Επεξεργασία

Κοινή χρήση μέσω


Know about app compliance program for security, data handling, and privacy

Microsoft 365 app compliance program checks and audits an app against controls that are derived from leading industry-standard frameworks. The program demonstrates that strong security and compliance practices are in place to protect customer data. The program has the following phases:

Publisher verification

Before an app developer can submit their app to Microsoft, the developer is required to undergo a verification. A developer verifies their identity using their Microsoft Partner Network (MPN) account and associates this MPN account with their app registration. Publisher verification helps admins and users understand the authenticity of application developers. Publisher verification provides the following benefits:

  • Increased transparency and risk reduction for customers - this capability helps customers understand which apps being used in their organizations are published by developers they trust.
  • Improved branding - a verified badge appears on the Microsoft Entra consent prompt, Enterprise Apps page, and other user interfaces used by users and admins.
  • Smoother enterprise adoption - admins can configure user consent policies, with publisher verification status as a primary policy criteria.

Publisher attestation

Publisher attestation is the next tier in the app compliance program. Publisher attested apps provide confidence to admins about security and compliance measures of an app. It also helps reduce the time to review this information for an app. The attestation reflects an app's security, data handling, and compliance practices against more than 80 risk factors identified by Microsoft Defender for Cloud Apps. Publisher attestation process can start before Publisher verification is complete.

App developers are asked to complete a self-assessment that includes questions frequently asked by customers and IT admins to evaluate the security and compliance of an app. Microsoft then publishes this information for easier and more timely evaluation. To know more, see Attestation guide.

Admins can quickly check for Published attested apps in three different ways.

  • When gathering more information about an app, see the details of a specific app at its link at Microsoft Teams apps security and compliance. Alternately, select the Publisher attestation link in Teams admin center.

    In Teams admin center, select the Publisher attestation link to view details of the attestation of an app.

  • In Teams admin center, when checking the details of an app from the Manage App page, see the publisher attested icon on the banner in the app's detail page.

    In Teams admin center, Publisher attested icon is displayed on all attested apps.

  • In Teams admin center, before you grant consent to app permissions, a blue checkmark in front of the app name indicates it's a publisher attested app. All Microsoft 365 apps also go through publisher attestation, so a blue checkmark displays for Microsoft 365 apps as well.

    In Teams admin center, on the dialog to grant permissions, the blue checkmark indicates publisher attested app.

The attestation details page for an attested or certified app lists the following details.

Detailed information provided for attested apps.

Microsoft 365 certification

App certification is achieved through:

  • Approval of a comprehensive assessment centering on an app's security and compliance frameworks, processes, and procedures.
  • A qualified analyst's review.

We check the app against a series of security controls derived from leading industry-standard frameworks. Developers demonstrate following strong security and compliance practices to protect customer data when their app is used in an organization. More information about how admins and users benefit from the certification is available at Overview of Microsoft 365 app compliance program.

Administrators can find Microsoft 365 certified apps and information about such apps in the following ways:

  • When evaluating an app, you can access app's security and compliance information and in some cases detailed evidences for this information. Developers provide answers to a questionnaire as part of their Teams app's security and compliance information for Publisher Attestation and for Microsoft 365 certification.

    View the Microsoft 365 certification information in the detailed help article about security and compliance of an app

    Developers of some Microsoft 365 certified apps and Copilot agents can choose to provide detailed evidences to help your organization quickly assess their app. Developers submit these comprehensive details as part of the audits done during certification. If developers agree to share these detailed evidence, then you can download these app trust evidences from the app details page in the Teams admin center. The download option is available only in commercial tenants.

    Screenshot showing the option to download detailed evidence provided by developers of certified apps.

  • When checking an application in Teams admin center, sort the list of apps using the Certification column. See the shield icon and optionally, select the link to access the app-specific page.

    View Microsoft 365 certification status of an app in the Teams admin center.

  • When viewing the details of an app, see the Microsoft 365 certified icon in the app banner.

    View Microsoft 365 certification information in the app banner when managing a specific app in Teams admin center

  • In Teams admin center, before you grant consent to app permissions, a blue checkmark in front of the app name indicates it's a publisher attested app. All Microsoft 365 apps also go through publisher attestation, so a blue checkmark displays for Microsoft 365 apps as well.

    In Teams admin center, on the dialog to grant permissions, admins can check the blue checkmark to be assured that the app is Microsoft 365 certified

View security, compliance, and privacy information

You can find information about security, privacy, compliance and behaviors for an attested or certified app in Microsoft documentation and Teams admin center.

Microsoft documentation

You can find the details about security, privacy, compliance, and more for each app listed it the app-specific help articles linked from Microsoft Teams apps security and compliance.

Detailed information that is provided for apps that undergo Microsoft compliance program.

Teams admin center

When evaluating an app, you can use independent Cloud Access Security Brokers (CASB), such as Microsoft Defender for Cloud Apps, to find information about security and behaviors of an app. The Teams admin center includes security and compliance information from Defender for Cloud Apps for Microsoft 365 Certified apps. Check this information in the app details page, to verify if the app meets your security needs.

Note

This feature is available to all admins, whether or not your organization has a license that supports Defender for Cloud Apps.

To access Defender for Cloud Apps information for an app:

  1. Sign in to the Teams admin center and access Teams apps > Manage apps.

  2. Select Certification to sort apps and push all Microsoft 365 Certified apps to the top of the table.

  3. Choose a Microsoft 365 Certified app.

  4. Select the Security and compliance tab.

    Screenshot of Teams admin center security and compliance tab.

    To get more details on the supported capabilities for the app, select the dropdown list for each category.

View privacy policy and terms of use of an app

In Teams admin center, each app page links to the privacy statement and terms of use of the app.

From Teams admin center, admins can access the link to the privacy policy and terms of use for every app.