October 3rd, 2024

Microsoft 365 Certification control spotlight: Account management

According to a recent study, the average organization has over 50% more user accounts than employees, and 30% of these accounts are dead or dormant. These accounts pose a serious security risk, as they can be exploited by hackers or malicious insiders to access sensitive data or disrupt operations. That’s why secure account management is a crucial aspect of app development and integration.

Account management is the process of creating, updating, and deleting user accounts and their permissions on a system or application. Secure account management ensures that only authorized users can access the resources they need, and that malicious actors are prevented from compromising or impersonating legitimate accounts. Secure account management is essential for app developers, as it protects both the app’s functionality and the app’s data from unauthorized access and manipulation.

Account management best practices include using strong authentication mechanisms, such as multi-factor authentication (MFA), to verify the identity of users before granting them access; enforcing password policies, such as minimum length, complexity, and expiration, to prevent weak or compromised passwords; and implementing role-based access control (RBAC), which assigns permissions to users based on their roles and responsibilities rather than giving them blanket access to everything.
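As an added illustration of two of the practices just listed (this is example code, not Microsoft's or the certification's own), the block below implements a password-policy check with length, complexity and expiration rules, and a deny-by-default RBAC lookup. The policy thresholds, role names and permission strings are assumptions chosen for the example, not values taken from the certification requirements.

```python
# Added example (not Microsoft's or the certification's code): a minimal
# password-policy check and a deny-by-default RBAC lookup for the practices
# listed above. Threshold values and role names are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import string

REFERENCE_TIME = datetime(2024, 10, 3, tzinfo=timezone.utc)  # constructed "now"


def days_before(n: int) -> datetime:
    """Helper: a timestamp n days before the constructed reference time."""
    return REFERENCE_TIME - timedelta(days=n)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 14                     # assumed minimum length
    min_classes: int = 3                     # of lower / upper / digit / symbol
    max_age: timedelta = timedelta(days=90)  # assumed rotation interval


def password_violations(password: str, set_on: datetime,
                        policy: PasswordPolicy, now: datetime) -> list:
    """Return the policy rules the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    # Count how many character classes are present (True counts as 1).
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < policy.min_classes:
        problems.append("insufficient_complexity")
    if now - set_on > policy.max_age:
        problems.append("expired")
    return problems


# Role -> permission mapping (hypothetical roles). Anything not listed is denied.
ROLE_PERMISSIONS = {
    "reader": {"document:read"},
    "editor": {"document:read", "document:write"},
    "admin":  {"document:read", "document:write", "user:manage"},
}


def is_authorized(user_roles, permission: str) -> bool:
    """Deny by default: grant only if some assigned role carries the permission.
    Unknown roles map to an empty permission set rather than raising."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(password_violations("short", REFERENCE_TIME, policy, REFERENCE_TIME))
    print(password_violations("Correct-Horse-Battery-9", days_before(120), policy, REFERENCE_TIME))
    print(is_authorized(["reader"], "document:write"), is_authorized(["editor"], "document:write"))
```

The authorization function returns a boolean rather than raising so that callers cannot accidentally treat an exception path as success; an unknown or misspelled role simply yields no permissions.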

Microsoft 365 Certification verifies account management best practices

Microsoft 365 Certification validates that apps implement secure account management practices: default and service credentials are disabled or eliminated, service accounts are hardened with access restrictions and complex passwords, and least-privilege principles are followed for users within the app environment.

Auditors will verify the implementation of multi-factor authentication and ensure that access reviews are conducted at designated intervals. For an application to achieve certification, documentation must be supplied demonstrating that inactive accounts have been deactivated and removed.
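The following added example (not Microsoft's, ACAT's or the certification's code) shows the kind of periodic access review the paragraphs above describe: it walks a constructed account inventory and reports enabled accounts that are dormant past a threshold, user accounts without MFA, and enabled accounts with well-known default names. The account records, the 90-day threshold and the default-name list are all assumptions constructed for illustration.

```python
# Added example (not Microsoft's or ACAT's code): an inactive-account, MFA-coverage
# and default-account review over a constructed inventory, producing the kind of
# findings an access review would document. Thresholds and names are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

REFERENCE_TIME = datetime(2024, 10, 3, tzinfo=timezone.utc)  # constructed "now"
INACTIVITY_LIMIT = timedelta(days=90)                        # assumed review threshold
# Well-known default account names that should not remain enabled (assumed list).
DEFAULT_NAMES = {"admin", "administrator", "guest", "root", "test"}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                         # "user" or "service"
    enabled: bool
    last_sign_in: Optional[datetime]  # None = never signed in
    mfa_enrolled: bool


def review_accounts(accounts, now=REFERENCE_TIME, limit=INACTIVITY_LIMIT):
    """Return findings keyed by remediation: accounts to deactivate, users
    lacking MFA, and enabled default accounts. Already-disabled accounts are
    skipped; a never-used account counts as dormant."""
    findings = {"deactivate": [], "mfa_missing": [], "default_enabled": []}
    for acct in accounts:
        if not acct.enabled:
            continue
        dormant = acct.last_sign_in is None or (now - acct.last_sign_in) > limit
        if dormant:
            findings["deactivate"].append(acct.name)
        # MFA is a user-account control here; service accounts are covered by
        # the hardening checks, not by an interactive second factor.
        if acct.kind == "user" and not acct.mfa_enrolled:
            findings["mfa_missing"].append(acct.name)
        if acct.name.lower() in DEFAULT_NAMES:
            findings["default_enabled"].append(acct.name)
    return findings


# Constructed inventory for illustration.
SAMPLE_ACCOUNTS = [
    Account("alice", "user", True, datetime(2024, 9, 30, tzinfo=timezone.utc), True),
    Account("bob", "user", True, datetime(2024, 5, 1, tzinfo=timezone.utc), False),
    Account("svc-backup", "service", True, datetime(2024, 10, 1, tzinfo=timezone.utc), False),
    Account("guest", "user", True, None, False),
    Account("carol", "user", False, datetime(2023, 1, 1, tzinfo=timezone.utc), True),
]


def evidence_lines(findings):
    """Flatten findings into sorted 'action:account' lines for an audit record."""
    return sorted(f"{action}:{name}" for action, names in findings.items() for name in names)


if __name__ == "__main__":
    for line in evidence_lines(review_accounts(SAMPLE_ACCOUNTS)):
        print(line)
```

Running the review on a real tenant would replace SAMPLE_ACCOUNTS with an export from the identity provider; the sorted evidence lines are the artefact to retain from each review interval.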

Certification shows that apps apply secure account management practices to safeguard against unauthorized access and tampering. This is especially important because a large number of inactive accounts within the ecosystem poses a significant security risk.

This control set is partially automated using ACAT, the App Compliance Automation Tool. ACAT is a service within the Azure portal designed to ease the path to compliance for applications that use Microsoft 365 customer data and are published through Partner Center. ACAT also allows continuous compliance monitoring with customized daily reports.

Next steps

To learn more about how Microsoft 365 Certification validates that account management controls are in place for your application, visit the account management evidence requirements.

To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.
