App Compliance Automation Tool for Microsoft 365 launching in public preview
Enterprise governance, risk and compliance teams, and IT Admins want to ensure that applications deployed in their organization’s Microsoft 365 tenant are secure and compliant. And that they meet the leading industry compliance standards (e.g., SOC2, ISO, GDPR etc.). To provide visibility into an application’s security and compliance posture and to increase our customers’ trust in these applications, Microsoft launched the Microsoft 365 App Compliance program. As a part of this program, developers provide information about the security, data handling and compliance attributes of their application which are most important to enterprise customers. This information is then audited against a set of controls derived from leading industry standard frameworks to award the Microsoft 365 certification. This certification gives customers assurance that apps that have received the certification have strong security and compliance practices in place to protect their data, security, and privacy.
Achieving the Microsoft 365 certification involves collecting the required evidence for application, operational and data security controls. This takes a significant amount of time for you, the app developer. To simplify this process, Microsoft is now launching the App Compliance Automation Tool (ACAT) for Microsoft 365 in public preview. ACAT automates ~37% of the Microsoft 365 certification controls, decreasing the time to achieve the Microsoft 365 certification.
What is App Compliance Automation Tool for Microsoft 365?
ACAT is an application-centric compliance automation tool that is deployed as a service in the Azure portal, allowing you to define the compliance boundary for your applications. ACAT enables you to get automated compliance reports and alerts to continuously monitor your application and remediate any compliance failures. And you can download and share these detailed compliance reports with your customers. IT Admins can also leverage these reports to ensure that the application has met the right level of compliance controls before deploying apps into an organization’s Microsoft 365 tenant.
Getting started with App Compliance Automation Tool
ACAT will be available in public preview on November 16, 2022. It will be enabled as service in the Azure portal.
Follow these steps to get started:
- Navigate to All Services in the Azure portal
- Search for the App Compliance Automation Tool for Microsoft 365
- Launch the ACAT tool.
Creating a new compliance report
To create a new compliance report, select Reports from the left navigation menu and click on Create new report. You can add details such as the report name, report daily trigger time, Azure subscription and resource details to specify your application’s compliance boundary.
Viewing compliance results
To view the compliance results, select Reports from the left navigation menu. Click on any compliance report to see its details. To view the controls that failed, you can filter for Customer responsibility = Failed. To fix these controls, click on the specific customer responsibility to open a flyout where you can identify appropriate unhealthy resources and review associated remediation steps.
Sharing compliance results with customers
Once you have fixed all the compliance controls and you are ready to share your compliance report with your customer, click on Download report. Select Microsoft 365 certification compliance assessment summary to get a PDF file of your compliance results.
Dashboard view of compliance reports
You can select Overview from the left navigation menu to see a dashboard view of all compliance reports and their app’s compliance to Microsoft 365 certification controls.
Achieving Microsoft 365 certification
ISV developers can use the ACAT report to automate the evidence collection process for achieving the Microsoft 365 certification, making it much faster and easier. Navigate to Microsoft 365 app compliance and certification workflow in Partner Center and provide a reference to the specific ACAT report. The Microsoft 365 certification team will review the ACAT report submission to award the Microsoft 365 certification badge.
ACAT will be available in public preview on November 16, 2022. If you would like to receive a follow-up closer to the public preview launch, please provide your information here.
We encourage you to try it out and share feedback with us in this form – https://aka.ms/acat/feedback. We appreciate all feedback we receive. It helps us deliver experiences that truly matter to you.
Visit the documentation at http://aka.ms/acat to learn more about how ACAT can help you in your compliance journey and increase your app trust by customers.