Data access management ensures that only authorized users and applications can securely access sensitive data, restricting access to minimize risk. Only users with a legitimate business need should have access to sensitive data and encryption keys.
Microsoft 365 Certification confirms that ISVs have established a documented process for access requests, following the principles of least privilege, and have a clearly defined access request procedure for their apps.
Certification auditors will verify that ISVs maintain a list of individuals with access to data and/or encryption keys. The list should provide business justification for each individual and include a formal approval process that aligns access privileges with job functions.
The procedure for granting access to data or encryption keys should require approval to confirm that access is essential for an individual’s job responsibilities. This prevents employees without a legitimate reason from gaining access.
Third parties used for the storage or processing of Microsoft 365 data can represent significant risk factors. Certification requires ISVs to institute a comprehensive due diligence and management process to ensure that third parties are securely storing or processing data and will comply with any legal obligations, such as those required of data processors under GDPR.
ISVs should maintain a detailed record of all third parties with whom they share data to support their applications. This record should include the services provided, the data shared, the reasons for sharing the data, key contact information including a breach notification contact, contract renewal or expiration dates, and legal or compliance obligations such as GDPR, HIPAA, and FedRAMP. Data sharing agreements will be reviewed to ensure that third parties are processing data only as needed and that they understand their security obligations.
Next steps
To learn how Microsoft 365 Certification validates that your application uses the most up-to-date controls for data access management, visit the Microsoft 365 Certification data at rest control evidence requirements.
To start certification, go to the Microsoft Partner Center dashboard, select an app from Marketplace offers overview, and select App Compliance.