Commercial marketplace certification policies

Document version: 1.33

Document date: May 20, 2022

Note

For a summary of recent changes to these policies, see Change history.

Table of contents

100 General

200 Virtual Machines

220 Network Virtual Appliances (NVAs)

300 Azure Applications

400 Azure container offers

600 IoT Edge Modules

700 Managed Services

800 Consulting Services

1000 Software as a Service (SaaS)

1100 Microsoft 365

1120 Office add-ins: Word, Excel, PowerPoint, and Outlook

1140 Teams

1160 SharePoint add-in

1170 SharePoint Framework Solutions

1180 Power BI visuals

1200 Power BI visuals additional certification

1240 Power BI Template Apps

1400 Dynamics 365 Business Central

1420 Dynamics 365 apps on Dataverse and Power Apps

1440 Dynamics 365 Operations Apps

3000 Requirements for Co-sell Status Tiers

4000 Microsoft 365 Application Compliance

100 General

These General policies apply to all offer types. Additional policies for each specific offer type are listed below by offer type. Please be sure you review both policy sections for the type of offer you are developing for the marketplace.

The types of offer types supported by the marketplace can be found in the publishing guide by offer type and the Microsoft 365 AppSource documentation. All offers and your publisher activities on Partner Center are subject to the Microsoft Publisher Agreement.

100.1 Value proposition and offer requirements

To let customers quickly identify offers of interest, your listing must clearly, concisely, and accurately convey the type of offer, the value proposition for your offer, and requirements for its adoption. The listing elements related to this requirement apply to offers and any plans that are part of the offer.

100.1.1 Title

All offers and plans must have an accurate and descriptive title. If your offer is promoted on a website outside of the commercial marketplace, the title on the promotional website should match the title in the marketplace.

100.1.2 Summary

Offers must have a concise, well written summary of the offer and its intended use. This summary will be shown on the commercial marketplace search results screen and is limited to 100 characters.

100.1.3 Description

All offers and plans must have a description that identifies the intended audience, briefly and clearly explains its unique and distinct value, identifies supported Microsoft products and other supported software, and includes any prerequisites or requirements for its use. The description should not simply repeat the offer summary.

You must clearly describe any limitations, conditions or exceptions to the functionality, features, and deliverables described in the listing and related materials before the customer acquires your offer. The capabilities you declare must relate to the core functions and description of your offer.

Your listing, including the description, metadata, and any other provided content, should describe your offer’s capabilities, strengths, and what makes it desirable, including any compatibility with other offers. Comparative marketing, including using competitor logos or trademarks in your offer listing, or including tags or other metadata referencing competing offers or marketplaces, is not allowed.

100.1.4 Non-English content

Commercial marketplace content (including Storefront text, documents, screenshots, Terms of Use, and Privacy Policy) is not required to be in English. If your offer is published with non-English content, the description must begin or end with the English phrase, "This application is available in <a list of languages including the language of your offer content>." It is also acceptable to provide a Useful Link URL to offer content in a language other than the one used in the marketplace content.

If your offer supports multiple languages, all offer and marketplace listing content should be localized for each supported language. Offers listed in multiple languages must be easily identified and understood.

100.1.7 Active and visible presence

You must maintain an active presence in the marketplace. Offers submitted to the marketplace must be commercially available and under active development and/or supported until they are removed from the marketplace.

Each offer submitted to the marketplace must have at least one public plan, which may be Contact Me, Bring Your Own License (BYOL), or Get It Now (Transact). Private plans are not allowed without a corresponding public plan.

100.2 Discoverability

To help customers discover offers, categories, industries, keywords, and consulting service competencies must accurately identify your expertise. The description of your listing must be relevant to the selected categories and industries.

  • Categories: Select the most relevant category or categories in alignment with your offer’s value proposition. The description should help a customer understand how your offer is applicable to the selected categories. A maximum of two categories can be selected.
  • Industries: Select an industry only if your offer is designed to solve a specific need or industry scenario. The industry and/or vertical your offer targets must be included in either the short or long description. Customers should be able to understand from the description how your offer helps them solve a specific industry scenario.
  • Keywords: Keywords must be relevant to the offer and any supported products. Adding competitor names or products as keywords is not permitted. Categories and titles should not be added as keywords.
  • Competencies (consulting services offers only): You must provide accurate current information needed to validate your competencies and qualifications when you submit your offer.

100.3 Graphic elements

Graphic elements help customers identify the source and understand the features of your offer. When used, graphic elements must be current, accurate, easy to understand, and related to your offer. Graphic elements include:

  • Logo
    • Logos are uploaded as a .png file between 216- and 350-pixels square. This logo appears on the offer listing page in Azure Marketplace or AppSource.
    • An optional 48-pixel square logo may be added later to replace the autogenerated small logo. This logo appears in Azure Marketplace search results or on the AppSource main page and search results.
  • Images, including screenshots
    • Images must be 1280x720 pixel .png files.
    • Images should be of good quality: high resolution, sharp, with legible and readable text.
    • Comparative marketing, including using competitor logos or trademarks, is not allowed.
  • Videos
    • Videos must be hosted on YouTube or Vimeo; no other video hosts are allowed.
    • Videos must be publicly viewable and embeddable.
    • Videos and their thumbnail images should be of good quality: high resolution, understandable, and related to the offer.
    • Video links must lead directly to the individual video page. No short URLs, "human readable" redirects, or other obfuscating services may be used. Account pages, playlists, or other collection pages are not allowed.

100.4 Acquisition, pricing, and terms

Customers need to understand how to evaluate and acquire your offer. Your listing must accurately describe:

  • How you are providing your offer (for example, as a limited time trial or as a purchase)
  • Pricing, including currency
  • Variable pricing structures
  • Features or content that require an extra charge, whether through in-app or add-in purchases or through other means. Your description must also disclose any dependencies on additional services, accounts, or hardware. Offers cannot have any dependencies on any product or component that is no longer supported or commercially available.

Pricing models must conform to the pricing models supported by the marketplace.

All purchase transactions associated with your offer must begin by using a starting point in the commercial marketplace listing, such as the Contact Me or Get It Now buttons.

Microsoft provides limited native application programming interfaces (APIs) to support in-offer purchases. If your in-offer purchases are not possible with Microsoft's APIs, you may use any third-party payment system for those purchases.

Within the offer listing, you may not redirect or up-sell customers to software or services outside the marketplace. This restriction does not apply to support services that publishers sell outside the marketplace.

You may not promote the availability of your offer on other cloud marketplaces within the offer listing.

The commercial marketplace does not currently support the sale of hardware or professional services. Any offers for hardware must be transacted outside of the marketplace. Charges for services such as support included with your offer and billed through the marketplace may only amount to an ancillary component (less than 10%) of the total price charged to end customers.

100.5 Offer information and support contacts

Customers want to know how to find out more about your offer and how they'll get support for evaluating and using it. Links should include relevant information on the offer's:

  • Terms and conditions
    • Should describe the legal terms between you and your customers governing use of your offer
  • Privacy policy
    • Should detail any of your applicable collection, use, and storage of customer data
  • Support contacts and help options
    • At least one of the following support contact methods must be provided: telephone, email, chat agent, community forum, or a link to a support landing page
    • Links must lead directly to appropriate support information
    • If access to support requires authentication, login credentials (used only for link authentication) must be provided in the notes for certification when you submit your offer
  • Documentation
    • Should be available, detailed, instructive, and current
    • Documents must be .pdf format, and should not be blank or consist entirely of embedded images
  • "Learn More" links to additional offer information
  • Transaction information

A CRM system must be connected with the Lead Destination configured in the Customer Leads section of the Offer Setup.

Links must be functional, accurate, and must not jeopardize or compromise user security. For example, a link must not spontaneously download a file. All links provided throughout the offer metadata, including the above listed options and in any other metadata fields, must be served using the secure HTTPS protocol.

100.6 Personal information

Customers and partners care about the security of their personal information. Personal Information includes all information or data that identifies or could be used to identify a person, or that is associated with such information or data. Your listing must not include third-party personal information without authorization. Your listing must include a link to your privacy policy for the listed offer.

100.7 Accurate source

Customers want to know who they are dealing with and expect clarity about the offers and relationships they rely on. All content in your offer and associated metadata must be either originally created by the offer provider, appropriately licensed from the third-party rights holder, used as permitted by the rights holder, or used as otherwise permitted by law. Offers must be unique and cannot duplicate an offer made available by another publisher on the marketplace.

When referring to Microsoft trademarks and the names of Microsoft software, products, and services, follow Microsoft Trademark and Brand Guidelines.

100.8 Significant value

Offers must provide enough value to justify the investment it takes to learn and use them. Your offer should provide significant benefits such as enhanced efficiency, innovative features, or strategic advantages. Simple utilities, offers with limited scope, or offers that duplicate offerings in well-served areas are not a good fit for the commercial marketplace. Offers must provide a useable software solution.

100.10 Inappropriate content

Customers expect offers to be free of inappropriate, harmful, or offensive content. Your offer must not contain or provide access to such content including, but not limited to content that:

  • Facilitates or glamorizes harmful activities in the real world.
  • Might pose a risk of harm to the safety, health, or comfort of any person or to property.
  • Is defamatory, libelous, slanderous, or threatening.
  • Is potentially sensitive or offensive or that advocates discrimination, hatred, or violence based on membership in a particular racial, ethnic, national, linguistic, religious, or other social group, or based on a person's gender, age, or sexual orientation.
  • Facilitates or glamorizes excessive or irresponsible use of alcohol or tobacco products, drugs, or weapons.
  • Contains sexually explicit or pornographic content.
  • Encourages, facilitates, or glamorizes illegal activity in the real world, including piracy of copyrighted content.
  • Includes excessive or gratuitous profanity or obscenity.
  • Is offensive in any country/region to which your offer is targeted. Content may be considered offensive in certain countries/regions because of local laws or cultural norms.

100.11 Security

Customers want to be confident that offers are safe and secure. Your offer must not jeopardize or compromise user security, the security of the Azure service, or related services or systems.

If your offer collects credit card information, or uses a third-party payment processor that collects credit card information, the payment processing must meet the current PCI Data Security Standard (PCI DSS).

Your offer must not install or launch executable code on the user's environment (beyond what is identified in or may reasonably be expected from the offer listing) and must be free from malware and security vulnerabilities.

Report suspected security events, including security incidents and vulnerabilities of your marketplace software and service offerings, at the earliest opportunity.

100.12 Functionality

Customers expect offers to deliver what they promise. Your offer must provide the functionality, features, and deliverables described in your listing and related materials.

If your offer has trial and paid versions, trial functionality must reasonably resemble the paid version.

Offer user interfaces should not look unfinished. All UI should be intuitive and obvious in purpose, without requiring users to read support documentation for basic tasks.

Your offer should be reasonably responsive. Long wait or processing times should be accompanied by some form of warning or loading indicator.

100.13 Business requirements

Offers you submit to the marketplace must meet applicable business requirements including:

  • Specific qualification or approval by Microsoft as needed
  • Appropriately targeting customer segments, categories, or industries
  • Appropriate configuration including offer type and billing

100.14 Testability

Your offer submission must include any necessary instructions and resources for successful certification of your offer.

200 Virtual Machines

To ensure that customers have a clear and accurate understanding of your offer, please follow these additional listing requirements for Virtual Machines (VM) offers.

200.1 Technical Requirements

Offers you publish to the Marketplace must meet the following technical requirements:

  • The Azure Resource Manager (RM) module may still be used but is being deprecated. We recommend using the Azure PowerShell Az module instead.

In addition to your solution domain, your engineering team should have knowledge on the following Microsoft technologies:

  • Basic understanding of Azure Services
  • Working knowledge of Azure Virtual Machines, Azure Storage and Azure Networking
  • Working knowledge of Azure Resource Manager
  • Working knowledge of JSON

200.2 Business Requirements

The publisher must be registered through Partner Center and approved for the VM billing plan.

The App Description must match the application included in the Virtual Machine and must have been tested for primary functionality after deployment of the VM image in Microsoft Azure.

Usage/distribution of third-party software and consumption of services must be in compliance with all respective redistribution licensing.

200.3 VM Image Requirements

As a VM image contains one operating system disk and zero or more data disks, one Virtual Hard Drive (VHD) is needed per disk. Even blank data disks require a VHD to be created. You must configure the VM operating system (OS), the VM size, ports to open, and up to 15 attached data disks. Regardless of which OS you use, add only the minimum number of data disks needed by the stock keeping unit (SKU).

200.3.1 General

VM image must be provided in the form of a VHD file and built on an Azure-approved base image.

VM image must be deployable and able to provision on Azure from either the Azure Portal or PowerShell scripts.

Must support deployment of the image with at least the publisher recommended Azure VM Size.

While additional configuration steps may be required by the application, deployment of the VM image allows the VM to be fully provisioned and the OS to start properly.

Image should support enablement of VM Extensions including Azure Diagnostics and Monitoring.

Disk count in a new image version cannot be changed. A new SKU must be defined to reconfigure data disks in the image. Publishing a new image version with different disk counts will have the potential of breaking subsequent deployments based on the new image version in cases of auto-scaling, automatic deployments of solutions through Azure Resource Manager templates, and other scenarios.

Image must be well-formed including standard footer.

VHD image must be submitted via a valid and available Shared Access Signature (SAS) URI.

Choose one or both of the Azure PowerShell or Azure command-line interface (CLI) scripting environments to help manage VHDs and VMs.

Image size must be an exact multiple of 1MB.

OS Architecture must be 64 bits.

Image must have been deprovisioned. See Configure the Azure-Hosted VM: Generalize the Image.

200.3.2 Windows

OS disk size validation should be between 30GB and 250GB.

Data disk size should be between 1GB and 1023GB.

Support Compatibility with Serial Console: Windows: Registry.

Application must not have a dependency on the D: drive for persistent data. Azure offers the D: drive as temporary storage only and data could be lost.

Application usage of the data drive must not have a dependency on C: or D: drive letter designations. Azure reserves C: and D: drive letter designations.

Build lean and limit possible cloud compatibility issues by avoiding dependency and not including specialized Windows Server roles and features such as Failover Cluster, DHCP, Hyper-V, Remote Access, Rights Management Services, Windows Deployment Services, BitLocker Drive Encryption on OS disk, and Network Load Balancing Windows Internet Name Service.

200.3.3 Linux

No swap partition on the OS disk. Swap can be requested for creation on the local resource disk by the Linux Agent. It is recommended that a single root partition is created for the OS disk.

Leverage Endorsed Linux distributions on Azure: /azure/virtual-machines/linux/endorsed-distros. Custom images may be subject to additional validation steps and requiring specific approval from Microsoft.

OS disk size validation should be between 30GB and 1023GB.

Data disk size validation should be between 1GB and 1023GB.

Support Compatibility with Serial Console – parameter Linux: console=ttyS0.

The latest Azure Linux Agent should be installed using the repair manager (RPM) or Debian package. You may also use the manual install process, but the installer packages are recommended and preferred.

No swap partition on the OS disk. Swap can be requested for creation on the local resource disk by the Linux Agent. It is recommended that a single root partition is created for the OS disk.

Choose one or both of the Azure PowerShell or Azure command-line interface (CLI) scripting environments to help manage VHDs and VMs.

Secure Shell (SSH) server should be included by default.

200.4 VM Image Generalization

All images in the Azure Marketplace must be reusable in a generic fashion. To achieve this reusability, the operating system VHD must be generalized, an operation that removes all instance-specific identifiers and software drivers from a VM. The operating system VHD for your VM image must be based on an Azure-approved base image that contains Windows Server or SQL Server.

If you are installing an OS manually, then you must size your primary VHD in your VM image. For Windows, the operating system VHD should be created as a 127-128 GB fixed-format VHD. For Linux, this VHD should be created as a 30-50 GB fixed-format VHD.

Windows OS disks are generalized with the sysprep tool. If you subsequently update or reconfigure the OS, you must rerun sysprep.

Ensure that Azure Support can provide our partners with serial console output when needed and provide adequate timeout for OS disk mounting from cloud storage. Images must have the following parameters added to the Kernel Boot Line: console=ttyS0 earlyprintk=ttyS0 rootdelay=300.

200.5 Security

Ensure that you have updated the OS and all installed services with all the latest security and maintenance patches. Your offer should maintain a high level of security for your solution images in the Marketplace.

All the latest security patches for the Linux distribution must be installed and industry guidelines to secure the VM image for the specific Linux distribution must be followed. It is recommended that Logical Volume Manager (LVM) should not be used.

Images should not include significant Common Vulnerability and Exposures. Verify the following:

  • Windows must have the latest security patches.
  • Linux minimum kernel versions including latest security patches.
  • Latest versions of required libraries should be included:
    • OpenSSL v1.0 or greater.
    • Python 2.6+ is highly recommended.
    • Python pyasn1 package if not already installed.
    • Linux Azure Agent 2.2.10 and above should be installed.
  • Firewall rules must be disabled unless application functionally relies on them, such as for a firewall appliance.
  • The source code and resulting VM image must be scanned for malware and verified to be malware free.
  • All code that is considered suspicious (such as penetration tests and exploits) shall be identified and disclosed to limit false positive detections by malware monitoring tools.
  • All non-OS scheduled tasks shall be well identified to limit exposure to CRON job type malware.
  • Limit the attack surface by keeping a minimal footprint with only necessary Windows Server roles, features, services, and networking ports.
  • Applications should not have a dependency on restricted usernames such as 'Administrator,' 'root', and 'admin'.
  • Bash/Shell history entries must be cleared.

Your offer should use a secure OS base image.

  • The VHD used for the source of any image based on Windows Server must be from the Windows Server OS images provided through Microsoft Azure.
  • Do not use the solution VHD (such as the C: drive) to store persistent information.
  • The VHD image must only include necessary locked accounts that do not have default passwords that would allow interactive login; no back doors are allowed.
  • All sensitive information, such as test SSH keys, known hosts file, log files, and unnecessary certificates, must be removed from the VHD image.

200.6 Testing and Certification

After you create and deploy your Virtual Machine (VM), you must test and submit the VM image for Azure Marketplace certification with the Certification Test Tool. Instructions for using the tool are available at the Certify your VM image page. If any of the tests fail, your image is not certified. In this case, review the requirements and failure messages, make the indicated changes, and rerun the test.

During the publishing process, you must provide a uniform resource identifier (URI) for each virtual hard disk (VHD) associated with your SKUs. Microsoft needs access to these VHDs during the certification process. When generating shared access signature (SAS) URIs for your VHDs, adhere to the following requirements:

  • Only unmanaged VHDs are supported.
  • List and Read permissions are sufficient; do not provide Write or Delete access.
  • The duration for access (expiry date) should be a minimum of three weeks from when the SAS URI is created.
  • To safeguard against Coordinated Universal Time (UTC) variations, set the start date to one day before the current date; for example, if the current date is October 6, 2019, select 10/5/2019.

Review and verify each generated SAS URI by using the following checklist. Verify that:

  • The URI is of the form: <blob-service-endpoint-url> + /vhds/ + <vhd-name>? + <sas-connection-string>
  • The URI contains your VHD image filename, including the filename extension ".vhd"
  • Towards the middle of the URI, sp=rl appears; this string indicates that Read and List access is specified
  • After that point, sr=c also appears; this string indicates that container-level access is specified

You can use the VM Self-test Service API to pre-validate that a Virtual Machine (VM) meets the latest Azure Marketplace publishing requirements.

Preview images are stored during the testing and preview phase of the offer publication process and are not visible to customers. Microsoft may remove inactive images from storage.

220 Network Virtual Appliances (NVAs)

An NVA offer submitted to Azure Marketplace goes through the certification process. To ensure the offer is certified and published on Azure Marketplace, it must meet all the following requirements.

220.1 NVA Internal Service Error

NVA Offers are qualified by a certification service that can sometimes result in an internal error. In this case, publisher will see an error message with Policy ID as 220.1 and no action is needed by the publisher.

220.2 NVA VHD Access

The certification process begins by accessing the Virtual Hard Disk (VHD) image of your offer. Ensure the VHD can be accessed without any issue.

  • The correct SAS URL is provided for the VHD
  • The VHD is accessible
  • The NVA image is generalized

220.3 NVA Deployment

Ensure the NVA offer can be deployed successfully within 20 minutes.

220.4 NVA Reboot

To maintain reliability of an NVA on the Azure platform, we conduct reboot tests. Ensure your appliance can successfully reboot and is reachable on port 22 within 20 minutes for the following scenarios:

  • NVA with 1 Network Interface Card (NIC)
  • NVA with 3 NICs
  • NVA with 7 NICs

220.5 NVA Redeployment

After the initial deployment of an NVA, ensure the NVA can be deallocated and redeployed. A successful redeployment must be completed within 20 minutes. We test three scenarios:

  • NVA with 1 NIC
  • NVA with 3 NICs
  • NVA with 7 NICs

220.6 NVA High Availability

One of the most common architectures is to deploy NVAs in a High Availability configuration using a Load Balancer. To pass this test, ensure the following requirements are met:

  • The NVA is reachable through the Internal load balancer's frontend IP
  • For High Availability configurations, the appliance must be compatible with the HA Ports feature on the Internal Load Balancer

220.7 Network Virtual Appliances (NVA)

220.8 NVA Accelerated Networking

Please ensure the following requirements are met for Accelerated Networking testing:

  • Accelerated Networking can be enabled and disabled on a NIC in the NVA VM
  • Traffic is allowed through the NVA NICs on which Accelerated Networking is enabled and disabled

220.9 NVA Multi-NIC basic

Ensure that when NVA is deployed with multiple NICs, the private IP address and MAC address of the NVA Network Interface Cards (NICs) are unchanged after redeployment.

220.10 NVA Network Disruption

On a VM deployed using the NVA image, verify that after configuring a Network Security Group (NSG) to block all incoming traffic, the VM status remains Running.

300 Azure Applications

The policies listed in this section apply only to Azure Applications offers.

300.1 Value proposition and offer requirements

The Azure Application offer type must be used when the following conditions are required:

  • You deploy a subscription-based solution for your customer using either a VM or an entire IaaS-based solution.
  • If you or your customer requires that the solution be managed by a partner, then the Azure Application SKU type should be used.

Container offers are not supported for Azure applications in the commercial marketplace.

Custom meters may only be used for the consumption or usage of software (for example, counting messages sent through an email platform or consuming credits that indicate software usage).

300.2 Acquisition, pricing, and terms

The resources will be provisioned in the customer's Azure subscription. Pay-as-you-go (PAYGO) virtual machines will be transacted with the customer via Microsoft, billed via the customer's Azure subscription (PAYGO).

In the case of bring-your-own-license, Microsoft will bill infrastructure costs incurred in the customer subscription, and you will transact your software licensing fees to the customer directly.

300.3 Functionality

VMs must be built on Windows or Linux.

Azure applications must be deployable through the commercial marketplace.

300.4 Technical requirements

For more details on the following requirements, see the Azure Resource Manager Templates best practices guide.

300.4.1 Code

Code must pass the best practice tests.

Code must address any comments provided as part of the code review in the certification process.

300.4.2 Security

All firewall rules and network security groups (NSGs) must be reasonable for the application.

Role-based access control (RBAC) assignments should use the least privilege required and must have a justification for "owner".

Passwords in createUIDef must have a minimum of 12 characters or use the default settings.

Managed Service Identity (MSIs) must be assigned a role. Unused MSIs must be removed.

300.4.3 Variables

Any declared variables must be used.

300.4.4 Parameters

Any declared parameters must be used.

Values such as username and password (secrets) must always be parameterized.

Any defaultValue supplied for a parameter must be valid for all users in the default deployment configuration.

  • Do not provide default values for user names, passwords (or anything that requires a SecureString, or anything that will increase the attack surface area of the application.

Templates must have a parameter named location for the primary location of resources.

  • The default value of this parameter must be [resourceGroup().location].
  • The location parameter must not contain allowedValues. Location values may be restricted in CUID but not the template.

Do not use allowedValues for lists of things that are meant to be inclusive (for example, all VM SKUs). allowedValues should only be used for exclusive scenarios. Overusing allowedValues will block deployment in some scenarios. Resources without built-in controls in createUIDef may only be populated with values that can be validated in createUIDef.

300.4.5 Resources

Top-level template properties must be in the following order:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/...",
  "contentVersion": "1.0.0.0",
  "apiProfile": "...",
  "parameters": {},
  "functions": {},
  "variables": {},
  "resources": [],
  "outputs": {},
}

All empty or null properties that are not required must be excluded from the templates.

Resource IDs must be constructed using one of the resourceId() functions.

Any reference to a property of a resource must be done using the reference() function.

Hard-coded or partially hard-coded URIs or endpoints are not allowed.

The apiVersion specified for a resource type must be no more than 24 months old. A preview apiVersion must not be used if a later version (preview or non-preview) is available.

The apiVersion property must be a literal value.

Each VM extension resource must have the autoUpgradeMinorVersion property set to true.

Any secureStrings used by extensions must use protectedSettings.

300.4.6 CUID (createUIDef)

Regex validation of textbox controls must match the intent of the control and properly validate the input.

All properties must be output for each control in createUIDef.

300.4.7 Deployment artifacts

All of the artifacts needed for deployment must be included in the zip file submitted for publishing.

mainTemplate.json and createUIDefinition.json must be in the root of the folder.

Applications that create resources for which there is no createUIDefinition element must not prompt for input of any names or properties of these resources that cannot be validated.

Scripts, templates, or other artifacts required during deployment must be staged to enable a consistent deployment experience throughout the development and test life-cycle, including command line deployment with the scripts provided at the root of the repository. To do this, two standard parameters must be defined:

  • _artifactsLocation – The base URI where all artifacts for the deployment will be staged. The defaultValue must be [deployment().properties.templateLink.uri].
  • _artifactsLocationSasToken – The sasToken required to access _artifactsLocation. The default value should be an empty string ("") for scenarios where the _artifactsLocation is not secured.

300.4.8 VM image references and disks

All imageReference objects for virtual machines or virtual machine scale sets must use core platform images, or images that are available in the commercial marketplace. Custom images cannot be used.

An imageReference using an image from the commercial marketplace cannot be a preview or staged version of the image in production deployments.

An imageReference using an image from the commercial marketplace must include information about the image in the plan object of the virtual machine.

If a template contains an imageReference using a platform image, the version property must be the latest version.

VM sizes must be selected using the VM SizeSelector control in createUIDef, and passed to the template as a parameter.

VM sizes in allowed values must match the storage type selection (premium, standard, or standard SSD).

OS Disks and Data Disks must use implicit managed disks.

400 Azure container offers

When publishing an Azure container offer in Partner Center, ensure you follow the policies listed below. This ensures customers can easily find and deploy your offer securely and easily in the commercial marketplace.

400.1 Technical requirements

Adhere to the following technical requirements to ensure successful submission of your Azure container offer:

For ‘Transactable Container’ offers,

  • The published container product must be deployable on Azure Kubernetes service. 
  • Ensure the offer is provided as a helm chart with all image repos and digest details included.
  • The container image must be multi-arch enabled with node selectors added.

For ‘Container Image’ offers,

  • Ensure your container product are deployable on AKS clusters and Azure Container Instance.

400.2 Business requirements

Publishing an Azure container offer requires the following:

  • Usage/distribution of third-party software and consumption of services must follow all respective redistribution licensing.
  • Add labels to pods relevant for per-core billing.

400.3 Security

All Container products must adhere to the below security requirements:

  • Ensure the Container images do not contain any malware.
  • Address all known vulnerabilities in your container products before submitting the image for publishing.

600 IoT Edge Modules

To ensure that customers have a clear and accurate understanding of your offer, please follow these additional listing requirements for IoT Edge Modules offers.

600.1 Offer Information

Offers must link to supported IoT Edge devices in the IoT device catalog. General-purpose modules must link to the device catalog with the text "List of compatible IoT Edge certified devices" linked to https://aka.ms/iot-edge-certified.

600.2 Plan Information

SKU metadata must meet the following requirements:

  • Manifest and image tags must be properly formatted and consistent. The "latest" tag must be listed.

  • Defaults must be accurate:

    • Routes must be specific and use the proper syntax.
    • Twin desired properties value syntax must be proper non-escaped JSON, without arrays or values exceeding 512 characters, and with a maximum four (4) levels of nested hierarchy.
    • Environment variable value must be less than 512 characters.
    • createOptions value must be proper non-escaped JSON, without values exceeding 512 characters, and not granting privileged rights unless absolutely necessary.

600.3 Technical Requirements

Containers must meet the following requirements:

  • The "latest" tag must be a manifest tag available in the container registry.
  • All image tags referred to by manifest tags must be present in the registry.
  • All version tags must be immutable.

The module must start, run, and remain stable with the default options.

The "latest" tag must run with the default configuration options on all claimed supported OS/architectures. For general-purpose modules, this means supporting x64, arm32, and arm64 under both Linux and Windows (x64 platform only).

Modules that include the IoT SDK and are set to the PartnerId.OfferIdPlanId must send telemetry.

700 Managed Services

The policies listed in this section apply only to Managed Services offers.

700.1 Value proposition and offer requirements

The term "managed service" or "managed services" must be included somewhere in the offer description.

Managed services offers must have the primary purpose of providing services that manage customers' use of Azure. Offerings, with the primary purpose of selling licenses or subscriptions to software or a platform, must instead be listed as an application.

700.3 Graphic elements

No text other than official logo marks may be used in logo images.

Logo backgrounds should not be black, white, or gradients. If a transparent background is used for the required logos, logo elements should not be black, white, or blue. Hero logos may not use transparent backgrounds.

700.4 Business requirements

You must have Silver or Gold competency levels in Cloud Platform or Security to publish a Managed Service offer.

You should review the managed services publication guidelines before submission.

700.5 Plan details

Plan titles, summaries, and descriptions must be descriptive of the plan.

The billing model for plans must be "Bring your own license".

700.6 Plan manifest details

Manifest version numbers must be in the n.n.n format (for example, 1.2.5).

800 Consulting Services

The policies listed in this section apply only to Consulting Services offers.

800.1 Value proposition

Consulting Services must be fixed in scope and have a defined outcome. Offers with the primary purpose of selling licenses or subscriptions to software or a platform must instead be listed as an application.

800.2 Eligibility requirements

Primary Product: Azure Eligibility Requirement(s)
Azure Silver or Gold competency in at least one of the following areas:
Application Development, Application Integration, Application Lifecycle Management, Cloud Platform, Data Analytics, Data Center, Data Platform, DevOps or Security.



Primary Product: Dynamics 365 Eligibility Requirement(s)
Dynamics 365 Business Central Silver or Gold competency in Enterprise Resource Planning and serving at least three customers
OR
Must have published a Business Central application in Microsoft AppSource.
Dynamics 365 Customer Engagement Applications (Sales, Marketing, Customer Service, Field Service, HR) Silver or Gold competency in Cloud Business Applications – Customer Engagement Option
Dynamics 365 Customer Insights Must have at least one in-production implementation of Dynamics 365 Customer Insights with 50,000 or more unified profiles and refreshed at least once a month.
Dynamics 365 Customer Voice Must have completed the Customer Voice training.
Dynamics 365 Finance and Operations Applications (Finance, Supply Chain Management, Commerce, Project Service Automation) Silver or Gold competency in Cloud Business Applications – Unified Operations Option
Power BI Must be a Solution Partner in the Business Intelligence Partner Program with a Silver or Gold competency in Data Analytics and five [Microsoft Certified: Power BI Data Analyst Associates]s in the organization. Details in section 800.2.6 below.
Power Apps Must have at least one Power Apps customer deployment project validated using the Partner Admin Link (PAL). Details in section 800.2.7 below.
Power Automate Must have at least one Power Automate customer deployment project validated using the Partner Admin Link (PAL). Details in section 800.2.9 below.
Power Virtual Agents Silver or Gold competency in Cloud Business Applications with five or more resources certified on the Power Platform exam (PL200, PL400). Details in section 800.2.10 below.



Primary Product: Microsoft 365 Solution Path Eligibility Requirement(s)
Adoption and Change Management Silver or Gold competency in Cloud Productivity.
Calling for Microsoft Teams Silver or Gold competency in Cloud Productivity or Communications.
Cloud Security Silver or Gold competency in Security.
Compliance Advisory Services Silver or Gold competency in Security or Enterprise Mobility Management.
Device Deployment and Management Silver or Gold competency in Enterprise Mobility Management or Windows and Devices.
Firstline Workers Silver or Gold competency in Cloud Productivity, Enterprise Mobility Management, or Security.
Identity & Access Management Silver or Gold competency in Security or Enterprise Mobility Management.
Information Protection & Governance Silver or Gold competency in Security or Enterprise Mobility Management.
Insider Risk Silver or Gold competency in Security or Enterprise Mobility Management.
Knowledge and Insights Silver or Gold competency in Collaboration and Content or Cloud Productivity.
Meetings for Microsoft Teams Silver or Gold competency in Cloud Productivity or Communications.
Meeting Rooms for Microsoft Teams Silver or Gold competency in Cloud Productivity or Communications.
Microsoft 365 Live Events Silver or Gold competency in Cloud Productivity or Communications.
Mobile Device Management Silver or Gold competency in Enterprise Mobility Management or Windows & Devices.
Power Platform for Teams Silver or Gold competency in Cloud Productivity or Cloud Business Applications.
Teams Custom Solutions Silver or Gold competency in Cloud Productivity, Cloud Business Applications, Application Development, or App Integration.
Teamwork Deployment Silver or Gold competency in Cloud Productivity or Small and Midmarket Cloud Solutions.
Threat Protection Silver or Gold competency in Security.
Workplace Analytics Silver or Gold competency in Cloud Productivity or Data Analytics.

For more information on meeting these prerequisites, see the Consulting Services prerequisites.

The following sections provide more detail on publishing requirements for "Power" offer types noted in the table above.

800.2.2 Primary Product: Dynamics 365 Apps on Dataverse and Power Apps

Insufficient Certification (D365 Dataverse) To publish a Dynamics 365 Apps on Dataverse and Power Apps consulting service offer in the marketplace, you must be Gold or Silver certified in the Cloud Business Applications Customer Engagement option.

Resubmit your offer after earning the required competency. If your competency is in progress, wait until it becomes active to resubmit your offer.

For more information on the required competency, see Cloud Business Applications Competency.

To learn more about checking the status of your competency, see Competencies report available from the Partner Center Insights dashboard.

800.2.3 Primary Product: Dynamics 365 Finance and Operations

Insufficient Certification (D365 FO) To publish a Dynamics 365 Finance and Operations consulting service offer in the Marketplace you must be Gold or Silver certified in Cloud Business Applications – Unified Operations option.

Resubmit your offer after earning the required competency. If your competency is in progress, please wait until it becomes active to resubmit your offer.

For more information on the required competency, see Cloud Business Applications Competency.

To learn more about checking the status of your competency, see Competencies report available from the Partner Center Insights dashboard.

800.2.4 Primary Product: Dynamics 365 Customer Insights

Insufficient Qualifications (D365 CI) To publish a Dynamics 365 Customer Insights consulting service offer in the Marketplace you must have at least one in-production implementation of Dynamics 365 Customer Insights with 50,000 or more unified profiles and refreshed at least once a month. Please resubmit your offer after completing all requirements.

800.2.5 Primary Product: Dynamics 365 Business Central

Insufficient Certification (D365 BC) To publish a Dynamics 365 Business Central consulting service offer in the Marketplace you must be Gold or Silver certified in the Enterprise Resource Planning competency and serve at least three customers OR must have published a Business Central application in Microsoft AppSource. Please resubmit your offer after earning the required competency. If your competency is in progress, please wait until it becomes active to resubmit your offer.

For more information on the required competency, see Cloud Business Applications Competency.

To learn more about checking the status of your competency, see Competencies report available from the Partner Center Insights dashboard.

800.2.6 Power BI

To publish a Power BI consulting service offer on AppSource, you must be a Solution Partner in the Business Intelligence Partner Program.

Requirements:

  1. Attain your competency.

  2. Get certified.

  3. Request status change.

    • Email pbiptnr@microsoft.com with attached proofs of program tier requirements.
    • Receive updated status.
    • On review approval, submit a Power BI consulting service offer.

Read more details about Announcing a new name for the Data Analyst Associate certification.

* Exam DA-100 / Microsoft Certified: Data Analyst Associate certification will be retired on March 31, 2022 and accepted until March 31, 2023.
** Exam PL-300 / Microsoft Certified: Power BI Data Analyst Associate certification is accepted as of February 28, 2022.

800.2.7 Power Apps

To publish a Power Apps consulting offer in the marketplace you must have at least one Power Apps customer deployment project validated using the Partner Admin Link (PAL).

To learn more about the Partner Admin Link (PAL) association, see Link a partner ID to your Power Platform and Dynamics Customer Insights accounts and leverage the partner facing assets at Partner learning path.

OR meet both the following Competency and Certification requirements:

Competency: Your company must have at least one of the following active Gold competencies:

  • Cloud Business Applications
  • Cloud Platform
  • Small and Mid-Market Cloud Solutions
  • Cloud Productivity
  • Application Integration
  • Application Development
  • Data Analytics

AND

Certification: Your company must have individuals pass the following certifications:

Certifications can be held by the same or different individuals.

* Exam MB-600: Microsoft Dynamics 365 + Power Platform Solution Architect will be accepted until June 30, 2022.

800.2.9 Power Automate

To publish a Power Automate consulting offer in the marketplace you must have at least one Power Automate customer deployment project validated using the Partner Admin Link (PAL).

To learn more about the Partner Admin Link (PAL) association, see Link a partner ID to your Power Platform and Dynamics Customer Insights accounts and leverage the partner facing assets at Partner learning path.

OR meet both the following Competency and Certification requirements:

Competency: Your company must have at least one of the following active Gold competencies:

  • Cloud Business Applications
  • Cloud Platform
  • Small and Mid-Market Cloud Solutions
  • Cloud Productivity
  • Application Integration
  • Application Development
  • Data Analytics

AND

Certification: Your company must have individuals pass the following certifications:

Certifications can be held by the same or different individuals.

* Exam MB-600: Microsoft Dynamics 365 + Power Platform Solution Architect will be accepted until June 30, 2022.

800.2.10 Power Virtual Agents

To publish a Power Virtual Agents consulting offer in the marketplace you must meet both of the following Competency and Certification requirements:

Competency: Your company must have at least one of the following active Gold competencies:

  • Cloud Business Applications
  • Cloud Platform
  • Small and Mid-Market Cloud Solutions
  • Cloud Productivity
  • Application Integration
  • Application Development
  • Data Analytics

AND

Certification: Five individuals must achieve MSFT Certified: Power Platform Functional Consultant Associate.

800.3 Title

Your Title must follow the format "Offer Name: Duration Service type." For example, "CompanyX - Database Security: 2-wk Implementation."

Your offer Title must not include your company name unless it is also a product name. For example, "CompanyX 3-Wk Assessment."

The offer type must match the type specified during submission.

800.4 Summary and description

The Summary and Description must provide enough detail for customers to clearly understand your offer, including:

  • Service deliverables and outcomes.
  • Agendas for workshops longer than one day.
  • Detailed itemization of briefing and workshop topics.

Any Applicable Products and keywords defined during submission must be directly relevant to the offer.

If mentioned in the summary or description, the offer type must match the type specified during submission.

800.4.1 Quality

Duplicate Description The descriptions cannot be the same for multiple offers. Each description should accurately represent and differentiate the services associated with the offers. 7For more information, please see:

Missing Estimated Price Rationale If you provide an estimated price, an explanation of why it is estimated and what factors influence the final price must be included in the description. Please update the description with this information and resubmit your offer.
Example: Price is based on scope of work

For more information, please see:

Extraneous Content in Description Your description includes a notable amount of marketing or promotional information not directly relevant to the offer. Please remove the extraneous content and resubmit your offer. For more information, please see:

800.4.2 Content

Summary

Please briefly describe the purpose or goal of your offer in 200 characters or fewer. Your summary cannot be the same text as the title of the offer. This will be displayed in the search box and must be different from the name of the offer.

Example: Free 2 hour assessment on how to use Office 365 and SharePoint with Power Apps, Power Automate, Dataverse, and Power BI by industry leading partner, trainer, and thought leaders. See Offer Listings.

Primary Product Content

Explain how the primary product is part of this offer by specifically mentioning it and making it clear. Our goal is not to just publish your offer, but to drive more leads that will help move your business forward. It needs to be clear to the potential customer how your service is going to help their business. See Primary products and online stores.

Deliverables and Outcomes

Your description needs to have deliverables and outcomes using Markdown language for bullet points. Examples:


### Deliverables 
* List of applicable solutions that can be built using Office 365, SharePoint, Power Apps, Flow, Power BI, > and Dataverse 
* Skill gap assessment of your current staff 
* License review 
* Recommendations on where and how to start using Power Apps, Flow, CDS, and Power BI with SharePoint and > Office 365 
 
You may format your description using Markdown formatting (### Header, * Bullet, *Italics*, **Bold**) or simple HTML. Partner Center also allows rich text formatting. 

If you are using HTML, check the PREVIEW before you go live. You may want to switch to Markdown formatting if the bullets aren’t rendering properly.

See Offer Listings.

Agenda

Workshops longer than a day should include a clear daily or weekly agenda in the description. Please see examples below:


### Agenda 
* Day 1: Dashboard-in-a-Day using Power BI 
* Day 2: Design the reporting platform for your enterprise 
* Day 3: Develop and deploy the relevant visualizations on the Power BI reporting platform 
* Day 4 & 5: Remote Support

Or

### Weekly Agenda 
* Week 1: Design the reporting platform for your enterprise 
* Week 2: Develop and deploy the relevant visualizations on the Power BI reporting platform 
* Week 3: Remote Support 
 
You may format your description using Markdown formatting (### Header, * Bullet, *Italics*, **Bold**)  or simple HTML. Partner Center also allows rich text formatting.  

If you are using HTML, check the PREVIEW before you go live. You may want to switch to Markdown formatting if the bullets aren’t rendering properly.   See Offer Listings.

Topics for Briefings

Briefings should include at least four bullets with information on topics to be covered, using Markdown formatting for the bullet points. Examples:


**What does this Briefing include?**
 
* Review your existing Microsoft Excel or Microsoft Access based business processes
* Discuss your current goals and limitations
* The alternatives and approaches with Power Platform
* Review the licensing options and costs
* Discuss the "Citizen Developer" capabilities

You may format your description using HTML. Links to external resources (such as license agreements) should be properly HTML formatted for readability and useability (“clickability”) instead of being plain text URL strings. If you do so, check the Preview before you go live.   If you are using HTML, check the PREVIEW before you go live. You may want to switch to Markdown formatting if the bullets aren’t rendering properly.   See Offer Listings.

Omits Microsoft Cloud Solutions Aspects

The description of your offer must clearly state how it leverages or relates to [Choose one: Microsoft Azure, Microsoft Power BI, etc.] cloud services value propositions, and state how the offer is providing a professional service for the selected primary product. Update the description and resubmit your offer.

See Offer Listings.

Contact Info in Description

The description of your offer should not contain contact information. However, it may direct customers to the "Contact Me" button on the offer page to start a discussion. Update the description and resubmit your offer

800.5 Supporting documents

Your listing may include supporting documents with further information for your offer. Documents may feature Microsoft competing products only in the context of migration to Microsoft products.

1000 Software as a Service (SaaS)

The policies listed in this section apply only to SaaS offers.

1000.1 Value proposition and offer requirements

For your SaaS offer to be listed on Azure Marketplace, it must be substantially built on Microsoft Azure (example: more than 50% of your offer’s infrastructure must use repeatable IP code on Azure).

If your offer requires resources to be deployed in the customer’s tenant (for example, to connect to a database), the following additional requirements apply:

  • You may be asked to provide additional documentation regarding which Azure resources will need to be deployed in the customer’s Azure subscription and how these resources are managed.
  • You must provision the resources in a secure manner. For example, using Azure Role Based Access Control (RBAC), Azure Active Directory Service Principals, or Azure Lighthouse.

For your offer to be listed on AppSource, it must meet these criteria:

  • Integrate with or extend a Microsoft service or product and your offer must describe how it does so.
  • Accept single sign-on from work accounts from any company or organization that has Azure Active Directory (AAD). More information is at Get AppSource certified for Azure Active Directory.

1000.2 Offer targets

Offer categories may only include Internet of things (IoT), if the offer supports Azure IoT Services such as IoT Hub or Device Provisioning Service (DPS), and the partner has been approved by the IoT team.

1000.3 Authentication options

If you choose to sell through Microsoft, the marketplace buyer must be able to activate their subscription using the Azure Active Directory (Azure AD) log in information that they used to purchase your marketplace offer. This means that your offer landing page and your application must allow the marketplace buyer to log in using Azure AD Single Sign-On (SSO). If you process transactions independently using the Get it now or Free trial options, the marketplace user that acquires your offer must be able to log in to your application using Azure AD SSO.

Offers must support both Azure AD and Microsoft Account (MSA) types.

You must limit your Microsoft Graph API request(s) to use only the "User.Read" permissions during the marketplace subscription activation process. Requests requiring additional permissions can be made after the subscription activation process has been completed. See Microsoft’s guidance on incremental consent to learn more.

1000.4 SaaS Fulfillment and Metering APIs

Correctly integrating with the SaaS Fulfillment APIs is a requirement for creating and publishing a transactable SaaS offer in Partner Center. This integration should be maintained for as long as the offer is in Marketplace.

See the technical SaaS fulfillment APIs guidelines.

Please bear in mind that while SaaS metering is optional, the fulfillment API docs do not include the metering service docs. You must additionally integrate with the metering API if you have a SaaS offer that uses meters.

1000.5 Microsoft 365 App and Add-In Linking

Microsoft 365 apps and add-ins linked to your SaaS offer must extend your SaaS offer's user experience and functionality. In addition:

  • You must be the publisher of both the SaaS offer and the app or add-in(s), or
  • You must provide written authorization from the publisher of the SaaS offer or app or add-in to which you are trying to link your offer.

1100 Microsoft 365

The policies listed in this section apply only to Microsoft 365 offers, formerly known as Office 365 offers.

1100.1 General content

Your offer listing must only describe your app or add-in, and not include advertising for other offers.

Your offer description must disclose any app or add-in features or content that require an extra charge, whether through in-app or add-in purchases or through other means.

If your product offers in-app purchases, you must select the "My product requires purchase of a service or offers additional in-app purchases" check box on the Product Setup tab when submitting your offer via Partner Center.

Office add-ins must have a clear value proposition and provide a seamless first run experience (FRE). If users must sign in or sign up to use the add-in, the value proposition must be clear to the user before they do so.

1100.2 Displaying ads

Apps or add-ins can contain ads.

  • The primary purpose of the app or add-in must be more than displaying advertisements.
  • Ads must comply with our content policies and should match our ad design guidelines.
  • Ads should not interfere with app or add-in functionality.

1100.3 Selling additional features

Apps or add-ins running on mobile must not offer any additional features or content for sale.

1100.4 Predictable behavior

Your app or add-in must not make unexpected changes to a user's document.

Your app or add-in must not launch functionality outside of the app or add-in experience without the explicit permission of the user.

Your app experience must not prompt a user to disclose the credentials of a Microsoft identity (for example, Microsoft 365 (formerly called Office 365) or Microsoft Azure Organizational Account, Microsoft Account, or Windows Domain Account) except through Microsoft approved OAuth flow, where your app is authorized to act on behalf of the user.

1100.5 Customer control

Your app or add-in must obtain consent to publish personal information.

Your app or add-in must not obtain, store, pass, or transmit customer information or content without notifying the user.

Your app or add-in must be secured with a valid and trusted SSL certificate (HTTPS).

Your app or add-in may not open pop-up windows unless they are triggered by explicit user action. Pop-up windows must not be blocked by the browser's pop-up blocker when the blocker is set to the default value.

Your app or add-in may not request unreasonably high permissions or full-control permission.

Your app or add-in must have a correctly sized and formatted icon specified in the package or manifest.

Add-ins that depend on external accounts or services must provide a clear and simple sign in/sign out and sign-up experience.

Apps or add-ins that target larger organizations or enterprises:

  • Do not require a sign-in experience for external accounts or services if sign-ups are managed by the enterprise outside of the app or add-in and not by the individual user.
  • Do not require a seamless first run experience and value proposition but must include an email contact or link in the UI so users can learn more about your services.
  • Please refer to this blog post to learn more.

1100.6 Global audience

You must provide details on the offer submission form if your app or add-in calls, supports, contains, or uses cryptography.

1100.7 Easy identification

You must specify language support for your app or add-in within the package manifest. The primary language selected when you submit your offer must be one of the specified supported languages. The app or add-in experience must be reasonably similar in each supported language.

The title may not include your brand or service unless your offer targets a larger organization or enterprise.

  • Microsoft Teams apps may not include the brand or service in the title.

Your app or add-in must not be a duplicate of an app or add-in you have already submitted.

1100.8 Preserving functionality

If you update your app or add-in's pricing or licensing terms, you must continue to offer the original functionality to the existing user base at the original pricing. New pricing and/or licensing terms may only apply to new users.

  • If you update your pricing from free to paid, existing users must receive the same level of functionality as before the update.
  • If you update site license pricing from free to paid or not supported, existing users must continue to be supported for free.
  • Apps or add-ins may convert from free to subscription pricing as long as existing users receive the same level of functionality as before the update. Converting from paid to subscription pricing is not currently supported.

1120 Office add-ins: Word, Excel, PowerPoint, and Outlook

The policies listed in this section apply only to Office add-in offers.

1120.1 Offer requirements

All Office add-ins must use the latest version of the Microsoft-hosted Office.js file at https://appsforoffice.microsoft.com/lib/1/hosted/office.js.

All Office add-ins must use the latest manifest schema.

Specify a valid Support URL in the SupportURL element of your add-in manifest.

A high-resolution icon is mandatory.

Source location must point to a valid web address.

The version number in the app package updates must be incremented.

1120.2 Mobile requirements

Office add-ins also available on iOS or Android:

  • Must not include any in-app purchases, trial offers, UI that aims to up-sell to paid versions, or links to any online stores where users can purchase or acquire other content, apps, or add-ins.
    • The iOS or Android version of the add-in must not show any UI or language or link to any other apps, add-ins, or website that ask the user to pay. If the add-in requires an account, accounts may only be created if there is no charge; the use of the term "free" or "free account" is not allowed. You may determine whether the account is active indefinitely or for a limited time, but if the account expires, no UI, text, or links indicating the need to pay may be shown.
  • The associated Privacy Policy and Terms of Use pages must also be free of any commerce UI or Store links.
  • Must comply with the Outlook add-in design guidelines.

For Office add-ins also available on iOS:

  • You must accept Apple's Terms and Conditions by selecting the appropriate checkbox on the Partner Center app submission form.
  • Your add-in must be compliant with all relevant Apple App Store policies.
  • You must provide a valid Apple ID.

Outlook add-ins with mobile support receive additional design review during validation, which adds to the required validation time. Outlook add-in design guidelines (link above)) describes how your offer will be evaluated during the design review.

1120.3 Functionality

Add-ins must follow design guidelines without impeding the customer experience within the host application.

Your app or add-in must be fully functional with the supported operating systems, browsers, and devices for Office 2016, SharePoint 2013, and Office 365.

  • Your add-in will be tested and evaluated on Windows 10 (build 1903+ on Edge Legacy and earlier builds prior to 1903 with Internet Explorer 11).
  • All features must work on a touch-only device without a physical keyboard or mouse.
  • Your app or add-in must not utilize deprecated functionality.
  • Your add-in may not alter or promote the alteration of Office or SharePoint except via the Office and SharePoint add-ins model.

Add-ins must be compatible with the latest versions of Microsoft Edge, Google Chrome, Mozilla Firefox, and Apple Safari (macOS). Internet Explorer (IE) in Windows is still used in many Office configurations as noted in Browsers used by Office Add-ins. We recommend supporting IE, but if your add-in does not, you should advise users to install the latest Office version. For details, see Determine at runtime if the add-in is running in Internet Explorer.

Add-ins must work in all Office applications specified in the Hosts element in the add-in manifest.

Add-ins must work across all platforms that support methods defined in the Requirements element in the add-in manifest, with the following platform-specific requirements:

  • Add-ins must support Office on web and Mac applications compatible with the APIs listed in the Requirements element.
  • Add-ins that support iOS must be fully functional on the latest iPad device using the latest version of iOS.
  • Add-ins that use the task pane manifest must support add-in commands.
  • Content add-ins for PowerPoint may not activate their content (such as play audio or video) until after the JavaScript API for Office Office.initialize event has been called. This ensures that content display will correctly synchronize with presentations.

To help ensure an efficient validation process, if your add-in supports Single Sign-On, you must provide certification test notes explaining how your add-in uses SSO and what functionality in the add-in uses it. This information is required to ensure the validation team can test the fallback implementation. Offers that support Single Sign-On (SSO) must follow the SSO guidelines and include a fallback authentication method.

1120.4 Outlook add-ins functionality

The policies listed in this section apply only to Outlook add-in offers.

  • All Outlook add-ins must support Outlook on the Web (Modern).
  • Outlook on the Web (Classic) is preferred but optional for requirement sets of 1.5 or lower.
  • Outlook add-ins must not include the CustomPane extension point in the VersionOverrides node.
  • Outlook add-ins that support mobile must allow users to log on separately for each email account added to the Outlook app.
  • Add-in commands must be supported if your add-in is shown on every message or appointment, whether in read or compose mode.
  • If your add-in manifest includes the SupportPinning element for read mode of a message and/or appointment, the pinned content of the add-in must not be static and must clearly display data related to the message and/or appointment that is open or selected in the mailbox.
  • Outlook add-ins must not include the ItemSend event in the Events extension point.
  • If your add-in can use the AppendOnSend feature, you must include a disclosure in your offer description noting in what conditions the option is used and what information is being inserted (for example, "If configured to do so, this add-in appends legal disclaimers to email sent by the user").
  • If your add-in uses the Event Based Activation feature, you must include a disclosure in your offer description noting what information is being inserted in what events or conditions (for example, "Defined Signature will be inserted in Mail subject on composing new e-mail"). To help ensure an efficient validation process, when submitting your offer you must provide certification test notes explaining how to configure and test scenarios for auto launch events in your add-in.
  • Add-ins must not include the “Block” SendMode when using LaunchEvents “OnMessageSend” and/or “onAppointmentSend".

1120.5 Excel custom functions

The policies listed in this section apply only to Excel offers.

1120.5.1 Offer information and support contacts

Your custom functions metadata must have the helpUrl property set.

1120.5.2 Security

To help to ensure the security of your app and users, your custom functions HTML, Javascript, and JSON metadata files must be hosted on the same domain.

1120.5.3 Functionality

Add-ins that contain custom functions must support add-in commands. This is to ensure that users can easily discover your add-in.

Your add-in must work across all platforms that support custom functions.

After an add-in is approved using the EquivalentAddins tag in the manifest, all future updates to the add-in must include this tag. This tag ensures that your custom functions save in XLL-compatible mode.

1120.5.4 Validation

To help ensure an efficient validation process, if your add-in contains custom functions, you must provide certification test notes for at least one custom function to validate them on submission.

1140 Teams

The policies listed in this section apply only to Teams offers.

Refer to the Teams store validation guidelines to get a better understanding of these policies and to increase the likelihood of your app passing the Microsoft Teams store validation process.

1140.1 Value proposition and offer requirements

1140.1.1 App Name

Teams app names must not copy or mimic the title of an existing Teams app or other offer in the commercial marketplace.

Common nouns must be prefixed or suffixed with the publisher’s name (for example, "XYZ Tasks" rather than "Tasks").

1140.1.2 Workplace appropriateness

All content should be suitable for general workplace consumption. Apps must be collaborative and designed for multiple participants. Apps catering to team bonding and socializing needs of Microsoft Teams users may be published. Such apps should not require intense time investment or perceptively impact productivity.

1140.1.3 Other platforms and services

Teams apps must focus on the Teams experience and must not include names, icons, or imagery of other similar chat-based collaborative platforms or services unless the apps provide specific interoperability.

1140.1.4 Access to services

If your app requires an account or service, you must provide a clear way for the user to sign in, sign out, and sign up across all capabilities in your app. Teams apps that depend on authentication to an external service to allow content sharing in channels, must clearly state in their help documentation or similar location how a user can disconnect or unshare any shared content if the same feature is supported on the external service. The ability to unshare the content does not have to be present in the Teams app, but the process should be clearly documented, and the documentation should be accessible from within the app.

1140.3 Security

1140.3.1 Financial transactions

Financial transaction details must not be transmitted to users through a bot interface. Apps may only receive payment information through a user interface linked to a secure purchase API. Apps may only link to secure payment services if the link is disclosed in the App's terms of use, privacy policy, app description, and any profile page or associated website before the user agrees to use the app.

No payment shall be made through an app for goods or services prohibited by General policy 100.10 Inappropriate content.

1140.3.2 Bots and messaging extensions

Bots and Messaging Extensions must follow privacy notice requirements as communicated in the Developer Code of Conduct for the Microsoft Bot Framework and must operate in accordance with the requirements set forth in the Microsoft Bot Framework Online Services Agreement and Developer Code of Conduct for the Microsoft Bot Framework.

1140.3.3 External domains

Domains outside of your organization's control (including wildcards) and tunneling services cannot be included in the valid domains of your manifest, except in the following conditions:

  • If you are using OAuthCard, Token.botframework.com must be in the valid domains list.
  • Teams apps that require their own SharePoint URLs to function may include {teamsitedomain} in their valid domain list.
  • Teams apps built on the Microsoft Power Platform may include apps.powerapps.com in their valid domain list, to enable app to be accessible within Teams.

1140.4 Functionality

1140.4.1 General

App packages must be correctly formatted and conform to the latest release of the manifest schema.

Apps may not launch functionality outside of the Microsoft Teams app experience without the explicit permission of the user.

Graph API permissions requested by apps should align with business scenarios.

Compatibility: Teams apps must be fully functional on the latest versions of the following operating systems and browsers:

  • Microsoft Windows
  • macOS
  • Microsoft Edge
  • Google Chrome
  • iOS
  • Android

For other unsupported operating systems and browsers, apps must provide a graceful failure message.

Response time: Teams apps must respond within a reasonable time frame.

  • Tabs must load within two seconds or display a loading message or warning.
  • Bots must respond to user commands within two seconds or display a typing indicator.
  • Messaging extensions must respond to user commands within two seconds.
  • Notifications based on user actions must be displayed within two seconds.

App listing must contain a minimum of 3 screenshots depicting the app functionality in Teams. Screenshots must also depict app functionality in the Teams mobile clients, where supported.

Videos provided in the app listing must not be more than 90 seconds in duration and must only show how the app works in Teams. You must turn off ads in YouTube/Vimeo settings before submitting the video link in Partner Center.

You must provide test accounts and / or fully configured test environments that are valid in perpetuity (till app is live on the Teams store) for continuous health evaluation of your app.

Apps from the same developer offering the same functionality must share an app listing unless;

  • privacy compliance requirements mandate separate app listings or
  • required to support government cloud.

1140.4.2 Tabs

Teams apps must follow Teams tab design guidelines without impeding the customer experience within the host application.

  • Tab experiences must provide value beyond hosting an existing website.
  • Tabs should not have excessive chrome or layered navigation.
  • Tabs must not provide navigation that conflicts with the primary Teams navigation.
  • Tabs should not allow users to navigate outside of Teams for the core experience.
  • Content in channel tabs must be contextually the same for all members of the channel and must not be scoped for individual use.
  • Configurable tabs are collaborative spaces and should have focused functionality.
  • Tab configuration must happen in the configuration screen, which must clearly explain the value of the experience and how to configure.

1140.4.3 Bots

Teams apps must follow Teams bot design guidelines without impeding the customer experience within the host application.

Bot information in the app manifest must be consistent with the bot's Bot Framework metadata (bot name, logo, privacy link, and terms of service link).

Bots must be responsive and fail gracefully.

Bots must not spam users by sending multiple messages in short succession. Avoid multi turn conversations in a bot response.

Bots in personal scope must send a welcome message on first launch.

Bots in collaborative scope must send a welcome message on first launch if the app has a complex configuration workflow.

Welcome message must follow Bot welcome message guidelines.

Bots in collaborative scope must provide user interaction value in the same scope.

At least one bot command must be listed in the manifest for each scope supported by the bot. Listed bot commands must contain clear command title and description.

Bot commands must not include special characters such as “/”

1140.4.4 Messaging extensions

Teams apps must follow Teams messaging extension design guidelines without impeding the customer experience within the host application.

Action Commands:

  • For action commands triggered from a chat message or channel post, calls to action in apps must incorporate the host app name instead of only using a generic verb (for example, "Start a Skype Meeting" rather than "Start Meeting", "Upload file to DocuSign" rather than "Upload file", and so on).
  • Action commands triggered from a chat message or channel post should leverage the context of the conversation and must not ask users to re-enter this information.

Search commands:

  • Search commands in messaging extensions should enable users to see real-time search results as they type text.
  • Search commands in messaging extensions must provide text that helps users search effectively.

Preview links (link unfurling):

Do not add domains that are outside your control (either absolute URLs or wildcards). For example, yourapp.onmicrosoft.com is valid but *.onmicrosoft.com is not valid. Top-level domains are also prohibited (for example, *.com or *.org).

1140.4.5 Task modules

Teams apps must follow Teams task module design guidelines without impeding the customer experience within the host application.

Task modules should not embed an entire app. Task modules should only display the components required to complete a specific action.

1140.4.6 Meeting extensions

Teams apps must follow Teams meeting extension design guidelines without impeding the customer experience within the host application. Teams meeting apps must provide a responsive in-meeting experience aligned with the Teams meeting experience. If an app offers a pre-meeting or post-meeting experience, these must be relevant to the meeting workflow. In-meeting experience must not take users outside the Teams meeting for core experiences. Apps must provide value beyond only offering custom Together Mode scenes in Teams meetings.

1140.4.7 Notification APIs

Notifications must provide value to the user.

Apps must not spam users by sending multiple notifications in quick succession.

Users must not be redirected outside of Teams when clicking a notification.

1140.4.8 Mobile experience

Teams apps should offer an appropriate cross device mobile experience.

App experiences on iOS and Android:

  • Must not include any in-app purchases, trial offers, UI that aims to up-sell to paid versions, or links to any online stores where users can purchase or acquire other content, apps, or add-ins.
  • Must not show any UI or language or link to any other apps, add-ins, or websites that ask the user to pay. If the add-in requires an account, accounts may only be created if there is no charge; the use of the term "free" or "free account" is not allowed. You may determine whether the account is active indefinitely or for a limited time, but if the account expires, no UI, text, or links indicating the need to pay may be shown.
  • The associated Privacy Policy and Terms of Use pages must also be free of any commerce UI or Store links.

You must provide a valid Apple App Store Connect Team ID in your Partner Center account to enable users to acquire and install your app from the Teams App Store on Teams mobile clients.

1140.5 Teams app linked to Software as a Service (SaaS) offers

The following additional requirements apply for Teams apps linked to a Software as a Service (SaaS) offer.

1140.5.1 Manifest and metadata requirements

  • The manifest for the Teams app must completely and accurately define the SubscriptionOffer details and OfferID of the linked SaaS offer.
  • The SaaS offer linked to the Teams app must meet all requirements defined in 1000 Software as a Service (SaaS).
  • The SaaS offer linked to the Teams app must be live in AppSource and must have at least one plan with pricing.
  • Available pricing plans for the SaaS offer must use a per-user pricing model.
  • Offer metadata should match across the Teams manifest, the Teams app listing in AppSource, and the SaaS offer in AppSource.
  • Plan descriptions and pricing details must provide enough information for users to clearly understand the offer listings.
  • Any limitations or specialized purchase flows must be clearly called out in the app metadata and pricing plan details.

1140.5.2 Purchasing and managing subscriptions

Users must be able to complete the end-to-end purchase flows with adequate information at each step.

  • Users completing a purchase must be able to activate and configure the subscription in the SaaS application.
  • Users completing a purchase must be able to manage licenses, including assigning and removing licenses, reassigning licenses among users, and authorizing users to manage licenses.
  • Any modifications in purchased licenses or plans must be reflected in the SaaS application with correct license counts, subscription details, and user assignments.

Admin users must be able to complete end-to-end bulk purchase flows from the Microsoft Teams Admin Center.

After successful purchase and assignment of licenses, your offer must provide enough value to justify the purchase and users must have access to the subscribed plan features in Teams.

1140.5.3 Testability and technical requirements

For testing purposes, your Teams app submission to Partner Center must include an end-to-end (E2E) functional document, linked SaaS offer configuration steps, and instructions for license and user management as part of the Notes for Certification.

The offer must meet all the technical requirements for Teams apps linked to a SaaS offer.

1140.6 Publisher Attestation

Teams apps must complete Publisher Attestation in Partner Center.

1140.7 Advertising

Teams apps may not include advertising.

1160 SharePoint add-in

The policies listed in this section apply only to SharePoint add-in offers.

1160.1 Security

Add-ins must not have any unauthenticated pages or APIs, except for the error page.

  • An unauthenticated error page should not link to other pages or other protected resources of the add-in.

If the solution requires full trust (formerly known as high trust) permissions, you will need to follow the guidelines from this Developer Blog post.

1160.2 Functionality

SharePoint add-ins must be fully functional with Windows 7, Windows 10, all versions of Internet Explorer 11 and later, and the latest versions of Microsoft Edge, Google Chrome, and Mozilla Firefox.

Add-ins designed for the modern SharePoint experience are not required to support the classic SharePoint experience. If your add-in supports only the classic experience, you must include that limitation in your add-in description.

Add-ins must not have remote debugging settings enabled. The manifest for your add-in must not include the DebugInfo element.

1170 SharePoint Framework Solutions

The policies listed in this section apply only to SharePoint Framework Solutions offers.

1170.1 Value proposition and offer requirements

SharePoint Framework (SPFx) solutions must clearly declare in the description the type of SPFx components that are included in the package.

1170.2 Security

SharePoint Framework solutions can request any permissions with the solution manifest. High permissions requests will need to be justified and clarified as part of the solution submission process.

Needed permissions must be automatically configurable with the manifest file.

1170.3 Functionality

SharePoint Framework (SPFx) solutions must be correctly formatted and conform to the latest SPFx versions.

Solutions must be fully functional with Windows 10 and the latest versions of Microsoft Edge, Google Chrome, and Mozilla Firefox. Solutions are only required to be tested in the non-root site of a modern SharePoint site. Test SPFx solutions on /appsmod only.

Response times must be reasonable. Responses that take more than three seconds must display a loading message or warning.

1170.4 Branding and advertising

SharePoint Framework solutions may not include advertising.

1170.5 Validation

SharePoint Framework (SPFx) solutions must be submitted with full configuration instructions in the Notes for Certification.

Offers should include the E2E functional document. Alternatively, SPFx solution functionality demonstration video links can be included in the Notes for Certification.

1180 Power BI visuals

The policies listed in this section apply only to Power BI offers.

1180.1 Acquisition, pricing, and terms

Power BI visuals must be free but can offer additional purchases.

1180.2 Functionality

Your visual must support Power BI Desktop, Power BI Online, Power BI mobile apps, and Power BI Windows universal apps. It must be compatible with supported operating systems, browsers, and devices for Power BI, including touch-only devices without a physical keyboard or mouse.

All visuals must support the context menu (right click menu). You can learn more about the context menu here.

Your visual must support the core functions of Power BI for that visual type, including but not limited to pinning to dashboard, filtering focus mode, and formatting various data types.

Data type support will be evaluated based on the following tests:

  • String values
  • Empty values
  • Negative values
  • Lots of rows (at least 20,000 rows)
  • Large numbers of 16 digits

Your visual must not launch functionality outside of the visual experience without the explicit permission of the user.

Your visual and its description must not prompt the user to install any additional files.

Your visual must not prompt a user to disclose the credentials of a Microsoft identity (for example, Microsoft 365 (formerly called Office 365) or Microsoft Azure Organizational Account, Microsoft Account, or Windows Domain Account) except through Microsoft approved OAuth flow, where your visual is authorized to act on behalf of the user.

Your visual may not open pop-up windows unless they are triggered by explicit user action. Pop-up windows must not be blocked by the browser's pop-up blocker when the blocker is set to the default value.

Your visual may not request unreasonably high permissions or full-control permission.

Visuals that depend on external accounts or services must provide a clear and simple sign in/sign out and sign-up experience.

Power BI visuals must be accompanied by a sample file in .pbix format. The version and content of the .pbiviz file should match the corresponding visual contained in the .pbix sample file. For the best user experience, consider adding Hits and Tips for using the visual to the sample file.

1200 Power BI visuals additional certification

The policies listed in this section apply only to Power BI visuals offers.

1200.1 Certification requirements

1200.1.1 Code repository

Your visual source code must conform to the visual code repository requirements.

The code repository for your visual should be available and correctly formatted.

1200.1.2 Code quality

Your source code should be readable, maintainable, expose no functionality errors, and correspond to the provided visual's package.

1200.1.3 Code security

Your source code should comply with all security and privacy policies. Source code must be safe and not pass or transmit customer data externally.

1200.1.4 Code functionality

Running visual development related commands on top of your visual source code should not return any errors.

Visual consumption should not expose any errors or failures and must ensure the functionality of any previous version is preserved.

1200.1.5 Update without advanced certification

Power BI Visual additional certification does not apply automatically to updated visuals. All updates to certified Power BI Visuals must also be certified as part of the submission process.

1200.2 Duplicate offers

Visuals that rely on access to external services or resources are not eligible to be certified Power BI visuals.

You may submit duplicate versions of visuals to the Marketplace: a non-certified version that uses external services or resources, and a certified version that does not use external services or resources. The offer that accesses external services or resources must clearly state so in the description.

1240 Power BI Template Apps

To ensure customers have an accurate understanding of your offer, please follow these additional listing requirements for Power BI App offers.

1240.1 Value Proposition and Offer Requirements

Offer titles must not include "(Preview)".

Descriptions and summaries should not use the deprecated term "content packs". New app offers may use the term "template apps".

1240.2 Technical Validation

Publisher ownership of the offer must be verifiable.

Offer updates should use the same Power BI tenant and workspace as previous offer versions.

Power BI apps may not be published more than once via different offers.

Offers should successfully install within two minutes and load within thirty seconds.

All UI aspects should be publication ready. This includes:

  • Overall look and feel
  • Reports and dashboards
  • Titles
  • Visuals and text
  • Logos and graphics
  • Content (static and generated)

Organization-specific Power BI visuals may not be used.

Sample data is not supported for new (not yet published) offers. Offers must be able to connect with customer data.

When "Connect Data" is available, test accounts, parameters, and/or additional instructions must be included in the offer's validation instructions, and custom parameters should not produce any errors.

1400 Dynamics 365 Business Central

The policies listed in this section apply only to Dynamics 365 Business Central offers.

1400.1 Value proposition and offer requirements

For more information on any of the following marketing requirements, please see the marketing validation checklist.

1400.1.1 Language

Offer listings and all linked information, including any landing pages, graphics, documentation, and support options may be presented in languages other than English. If the listing is presented in a language other than English, a .pdf document with the offer name, summary, description, and support contact details translated into English must be included.

See Language, branding, and Microsoft images.

1400.1.2 Branding

Microsoft branding must be consistent throughout your communications:

  • "Microsoft Dynamics 365 Business Central" for first mention and all prominent locations (title, headings, and so on)
  • "Dynamics 365 Business Central" on second mention
  • "Business Central" on subsequent mentions

Microsoft trademarked imagery (including the Microsoft, Dynamics, and Business Central logos) may not be used.

See Language and branding.

1400.1.3 Name

Two naming structures are allowed for offer names:

  • (Your offer name) for Microsoft Dynamics 365 Business Central
    Example: Sales & Inventory Forecast for Microsoft Dynamics 365 Business Central
  • (Your offer name)
    Example: Sales & Inventory Forecast

See Offer name.

1400.1.4 Summary

Offer summaries must summarize the value proposition of your offer in one short and concise sentence.

See Offer summary.

1400.1.5 Description

Offer descriptions may be a maximum of 5,000 characters.

See Offer description.

Offer descriptions must clearly state which edition(s) (Essentials, Premium, or both), countries, and languages are supported by your offer. Please use the following template in your description:

Supported Editions
This app supports the Essentials and Premium Editions of Dynamics 365 Business Central
Supported Countries
Canada, Mexico, and United States
Supported Languages
This app is available in English (United States) and Spanish (Mexico).

See Supported editions and Supported countries.

1400.1.6 Keywords

If keywords are used, a maximum of three keywords may be provided.

See Supported products, keywords, and hide key.

1400.2 Graphic elements

For more information on any of the following marketing requirements, see the marketing validation checklist.

1400.2.1 Logos

Any text included in the logos must be legible.

See Offer logo.

1400.2.2 Screenshots

Screenshots of Business Central must show the latest web client user interface.

See Screenshots.

1400.2.3 Videos

Videos including Business Central must show the latest web client interface.

See Videos.

1400.3 Acquisition, pricing, and terms

Add-on apps may be either "Free", "Free or Trial", or "Contact me". Connect and Localization apps must be listed as "Contact Me".

See Industries, categories, app type.

Supported countries must be selected on submission.

See Supported countries, languages, app Version, and app release date.

1400.4 Offer information and support contacts

The offer Help Link and Support Link should not be identical, unless a single page covers all Help Link and Support Link requirements below.

  • The Help Link should be a landing page on your website that provides help resources such as documentation, FAQs, step-by-step guides, webinars, and so on.
  • The Support Link should be a distinct support page on your website, that includes contact options and documentation including defined service level agreements (SLAs). These should include at least two of the following options: email, phone number, live chat (if possible), and address.

See Help URL and Support URL.

The offer's Privacy Policy and Terms of Service links have the following requirements:

  • The Privacy Policy must include DPO contact details for customer enquiries regarding data usage.
  • The Terms of Service may be hosted on AppSource. If hosted on AppSource, they must be formatted in HTML.

See Privacy policy and terms of use.

The App Version field must be numeric and formatted as x.x.x.x. The version number must increment with every update and match the app.json manifest.

For more information see Supported countries, languages, app version, and app release date.

1400.5 Technical requirements

Offers must meet all of the requirements in the technical validation checklist.

1400.6 Business Central version functionality

Your add-on apps must function and your data must upgrade to the current version of Business Central Online. Add-on updates require recertification which must be submitted with sufficient lead time prior to a Business Central Online update release.

1420 Dynamics 365 apps on Dataverse and Power Apps

The policies listed in this section apply only to Dynamics 365 apps on Dataverse and Power Apps offers.

1420.1 Value proposition and offer requirements

Any feature changes between updates must be reflected in the marketing materials submitted to the Marketplace.

1420.2 Acquisition, pricing, and terms

Offers must be listed as either Free, Trial, Contact Me, or ISV app license management.

1420.3 Content requirements

The Offer Description field must be in plain text or simple HTML format and must include the full product name.

1420.4 Functionality

Any feature changes between updates must be re-certified when the offer is re-submitted. The entire solution package must be submitted with each update to ensure dependency issues are covered. The version number must be incremented with each update.

1420.5 Technical requirements

Offers must support:

  • Dynamics 365 v9.1 or above
  • Unified Client Interface (UCI) (Model Driven Apps only)

Offers must only use publicly available APIs.

Submitted packages must contain all required artifacts for publication on the Marketplace.

The end-to-end (E2E) functional document must be updated with functional scenarios and the user/admin journey.

Commercial marketplace offers must be recertified within six months of their last successful publish.

1420.6 Code validation

Canvas apps and Common Data Services solutions will have their code validated to check for the following:

  • Static formula errors and warnings.
  • Runtime errors (may occur once the app is opened in Run mode to view).
  • Accessibility errors.

See App certification checklist.

1420.7 Deployment validation

Offers will be installed to a PowerApps Environment using Package Deployer to ensure that:

  • Canvas apps successfully connect through provided connectors.
  • All Common Data Service components (entities, web resources, plug-ins, and other components) are available.
  • All associated components are properly removed upon uninstall.

See App certification checklist.

1420.8 Functionality validation

Offers should include the E2E functional document. Video links may be emailed as an alternative.

1420.9 Security validation

Apps will be checked for:

  • Connections to external data sources or connections that require access. Proper connection details should be included in the E2E functional document.
  • External connections out of PowerApps connectors.

Custom code provided inside Package Deployer will be validated before offer approval and checked for retrieval of customer data from the target environment.

1420.10 Sitemap validation

Published app customizations must not change or remove any out of box (OOB) site map.

1440 Dynamics 365 Operations Apps

The policies listed in this section apply only to Dynamics 365 Operations Apps offers.

See Requirements for publishing apps on AppSource.

1440.1 Content requirements

The following requirements must be met in the offer listing:

  • The Offer Description field must be in HTML format and must include the full product name.
  • The Contact Email and Phone Number fields must have valid, working values.
  • The Storefront Details > App Choice field must be set to "Contact me".
  • The CAR file must be uploaded using the Technical Info > Validation asset(s) field.

1440.2 Technical requirements

Offers must support the most current version of Dynamics 365.

Commercial marketplace offers must be recertified within six months of their last successful publish.

1440.3 Code validation

Offers must be validated to verify that custom code meets Microsoft guidelines.

Before submission, publishers must:

  • Successfully create a CAR without any localization, accessibility, performance, or security issues.
  • Publish a solution package with all the required artifacts to LCS and create a solution identifier (GUID) for the solution.

1440.4 Deployment validation

Offers must be validated to verify that a solution package can be successfully bundled and delivered in a Microsoft Dynamics 365 for Finance and Operations environment.

Before submission, publishers must:

  • Reference best practice information in the Migrate and Create methodology section of LCS.
  • Successfully deploy at least one Finance and Operations environment without any errors.
    • The environment configuration must be the same as the partner's reference environment.
    • Partner-supplied master and reference data must be able to be successfully pushed into the Finance and Operations environment without any errors.

1440.5 Functionality validation

During the functionality demonstration:

  • A user must be able to sign in to the environment without any errors.
  • Business transactions must be able to be completed as defined in the package scope without any errors.

3000 Requirements for Co-sell Status Tiers

The policies listed in this section apply only to offers pursuing Co-sell status. Requirements are tiered: all 3000.1 Co-sell ready status requirements must be satisfied in order to be eligible for 3000.2 Azure IP co-sell incentive status.

3000.1 Co-sell ready status

Your offer must be listed on the commercial marketplace.

Your offer must include a complete set of collateral documents (bill of materials), including a solution/offer pitch deck and a solution/offer one-pager.

You must have a business profile in Partner Center.

Your offer must have a dedicated sales contact for each region (country or geographical area) in which you would like to be eligible to co-sell.

Services partners must have a gold competency in any competency class.

3000.2 Azure IP co-sell incentive status

Offers must be built on or built for Azure.

Azure Applications, Azure Containers, IoT Edge Modules, SaaS, and VMs must meet the following requirements:

  • Your organization must meet or exceed $100,000 USD of Azure consumed revenue over a trailing 12-month period, or your offer must have a cumulative marketplace billed revenue of $100,000 USD.
  • For SaaS offers: more than 50% of your offer's infrastructure must run on Azure.

3000.3 Azure IP Co-Sell Program Deal Registration

Referral eligibility for IP Co-sell for Azure requires having an incentive-eligible offer that meets the following requirements and registering the deal through Partner Center.

3000.3.1 Segmentation

Deals must be signed with an Enterprise or SMC-Corporate customer.

3000.3.2 Opportunity Age

The opportunity must be created by the partner (through Partner Center) or by Microsoft (through MSX) and, except for partner-led deals, shared before the contract sign date or marketplace transaction date.

3000.3.3 Solution Tagging

The Azure IP Co-Sell incentive tag must be added.

3000.3.4 Timeline

Completed deals must be registered within 60 days after signing.

3000.3.5 Contract Parameters

The input contract value must be based on the entirety of the contract, not the annualized value. The registered value of the offer should match the total contract value and currency agreed upon by you and your customer.

The deal must be at least $25,000 USD in annual revenue, including your products, licenses, and IP solution related services, and should exclude any trial component, EA, and hardware components.

Start and end dates are required for the contract duration. If the contract term is 6 or more years or there is no defined term or end date, the perpetual partner license should be selected.

4000 Microsoft 365 Application Compliance

M365 Certification requirements can be found on the M365 App Compliance page. Most requirements must be met for successful certification. If you are interested in applying for M365 Certification, please contact appcert@microsoft.com. If any significant changes happen after you receive certification, the team must be notified of the changes.

Once certified, information on M365 Certification for your application is available at https://aka.ms/appcertification.

Next steps

Visit the commercial marketplace publishing guide.

Return to the commercial marketplace policies and terms.