Microsoft 365 Certification is here to ease your concerns about data security while using 3P Apps
Published Jul 07 2021 10:00 AM 3,523 Views



Microsoft 365 App Compliance Program is designed to provide assurance to organizations and enterprise IT admins like you, that when your data interacts with a certified application, that application has undergone a security and privacy review. Microsoft 365 Certification requires a thorough assessment of an app and its underlying infrastructure against a series of security controls under these security domains:  

  • Application Security  
  • Operational Security 
  • Data Handling Security and Privacy  
  • Optional External Compliance Audit Review 


When an app undergoes Microsoft 365 Certification, a third-party assessor validates and assesses the app and its supporting infrastructure. An ISV must pass the controls in each of the following security domains to be awarded a certification: 


1. Application Security:
The application security domain focuses upon the following three areas:

  • GraphAPI Permission Validation - GraphAPI permission validation is carried out to validate that the app/add-in does not request overly permissive permissions and the analyst ensures that the permissions requested are essential for the functionality of the app.
  • External Connectivity Checks - Analyst will perform a walkthrough of the applications functionality to identify connections outside of Microsoft 365. Any connections which are not identified as being Microsoft or any direct connections to a service will be flagged and discussed during the assessment.
  • Application Security Testing - Application security testing in the form of penetration testing MUST be carried out if the application has any connectivity to any service not published by Microsoft. If the app operates standalone without connectivity to any non-Microsoft service or backend, then penetration testing is not required. 
    Learn More!

2. Operations Security:
This domain measures the alignment of an app's supporting infrastructure and deployment processes with security best practices. There are various controls assessed in this layer like malware protection, patch management, vulnerability scanning and firewalls, account management and incident management, and change control to name a few.
Learn More!

3. Data Handling Security and Privacy:
Data in transit between the application user, intermediary services, and app developer's systems will be required to be protected by encryption through a TLS connection. If an application retrieves and stores customer data, the app developer will be required to implement a data storage encryption scheme that follows the specification as defined Here. This domain also tests controls like data at rest, data retention and disposal, data access management and GDPR.
Learn More!


4. Optional External Compliance Audit Review
If external compliance audit reports have been included within the Publisher Attestation, certification analysts will check the validity of those reports as part of the Microsoft 365 Certification assessment. Evidence for these following external compliance audit reports can be leveraged in the certification assessment:

If you have questions, please reach out to


See the following resources to learn more about the Microsoft 365 App Compliance Program:

Version history
Last update:
‎Jul 07 2021 12:22 PM
Updated by: