Know about app compliance program for security, data handling, and privacy
The Microsoft 365 app compliance program checks and audits an app against controls that are derived from leading industry-standard frameworks. The program demonstrates that strong security and compliance practices are in place to protect customer data. The program has the following phases:
Publisher verification
Before app developers can submit an app to Microsoft, they are required to undergo verification. A developer verifies their identity using their Microsoft Partner Network (MPN) account and associates this MPN account with their app registration. Publisher verification helps admins and users understand the authenticity of application developers. Publisher verification provides the following benefits:
- Increased transparency and risk reduction for customers - this capability helps customers understand which apps being used in their organizations are published by developers they trust.
- Improved branding - a verified badge appears on the Microsoft Entra consent prompt, Enterprise Apps page, and other user interfaces used by users and admins.
- Smoother enterprise adoption - admins can configure user consent policies, with publisher verification status as a primary policy criterion.
Publisher attestation
Publisher attestation is the next tier in the app compliance program. Publisher attested apps give admins confidence about the security and compliance measures of an app. Attestation also helps reduce the time needed to review this information for an app. The attestation reflects an app's security, data handling, and compliance practices against more than 80 risk factors identified by Microsoft Defender for Cloud Apps. The publisher attestation process can start before publisher verification is complete.
App developers are asked to complete a self-assessment that includes questions frequently asked by customers and IT admins to evaluate the security and compliance of an app. Microsoft then publishes this information for easier and more timely evaluation. To learn more, see the Attestation guide.
Admins can quickly check for publisher attested apps in three different ways.
- When gathering more information about an app, see the details of a specific app at its link at Microsoft Teams apps security and compliance. Alternately, select the Publisher attestation link in Teams admin center.
- In Teams admin center, when checking the details of an app from the Manage App page, see the publisher attested icon on the banner in the app's detail page.
- In Teams admin center, before you grant consent to app permissions, a blue checkmark in front of the app name indicates it's a publisher attested app. All Microsoft 365 apps also go through publisher attestation, so a blue checkmark displays for Microsoft 365 apps as well.
The attestation details page for an attested or certified app lists the following details.
Microsoft 365 certification
App certification is achieved through:
- A qualified analyst's review.
- Approval of a comprehensive assessment centering on an app's security and compliance frameworks, processes, and procedures.
We check the app against a series of security controls derived from leading industry-standard frameworks.
The certificate demonstrates the strong security and compliance practices that are in place to protect customer data when the app is used in an organization. More information about how admins and users benefit from the certification is available at Overview of Microsoft 365 app compliance program.
Administrators can quickly check for Microsoft 365 certified apps in the following ways.
- When gathering more information about an app on the web, see the shield icon in Microsoft documentation about the app.
- When checking an application in Teams admin center, sort the list of apps using the Certification column. See the icon and optionally, select the link to access the app-specific page mentioned above.
- When viewing the details of an app, see the Microsoft 365 certified icon in the app banner.
- In Teams admin center, before you grant consent to app permissions, a blue checkmark in front of the app name indicates it's a publisher attested app. All Microsoft 365 apps also go through publisher attestation, so a blue checkmark displays for Microsoft 365 apps as well.
View security, compliance, and privacy information
You can find information about security, privacy, compliance and behaviors for an attested or certified app in Microsoft documentation and Teams admin center.
Microsoft documentation
You can find the details about security, privacy, compliance, and more for each app listed in the app-specific help articles linked from Microsoft Teams apps security and compliance.
Teams admin center
When evaluating an app, you can use independent Cloud Access Security Brokers (CASB), such as Microsoft Defender for Cloud Apps, to find information about security and behaviors of an app. The Teams admin center includes security and compliance information from Defender for Cloud Apps for Microsoft 365 Certified apps. Check this information in the app details page, to verify if the app meets your security needs.
Note
This feature is available to all admins, whether or not your organization has a license that supports Defender for Cloud Apps.
To access Defender for Cloud Apps information for an app:
1. Sign in to the Teams admin center and access Teams apps > Manage apps.
2. Select Certification to sort apps and push all Microsoft 365 Certified apps to the top of the table.
3. Choose a Microsoft 365 Certified app.
4. Select the Security and compliance tab.
5. To get more details on the supported capabilities for the app, select the dropdown list for each category.
View privacy policy and terms of use of an app
In Teams admin center, each app page links to the privacy statement and terms of use of the app.