run endpoint protection software with current definitions.

2.4. For High-risk partnerships: Device compliance may be verified via [Organisation] mobile device management enrolment.

Data Handling

3.1. Data accessed through [Organisation] systems must not be downloaded to personal devices unless specifically authorised in the data sharing agreement.

3.2. Data must not be transferred to third parties without written authorisation from [Organisation].

3.3. Partner organisation must maintain data handling records sufficient to demonstrate compliance with data sharing agreement.

3.4. At partnership conclusion, Partner must securely delete all [Organisation] data within 30 days and certify deletion in writing.

Security Awareness

4.1. Partner staff with access to [Organisation] systems must complete security awareness training within 30 days of receiving access.

4.2. Partner organisation must provide annual security awareness refresher training to all staff with access.

Incident Notification

5.1. Partner must notify [Organisation] security team within 24 hours of discovering any security incident that may affect [Organisation] data or system access, including:

Suspected or confirmed unauthorised access
Malware infection on devices with access to [Organisation] systems
Loss or theft of devices with access to [Organisation] systems
Partner staff credentials compromised

5.2. Security incident notifications: security-incidents@example.org

Compliance Verification

6.1. Partner agrees to participate in quarterly access reviews, confirming current user list and access requirements.

6.2. [Organisation] may request evidence of compliance with these standards. Partner agrees to respond to such requests within 14 days.

6.3. For High-risk partnerships: [Organisation] may conduct or commission security assessments of Partner’s systems and practices with 30 days notice.

Acknowledgment

By signing below, Partner organisation acknowledges receipt and understanding of these IT security standards and commits to implementing them for the duration of the partnership.


Partner organisation:	________________________________
Authorised signatory name:	________________________________
Title:	________________________________
Signature:	________________________________
Date:	________________________________