Here in our Microsoft 365 App Compliance Team, the focus is to protect our customers’ data by creating a trusted ecosystem of secure and compliant apps. Our program also helps customers like you to distinguish and filter out apps, based on their own risk tolerance.
The Microsoft 365 App Compliance Program consists of 3 tiers:
- Publisher Verification helps admins and users understand the authenticity of app developers integrating with the Microsoft identity platform.
- Publisher Attestation is where developers share general, data handling, security and compliance information about their app service.
- Microsoft 365 Certification offers assurance and confidence to organizations that data and privacy are adequately secured and protected when using Microsoft Teams, Outlook, Office Add-ins, SharePoint Add-ins, OneNote and Project apps.
Check out our previous blog to learn how these tiers benefit you.
What do we do?
Our program is designed to provide assurance to organizations and enterprise IT admins like you, that when your data interacts with a certified application, that application has undergone a security and privacy review. Microsoft 365 Certification requires a thorough assessment of an app and its underlying infrastructure against a series of security controls. This involves validating a variety of things such as updated antimalware signatures, proper data encryption at rest and in-transit, and many more. All controls span four domains:
- Application Security
- Operational Security / Secure Deployment
- Data Handling Security and Privacy
- Optional External Compliance Frameworks
In the Certification tier of the program, we verify the evidence and documentation provided, and attest to its completeness and accuracy prior to awarding a certification.
How does this help you?
This program provides you with the capability to identify trust-worthy apps as we make visible the following app information through AppSource and Microsoft Docs:
- Information about the app’s security, privacy, and data handling practices
- Customer reviews and compliance information in AppSource
- Consent screens and Certification status of an app
Example of Microsoft 365 Certification badge in Microsoft docs
Example of Microsoft 365 certification badge in AppSource
Example of MCAS report on security, compliance and legal practices followed by the app.
You can find more examples here.
This valuable app information provides rich insights and empowers you to make timely and knowledgeable decisions.
And that is not all. We have now expanded the scope of our program from Teams apps to include Outlook, Office Add-ins, SharePoint Add-ins, OneNote and Project. That means more application options for you to choose from.
Some new apps who have undergone Publisher Attestation and/or Microsoft 365 Certification are HeyTaco!, Coco, Klaxoon, SheetGo, SalesTim.
As customer’s data security is of utmost importance to us, we strive to build and grow our program. While doing so, we are working on standardizing the process for annual re-certification of apps. Identifying significant app updates that call for a re-certification is another milestone we plan to achieve.
If you have questions about our program, please reach out to appcert@microsoft.com.
and learn about best practices directly from the product teams.