Security and data handling practices for third-party apps are becoming a greater priority in app development and adoption. With this in mind, ISVs are looking for ways to ensure their apps meet the latest compliance standards. The Microsoft 365 App Compliance Program helps ISVs amplify their compliance story while helping potential customers find and implement their offerings in the marketplace.
The Microsoft 365 App Compliance Program is a two-step approach to app security and compliance. Each tier builds upon the next – offering a layered program to give users the confidence they need while using apps in the Microsoft 365 ecosystem. Apps that complete certification undergo a yearly detailed compliance, security, and data handling review, with no monetary cost to the developer.
The program consists of:
- Publisher Verification
- Attestation
- Microsoft 365 Certification
Publisher Verification proves the authenticity of the app developer while Microsoft 365 Certification tests and reports on the security and data handling practices of an application through attestation and live pen testing.
Dedicated surfaces to show your compliance posture
App publishers participating in the Microsoft 365 App Compliance Program get access to various marketing support tools to help stand out in the marketplace. Certified apps can be identified through dedicated badging and filters in multiple surfaces, including:
- Teams Admin Center
- Teams Store
- AppSource / Microsoft Admin Center
- Office Add-ins Store
- Azure Active Directory
- Microsoft App Compliance Doc Pages
The Microsoft 365 Certification badge
Filters in AppSource
Apps that have completed either publisher attestation or Microsoft 365 Certification receive dedicated Microsoft documentation pages with a detailed overview of their current security posture. The reports cover 7 categories, including:
- General publisher and app information
- Data handling
- Security
- Compliance
- Privacy
- Identity
- Certification controls
Save time and resources on security reviews
Every customer will have unique security and compliance concerns based on industry, client-base, geographic location, and government/regional regulations. While Microsoft 365 Certification cannot validate all specialized security review topics, it can make the process less cumbersome by pre-vetting baseline compliance practices. As pre-sale security and compliance reviews expand in scope and level of detail, the RFP process takes more time and ISVs are having to pull more resources to respond. Microsoft certifying your app can help expedite the sales cycle by providing potential clients an extra level of trust.
“We recently had a huge multinational conglomerate contact us where without the certification in place, it would have taken at least six weeks for us to close. But instead, they purchased in 24-36 hours.”
-Hai Nguyen, CEO at Appfluence
New tools to enhance your Microsoft 365 Certification
As announced at Microsoft Build 2022, the App Compliance Automation Tool for Microsoft 365, or ACAT, is available in public preview on September 22, 2022. Available for apps published in Partner Center that run on Azure, ACAT can fast-track certification through a detailed view of, and remediation steps for, Microsoft 365 Certification responsibilities; automatic daily reports; and security and compliance best practices that can be used as guidance in the early phase of your application lifecycle. Learn more about ACAT.
Microsoft is dedicated to building a trustworthy app ecosystem. By helping ISVs get certified and share their compliance journey, we hope to increase transparency in the adoption and implementation of third-party applications.
Is it available for AppSource (store) published apps only? What if we use features that don’t allow us to publish add-ins/apps to the store?