Publisher verification

Publisher verification gives app users and organization admins information about the authenticity of the developer's organization that publishes an app that integrates with the Microsoft identity platform.

An app that's publisher verified means that the app's publisher (app developer) has verified the authenticity of their organization with Microsoft. Verifying an app includes using a Microsoft Partner Network (MPN) account that's been verified and associating the MPN account with an app registration.

When the publisher of an app has been verified, a blue verified badge appears in the Azure Active Directory (Azure AD) consent prompt for the app and on other webpages:

Screenshot that shows an example of a Microsoft app consent prompt.

Publisher verification is primarily for developers who build multitenant apps that use OAuth 2.0 and OpenID Connect with the Microsoft identity platform. These types of apps can sign in a user by using OpenID Connect, or they can use OAuth 2.0 to request access to data by using APIs like Microsoft Graph.

Benefits

Publisher verification for an app has the following benefits:

  • Increased transparency and risk reduction for customers. Publisher verification helps customers identify apps that are published by developers they trust to reduce risk in the organization.

  • Improved branding. A blue verified badge appears in the Azure AD app consent prompt, on the enterprise apps page, and in other app elements that users and admins see.

  • Smoother enterprise adoption. Organization admins can configure user consent policies that include publisher verification status as primary policy criteria.

Note

Beginning November 2020, if risk-based step-up consent is enabled, users can't consent to most newly registered multitenant apps that aren't publisher verified. The policy applies to apps that were registered after November 8, 2020, which use OAuth 2.0 to request permissions that extend beyond the basic sign-in and read user profile, and which request consent from users in tenants that aren't the tenant where the app is registered. In this scenario, a warning appears on the consent screen. The warning informs the user that the app was created by an unverified publisher and that the app is risky to download or install.
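For admins reviewing an app inventory, the conditions in the note above can be applied as a filter. The following is an added example, not Microsoft's code: `createdDateTime`, `signInAudience`, and `verifiedPublisher` follow the Microsoft Graph application resource, while `ownerTenantId`, `requestedScopes`, the `BASIC_SCOPES` set, and all sample records are assumptions constructed for illustration.

```python
from datetime import date, datetime

CUTOFF = date(2020, 11, 8)  # the note covers apps registered after this date
# Assumption: scopes counted as "basic sign-in and read user profile".
BASIC_SCOPES = {"openid", "profile", "email", "offline_access", "user.read"}
MULTITENANT = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}

def step_up_candidates(apps, home_tenant_id):
    """Return apps matching every condition in the note, with their non-basic scopes."""
    findings = []
    for app in apps:
        publisher = app.get("verifiedPublisher") or {}
        if publisher.get("verifiedPublisherId"):
            continue  # publisher is verified
        if app["signInAudience"] not in MULTITENANT:
            continue  # single-tenant app
        if app["ownerTenantId"] == home_tenant_id:
            continue  # consent is requested in the tenant of registration
        created = datetime.fromisoformat(app["createdDateTime"].replace("Z", "+00:00"))
        if created.date() <= CUTOFF:
            continue  # registered on or before the cutoff
        extra = sorted(s for s in app["requestedScopes"] if s.lower() not in BASIC_SCOPES)
        if extra:
            findings.append({"appId": app["appId"], "scopesBeyondBasic": extra})
    return findings

HOME_TENANT = "tenant-home"  # constructed placeholder tenant ID

def _app(n, created, audience, owner, scopes, publisher_id=None):
    # Builds one constructed inventory record (hypothetical layout).
    return {"appId": f"00000000-0000-0000-0000-00000000000{n}",
            "createdDateTime": created, "signInAudience": audience,
            "ownerTenantId": owner, "requestedScopes": scopes,
            "verifiedPublisher": {"verifiedPublisherId": publisher_id}}

SAMPLE_APPS = [  # constructed sample data
    _app(1, "2021-03-02T10:00:00Z", "AzureADMultipleOrgs", "tenant-vendor",
         ["openid", "profile", "Mail.Read"]),
    _app(2, "2021-03-02T10:00:00Z", "AzureADMultipleOrgs", "tenant-vendor",
         ["openid", "Mail.Read"], publisher_id="1234567"),
    _app(3, "2020-11-08T23:00:00Z", "AzureADMultipleOrgs", "tenant-vendor",
         ["Mail.Read"]),
    _app(4, "2022-01-15T08:30:00Z", "AzureADMultipleOrgs", "tenant-vendor",
         ["openid", "User.Read"]),
    _app(5, "2022-01-15T08:30:00Z", "AzureADMyOrg", HOME_TENANT,
         ["Files.Read.All"]),
]

if __name__ == "__main__":
    for finding in step_up_candidates(SAMPLE_APPS, HOME_TENANT):
        print(finding)
```

Only the first sample record meets all four conditions; the others are excluded because the publisher is verified, the registration date is not after the cutoff, the scopes are basic, or the app is single-tenant in the home tenant.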

Requirements

App developers must meet a few requirements to complete the publisher verification process. Many Microsoft partners will have already satisfied these requirements.

  • The developer must have an MPN ID for a valid Microsoft Partner Network account that has completed the verification process. The MPN account must be the partner global account (PGA) for the developer's organization.

    Note

    The MPN account you use for publisher verification can't be your partner location MPN ID. Currently, location MPN IDs aren't supported for the publisher verification process.

  • The app that's to be publisher verified must be registered by using an Azure AD work or school account. Apps that are registered by using a Microsoft account can't be publisher verified.

  • The Azure AD tenant where the app is registered must be associated with the PGA. If the tenant where the app is registered isn't the primary tenant associated with the PGA, complete the steps to set up the MPN PGA as a multitenant account and associate the Azure AD tenant.

  • The app must be registered in an Azure AD tenant and have a publisher domain set.

  • The domain of the email address that's used during MPN account verification must either match the publisher domain that's set for the app or be a DNS-verified custom domain that's added to the Azure AD tenant.

  • The user who initiates verification must be authorized to make changes both to the app registration in Azure AD and to the MPN account in Partner Center. The user who initiates the verification must have one of the required roles in both Azure AD and Partner Center.

    • In Azure AD, this user must be a member of one of the following roles: Application Admin, Cloud Application Admin, or Global Admin.

    • In Partner Center, this user must have one of the following roles: MPN Partner Admin, Account Admin, or Global Admin (a shared role that's mastered in Azure AD).

  • The user who initiates verification must sign in by using multifactor authentication.

  • The publisher must consent to the Microsoft identity platform for developers Terms of Use.

Developers who have already met these requirements can be verified in minutes. No charges are associated with completing the prerequisites for publisher verification.

Publisher verification in national clouds

Publisher verification currently isn't supported in national clouds. Apps that are registered in national cloud tenants can't be publisher verified at this time.

Frequently asked questions

Review frequently asked questions about the publisher verification program. For common questions about requirements and the process, see Mark an app as publisher verified.

  • What does publisher verification not tell me about the app or its publisher? The blue verified badge doesn't imply or indicate quality criteria you might look for in an app. For example, you might want to know whether the app or its publisher have specific certifications, comply with industry standards, or adhere to best practices. Publisher verification doesn't give you this information. Other Microsoft programs, like Microsoft 365 App Certification, do provide this information.

  • How much does publisher verification cost for the app developer? Does it require a license? Microsoft doesn't charge developers for publisher verification. No license is required to become a verified publisher.

  • How does publisher verification relate to Microsoft 365 Publisher Attestation and Microsoft 365 App Certification? Microsoft 365 Publisher Attestation and Microsoft 365 App Certification are complementary programs that help developers publish trustworthy apps that customers can confidently adopt. Publisher verification is the first step in this process. All developers who create apps that meet the criteria for completing Microsoft 365 Publisher Attestation or Microsoft 365 App Certification should complete publisher verification. The combined programs can give developers who integrate their apps with Microsoft 365 even more benefits.

  • Is publisher verification the same as the Azure Active Directory application gallery? No. Publisher verification complements the Azure Active Directory application gallery, but it's a separate program. Developers who fit the publisher verification criteria should complete publisher verification independently of participating in the Azure Active Directory application gallery or other programs.
