The App Compliance Automation Tool (ACAT) in Azure helps to simplify the compliance journey for any app that consumes Microsoft 365 customer data and is published via Partner Center.
Natively integrated into the Microsoft 365 Certification framework, ACAT shows customers that an app has been vetted against controls derived from leading industry standards and that strong security and compliance practices are in place to protect customer data.
Define the compliance boundary for your Microsoft 365 application on Azure and AWS
ACAT enables developers to quickly define the compliance boundary for their applications, automatically monitor compliance results, and streamline the completion of compliance audits. The compliance boundary encompasses the cloud infrastructure that supports the app’s delivery and any backend systems with which the app may communicate. ACAT is available in public preview for applications running on Azure, AWS, or a hybrid configuration.
Daily refreshed automated control assessments and automated evidence collection as needed
ACAT automatically collects compliance data and generates control assessments. From the ACAT dashboard in Azure, click View > Microsoft 365 Certification. Any non-compliant resources can be addressed by implementing the recommended solutions or by providing supplementary compliance evidence to demonstrate an internal solution that mitigates the specific security control.
In addition to automated compliance assessments, if ACAT identifies supported resource types from your compliance report definition, it can simplify the evidence collection process. This facilitates the preparation of necessary evidence for security audits and enhances the efficiency of review discussions. For unsupported resource types, there is the option to manually upload compliance evidence from other sources.
Alternatively, you can disregard ACAT recommended solutions and opt for your own solution to meet compliance needs by uploading evidence manually in ACAT or in Partner Center. For more information, see the current control automation. Our product team continues to enhance these features so please check back for future updates.
Team collaboration with your partners
ACAT is a free service in Azure. If partners or team members do not have access to the Azure portal, there are a number of compliance reports available to download for offline collaboration, including analyst edition reports from the reviewer perspective and resource lists describing the app’s cloud infrastructure.
Keep your application compliant continuously
ACAT automatically updates control assessments daily and collects new evidence as needed to help maintain continuous compliance. It also identifies compliance risks early in the application lifecycle to avoid last-minute changes after production. ACAT also integrates with your existing CI/CD pipeline or notification system (via webhook) to ensure your application is compliant with your own automated system.
Native integration with Microsoft 365 Certification
ACAT is natively integrated into the Microsoft 365 Certification review process as an optional automation tool. The ACAT compliance report can easily be selected as evidence throughout the review process. ACAT automatically gathers control assessments, all evidence collected by the tool, and all manually uploaded evidence for further review.
Next steps
Create your first compliance report in Azure:
Search ACAT
Select Reports > Create new report
To learn more about ACAT, visit the ACAT overview.
Follow us on X (Twitter) / @Microsoft365Dev, LinkedIn, and subscribe to our YouTube channel to stay up to date on the latest developer news and announcements.