Microsoft 365 App Compliance Program overview

The Microsoft 365 App Compliance Program builds trust in the apps and add-ins customers use within Microsoft 365. Independent Software Vendors (ISVs) can prove their application's security and compliance by undergoing Publisher Attestation, Microsoft 365 Certification, or by utilizing ACAT: the App Compliance Automation Tool in Azure.

To help customers find and deploy secure applications for their organizations, Microsoft 365 Certified and Publisher Attested apps are showcased across Microsoft 365 storefronts and admin pages with specialized badging, filters, and consent prompts. Certified and attested apps receive dedicated pages in this documentation set providing information to help expedite security and compliance reviews and shorten sales cycles.

"Find the Microsoft 365 Certification badge wherever you find Microsoft 365 apps and add-ins"

Publisher Attestation

ISVs may complete a self-assessment of their app's security, data handling, and compliance practices. The information provided will be published in a dedicated page within this documentation set (see find compliant apps) and throughout the Microsoft 365 ecosystem to share with potential customers.

Program benefits include:

  • Increased transparency for potential customers to speed up app adoption.
  • Specialized badging and filters to stand out in Microsoft 365 storefronts and admin centers.
  • Most attestations can be completed in one hour or less. (Depending on app framework)

ACAT

The App Compliance Automation Tool (ACAT) for Microsoft 365 is a service in Azure portal that helps automate security and compliance apps that consume Microsoft 365 customer data and are published in Partner Center. ACAT can shorten Microsoft 365 Certification by automating some of the required. Currently in public preview, ACAT is only available for apps running on Azure.

In addition to providing a faster track to Microsoft 365 Certification, ACAT can help in various compliance scenarios for Microsoft 365 applications:

  • Detailed view and remediation steps for Microsoft 365 Certification responsibilities.
  • Automatic daily reports to help you monitor app compliance continuously.
  • Security and compliance best-practice guidance to help build trustworthy apps.

Microsoft 365 Certification

Apps are put through an independent audit of their security and compliance frameworks. Certified apps complete yearly penetration testing and reviews of data-handling, privacy, and security attributes. Microsoft 365 Certification is recommended for apps that have high governance needs or call from Microsoft Graph. Certification may be a pre-requisite for enablement in the Microsoft tenant in certain instances.

Apps will be vetted against a series of security controls derived from leading industry standard frameworks such as SOC 2, PCI DSS, and ISO 27001. Certification is assessed across the following three domains:

Note

The Microsoft 365 Certification, ACAT, and Publisher attestation applies to apps that integrate with the following Microsoft products:

Teams, Word, Excel, PowerPoint, Outlook, SharePoint, Project, OneNote, Webapps (SaaS apps published through commercial marketplace in Partner Center are currently in a private preview, if you're interested in participating please fill out this form.

NEW FEATURE

Microsoft 365 Certification has partnered with Teams and Microsoft Admin Portals to expedite the review of applications by providing more evidence of compliance. App developers can now mark pieces of evidence to share with IT Admins. Microsoft will be the broker of this information but control of sharing documentation will be with the developers.

Get started: