As an app developer, you can work with analysts in the Microsoft 365 App Compliance team to demonstrate that your application and its supporting infrastructure are qualified to protect the security and privacy of your customers’ sensitive data.
When an app undergoes Microsoft 365 Certification, a third-party assessor validates and assesses the app and its supporting infrastructure. Your app must pass the controls in each of the following security domains to be awarded a certification:
- Application security
- Operational security
- Data handling security and privacy
- Optional external compliance audit review
Application security
The application security domain focuses on the following three areas:
- Microsoft Graph API permission validation – Permission validation checks that the app or add-in does not request overly permissive permissions; that is, each permission requested is required for the functionality of the app.
- External connectivity checks – An analyst will perform a walkthrough of the application’s functionality to identify connections outside of Microsoft 365. Any connection that is not identified as a Microsoft connection, and any direct connection to a third-party service, will be flagged and discussed during the assessment.
- Application security testing – Application security testing in the form of penetration testing MUST be carried out if the application has any connectivity to any service not published by Microsoft. If the app operates standalone without connectivity to any non-Microsoft service or backend, penetration testing is not required.
For details, see Application security.
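The permission validation described above is, in practice, a least-privilege review: every requested Microsoft Graph scope should trace back to a feature that needs it, and no scope should be broader than that feature requires. The following script is an added example (it is not Microsoft's certification tooling and not from this page) that performs such a self-review before submission. It assumes the developer has documented which Graph scopes each feature needs, and it works on constructed sample data; the scope names follow the real `Resource.Access[.All]` naming pattern, and the `REQUESTED_SCOPES` and `FEATURE_NEEDS` values are invented for illustration.

```python
"""Least-privilege self-review of the Microsoft Graph scopes an app requests.

Added example, not Microsoft's tooling. Each requested scope is compared with
the scopes the developer has documented as needed per feature and classified
as justified, over-broad (a narrower scope would do) or unjustified.
"""
from dataclasses import dataclass

# Relative breadth of the access verb in a Graph scope name (higher = broader).
ACCESS_RANK = {"ReadBasic": 0, "Read": 1, "ReadWrite": 2}

# Constructed sample: scopes a hypothetical app registration asks for.
REQUESTED_SCOPES = [
    "User.Read",
    "Mail.ReadWrite",
    "Files.ReadWrite.All",
    "Directory.ReadWrite.All",
]

# Constructed sample: what each feature of that app actually needs.
FEATURE_NEEDS = {
    "sign-in": ["User.Read"],
    "show recent mail": ["Mail.Read"],
    "attach a file from OneDrive": ["Files.Read"],
}


@dataclass(frozen=True)
class Scope:
    resource: str      # e.g. "Mail"
    access: str        # "ReadBasic", "Read" or "ReadWrite"
    tenant_wide: bool  # ".All" suffix: reaches beyond the signed-in user's own data

    @classmethod
    def parse(cls, name: str) -> "Scope":
        parts = name.split(".")
        if len(parts) < 2 or parts[1] not in ACCESS_RANK:
            raise ValueError(f"unsupported scope format: {name!r}")
        return cls(parts[0], parts[1], "All" in parts[2:])

    @property
    def name(self) -> str:
        return f"{self.resource}.{self.access}" + (".All" if self.tenant_wide else "")

    def covers(self, other: "Scope") -> bool:
        """True when this scope grants at least everything `other` grants."""
        return (
            self.resource == other.resource
            and ACCESS_RANK[self.access] >= ACCESS_RANK[other.access]
            and (self.tenant_wide or not other.tenant_wide)
        )


def audit(requested, feature_needs):
    """Classify each requested scope against the documented per-feature needs.

    Returns {scope_name: (status, suggestion)}: "justified" (exactly needed),
    "over-broad" (suggestion = the narrowest needed scope it subsumes) or
    "unjustified" (no documented feature touches that resource at all).
    """
    needed = {Scope.parse(s) for scopes in feature_needs.values() for s in scopes}
    findings = {}
    for name in requested:
        req = Scope.parse(name)
        if req in needed:
            findings[name] = ("justified", None)
            continue
        covered = [n for n in needed if req.covers(n)]
        if covered:
            narrowest = min(covered, key=lambda s: (ACCESS_RANK[s.access], s.tenant_wide))
            findings[name] = ("over-broad", narrowest.name)
        else:
            findings[name] = ("unjustified", None)
    return findings


def missing_scopes(requested, feature_needs):
    """Documented needs that no requested scope satisfies (the feature would fail)."""
    held = [Scope.parse(s) for s in requested]
    needed = {Scope.parse(s) for scopes in feature_needs.values() for s in scopes}
    return sorted(n.name for n in needed if not any(h.covers(n) for h in held))


if __name__ == "__main__":
    for scope, (status, suggestion) in audit(REQUESTED_SCOPES, FEATURE_NEEDS).items():
        hint = f" (request {suggestion} instead)" if suggestion else ""
        print(f"{scope:28} {status}{hint}")
    print("missing:", missing_scopes(REQUESTED_SCOPES, FEATURE_NEEDS) or "none")
```

On the sample data the review flags `Mail.ReadWrite` and `Files.ReadWrite.All` as over-broad (the documented features only read) and `Directory.ReadWrite.All` as unjustified, which is exactly the kind of finding an analyst would raise. The ranking only models the common `ReadBasic`/`Read`/`ReadWrite` verbs; scopes with other verbs (for example `Mail.Send`) raise an error so they are reviewed by hand rather than silently classified.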
Operational security
This domain measures the alignment of an app’s supporting infrastructure and deployment processes with security best practices. Various controls are assessed in this layer, including malware protection, patch management, vulnerability scanning and firewalls, account management and incident management, and change control.
For details, see Operational security.
Data handling security and privacy
Data in transit between the application user, intermediary services, and the app developer’s systems must be protected by encryption through a TLS connection. If an application retrieves and stores customer data, you must implement a data storage encryption scheme that follows the encryption profile configuration requirements. This domain also tests controls such as data at rest, data retention and disposal, data access management, and GDPR.
For details, see Data handling security and privacy.
Optional external compliance audit review
If external compliance audit reports are included within the Publisher Attestation, certification analysts will check the validity of those reports as part of the Microsoft 365 Certification assessment. Evidence from these external compliance audit reports can be used in the certification assessment to expedite the process.
For details, see Optional external compliance audit review.
If you have questions, please reach out to firstname.lastname@example.org.
See the following resources to learn more about the Microsoft 365 App Compliance Program:
- Microsoft 365 App Compliance Program
- Microsoft 365 App Compliance Program helps admins in creating a secure app ecosystem – Microsoft Tech Community
- New renewal offering for your app’s Publisher Attestation and Microsoft 365 Certification – Microsoft 365 Developer Blog