Automate Microsoft 365 Certification with ACAT
The App Compliance Automation Tool (ACAT) can be used to meet a specific set of required controls for Microsoft 365 Certification. This article outlines how to use ACAT to expedite the Microsoft 365 Certification.
Note
ACAT is currently in public preview and only supports apps built on Microsoft Azure and Amazon Web Services (AWS). Future updates will include functionality for apps built on other clouds.
Note
If you would like to provide feedback on the ACAT public preview, please complete this form. The ACAT product team will follow up with you as soon as possible after receiving your message.
ACAT gives added visibility into the compliance of an application via custom reporting. Users can create reports based on the cloud infrastructure or a specific environment of an app, for example, production, staging, etc.
- Search for and launch App Compliance Automation Tool for Microsoft 365 in the Azure portal.
- Select Reports on the left-hand side of the screen.
- Select Create new report to create your first compliance report.
- Basics
  - Report name: The compliance report must have a name that is unique within the tenant, consisting of numbers, letters, and underscores. It's advisable to include the app name or environment name in the report's name.
  - Trigger time: ACAT refreshes the compliance assessments for the report daily; you can set the time of day, in a designated timezone, at which the refresh runs.
  - Resources: Define the compliance boundary for your report by selecting resources from your cloud infrastructure. Use the filters to find the right resources: subscription, resource group, tags, and more for Azure; account ID and resource type for AWS.
Tip
You need to create a new connection with AWS, or reuse an existing one, before selecting AWS resources for the report.
- Microsoft 365 Certification
  - Offer GUID: The offer GUID is the unique identifier of a marketplace offer in Microsoft Partner Center, and it's the key that links the compliance report to your marketplace offers. Once linked, the compliance report can be used to expedite the Microsoft 365 Certification process for those offers in Partner Center. Select Learn more to find out how to obtain your app's offer GUID. This step is optional during initial report creation and can be configured when you start publishing your app.
Note
After confirming the configuration and creating the compliance report, ACAT will also complete these actions automatically to collect compliance-related data:
- Enable the Microsoft Defender for Cloud (free tier) and Automation service (free) for your subscription.
- Enable custom policies for your subscription.
Note
Kindly allow 24 hours for ACAT to generate the initial compliance assessments for your report based on your specified preferences.
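As an added example (not ACAT's own code and not part of this article), the Python script below pre-validates the values entered on the Basics and Microsoft 365 Certification tabs before a report is created. The report-name rule and the fact that the offer GUID is optional until publishing come from the steps above; the Azure resource ID and AWS ARN formats, the HH:MM trigger-time string, and the configuration dictionary shape are this example's own assumptions. The next_trigger function also shows how a daily refresh time in a designated timezone maps onto an absolute next run, which is what the Last trigger time and Next trigger time fields report later.

```python
import re
from datetime import datetime, time, timedelta, timezone, tzinfo

# Report name: letters, digits and underscores only (rule stated on the page).
_NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")
# Offer GUID: assumed to be a standard 8-4-4-4-12 hex GUID.
_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Resource identifiers: canonical ARM resource ID for Azure and an ARN for AWS.
# Both formats are this example's assumption; the page only says that Azure
# resources are filtered by subscription/resource group/tags and AWS resources
# by account ID and type.
_AZURE_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/[^/]+/.+$")
_AWS_RE = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")


def validate_report_name(name: str) -> bool:
    """True when the name uses only letters, digits and underscores."""
    return bool(_NAME_RE.match(name))


def classify_resource(resource_id: str) -> str:
    """Return 'azure', 'aws' or 'unknown' for a resource identifier."""
    if _AZURE_RE.match(resource_id):
        return "azure"
    if _AWS_RE.match(resource_id):
        return "aws"
    return "unknown"


def next_trigger(trigger_hhmm: str, tz: tzinfo, now: datetime) -> datetime:
    """Next daily refresh at the configured wall-clock time in the report's timezone.

    The arithmetic is done in the report timezone, so the refresh keeps its
    wall-clock time across a DST change instead of drifting by an hour.
    """
    hour, minute = (int(part) for part in trigger_hhmm.split(":"))
    local_now = now.astimezone(tz)
    candidate = datetime.combine(local_now.date(), time(hour, minute), tzinfo=tz)
    if candidate <= local_now:
        candidate = datetime.combine(
            local_now.date() + timedelta(days=1), time(hour, minute), tzinfo=tz)
    return candidate


def validate_report(config: dict) -> list[str]:
    """Return the problems found in a report configuration; empty means acceptable.

    `config` is this example's own dictionary shape: name, trigger_time ("HH:MM"),
    resources (list of IDs), aws_connected (bool) and an optional offer_guid.
    """
    problems = []
    if not validate_report_name(config.get("name", "")):
        problems.append("report name must contain only letters, digits and underscores")
    try:
        next_trigger(config.get("trigger_time", ""), timezone.utc, datetime.now(timezone.utc))
    except ValueError:
        problems.append("trigger time must be HH:MM")
    resources = config.get("resources", [])
    if not resources:
        problems.append("select at least one resource to define the compliance boundary")
    for rid in resources:
        kind = classify_resource(rid)
        if kind == "unknown":
            problems.append(f"unrecognised resource identifier: {rid}")
        elif kind == "aws" and not config.get("aws_connected", False):
            problems.append(f"AWS resource selected but no AWS connection exists: {rid}")
    offer_guid = config.get("offer_guid")
    if offer_guid is not None and not _GUID_RE.match(offer_guid):
        problems.append("offer GUID is not a valid GUID (optional until you publish)")
    return problems


def demo_next_trigger() -> str:
    """Constructed scenario: refresh at 09:30 in UTC+8, checked at 10:00 local time."""
    tz = timezone(timedelta(hours=8))
    now = datetime(2024, 3, 1, 10, 0, tzinfo=tz)
    return next_trigger("09:30", tz, now).isoformat()


if __name__ == "__main__":
    sample = {  # constructed sample configuration
        "name": "contoso_prod",
        "trigger_time": "09:30",
        "resources": [
            "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg1"
            "/providers/Microsoft.Storage/storageAccounts/contososa",
            "arn:aws:s3:::contoso-bucket",
        ],
        "aws_connected": False,
        "offer_guid": "not-a-guid",
    }
    for problem in validate_report(sample):
        print("-", problem)
    print("next refresh:", demo_next_trigger())
```

Running the script as-is reports the missing AWS connection and the malformed offer GUID for the constructed sample, and prints the next refresh instant; in practice you would feed it the values you intend to enter in the portal, or the body of an automated report creation, before the daily trigger is relied on.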
Review the run-time status of the compliance reports and conduct audits on compliance assessments.
Go to Reports on the left for a summary of existing compliance reports.
- Run-time status shows the status of the most recent update of the compliance assessments:
  - Active: The compliance assessments for this report have been successfully updated.
  - Failed: ACAT failed to update the compliance assessments during the most recent refresh. Failures may stem from an incorrect subscription configuration or a system issue with ACAT. Refer to the self-recovery guidance provided to address and resolve the issue.
  - Disabled: The compliance report has been disabled (paused) manually by the user. This feature isn't currently enabled in public preview.
- Created At: Shows when the compliance report was created.
- Last trigger time and Next trigger time: ACAT updates compliance assessments for reports daily. The Last trigger time is when the most recent update was initiated, and the Next trigger time is when the next update is scheduled.
- Microsoft 365 Certification: Review the compliance status of the controls specific to Microsoft 365 Certification.
In addition to accessing high-level summaries of existing compliance reports, you can delve into the details of each compliance assessment. Select the report name to retrieve specific assessment details for a more thorough audit.
ACAT provides a toolbar that allows you to perform the following actions:
Settings: Modify the configuration of the compliance report.
- Edit basic information: Edit the basic configuration of the report.
- Edit resources: Add or remove resources based on the current cloud infrastructure.
- Edit application configuration: Edit the application configuration to align your report with the appropriate control set. ACAT may adjust the default status of certain controls based on your configuration; for example, some controls may be set to 'N/A' status by default.
- Edit Microsoft 365 Certification configuration: Configure offer GUIDs to associate the report with marketplace offers in Microsoft Partner Center.
- Config evidence repository: Configure the evidence repository to store uploaded evidence.
Download report: Download assessments of the compliance report that can be shared with partners for collaboration.
- Assessment report for Microsoft 365 Certification review (Analyst Edition): This PDF report organizes the compliance assessments by Microsoft 365 Certification controls. If you choose the ACAT compliance report during the Initial Document phase of App Compliance in Partner Center, it's automatically delivered to the analyst for review. Additionally, you have the option to download and manually upload it as evidence if needed.
- Assessment report for engineer collaboration: This PDF report organizes the compliance assessments with internal information based on Microsoft Certification controls. It's utilized for internal team collaboration during compliance audits.
- Assessment report for engineer collaboration: This Excel report contains resource level information and corresponding compliance assessments for internal team collaboration during compliance audits.
- Cloud infrastructure inventory: This Excel report contains the resource details of this compliance report, providing a comprehensive description of the cloud inventory associated with your application.
Notifications: Get notifications of the compliance report settings change or control assessments status change. Learn more about how to receive notifications via webhook.
Integration with CI/CD pipeline: ACAT empowers you to maintain continuous and automated compliance for your application by seamlessly integrating with CI/CD pipelines. Learn more about how to integrate with GitHub Actions pipeline and how to integrate with other pipelines with REST APIs.
How to submit certification request with ACAT: Perform a rapid validation to check whether this report is certification-ready and receive guidance on how to use it for certification in Partner Center.
View Architecture Diagram (preview): ACAT generates the architecture diagram for your reference based on Azure Resource Graph data.
ACAT empowers you to delve into more details about the report and compliance assessments.
Essentials indicates the status and the settings of the compliance report.
Control assessments - Microsoft 365 Certification view
- Control assessments are organized by Microsoft 365 Certification security domains, control families and controls.
- You can review the compliance status by customer responsibility at the individual control level.
- Within the customer responsibility section, choose 'Actions' to access the compliance status of associated resources and discover remediation steps for any failed resources.
- Use search and filters to find specific controls based on your needs.
  - Search the controls by control name or customer responsibility name.
  - Use Control family to filter by security domain or control family.
  - Use Control status to filter for current compliance failures.
  - Use Customer responsibility type to filter by ACAT automated CR type.
  - Use Cloud environment to filter the customer responsibilities for a specific cloud environment.
- Learn more about compliance status for the control and customer responsibility.
The Microsoft 365 Certification features an appropriate control set depending on the application configuration. You need to complete the application configuration to align your report with the appropriate control set before auditing the compliance assessments.
If you don't complete the application configuration for the report, it results in a warning message displayed in the corresponding customer responsibility, guiding you to the application configuration settings.
You can also edit the application configuration setting from the Settings option on the report toolbar.
In addition to following the remediation steps to address compliance failures, you can also fulfill compliance requirements by uploading evidence for your own solution.
To address privacy concerns, you need to configure the evidence repository initially. Create or select the storage account to store evidence for Microsoft 365 Certification controls securely. Once created, the storage account can be used for all reports.
If you don't configure the evidence repository, selecting Actions for any customer responsibility shows a warning message in the Upload evidence section that guides you to the corresponding report settings. You can also edit the evidence repository setting from the Settings option on the report toolbar.
After configuring the evidence repository, if you wish to fulfill manual control requirements or meet control criteria with your own solution, you can upload evidence to the respective customer responsibility. After uploading evidence to a customer responsibility, its compliance status will change to 'App compliance review required' automatically.
- Select Actions on the customer responsibility.
- Expand the Upload evidence area.
- Browse and upload your local evidence files.
- Submit the evidence files to store them in the evidence repository.
For automated evidence collection customer responsibilities, if ACAT identifies supported resources in the resource list of your ACAT report, you don’t need to prepare evidence manually. Instead, ACAT can summarize the compliance data into an ACAT evidence file and upload it to your evidence repository.
- Select an automated evidence collection customer responsibility.
- Select Actions on the customer responsibility.
- Expand the Remediation steps area and review the supported resource types that can be collected as evidence.
- Expand the Upload evidence area and select the Collect evidence by ACAT button. After evidence collection, the ACAT-collected evidence appears in the file list below.
- Review the ACAT-collected evidence and upload more evidence if necessary.
Note
For different customer responsibilities, ACAT can collect evidence for different types of resources. However, if ACAT doesn't identify any supported resources in your report, you need to manually prepare and upload the compliance evidence to ACAT. For more detailed instructions, refer to the Remediation steps section for each customer responsibility action.
Caution
Due to privacy considerations, ACAT cannot automatically refresh the collected evidence. If the target resource changes after evidence has been collected, review the affected customer responsibilities and select the Collect evidence by ACAT button again to update the evidence gathered by ACAT.
On the report toolbar, selecting How to submit certification request with ACAT guides you through the entire journey from ACAT to Microsoft 365 Certification.
In general, before using the compliance report with Microsoft 365 Certification, you need to configure the offer GUID to associate it with your marketplace offers. There are two options:
- During the creation of the compliance report, configure the offer GUID in the Microsoft 365 Certification tab.
- If the compliance report is already created, go to the Settings of this compliance report to configure the offer GUID.
Once the offer GUID is configured, go to the Microsoft Partner Center to initiate Microsoft 365 Certification.
- In Initial Documentation, select Yes to confirm you're using ACAT.
- Select the most up-to-date active compliance report for the audit.
Microsoft 365 Certification submits the compliance assessments and your uploaded evidence to the certification auditors automatically, saving you time and effort.
Note
You can only use an active compliance report for Microsoft 365 Certification review. So, when selecting a compliance report in Partner Center during the Microsoft 365 Certification process, if the expected report isn't in the list, check the run-time status of the report.
Note
If you already uploaded evidence to the customer responsibilities, when you move to the Control Requirements phase of Microsoft 365 Certification, ACAT delivers the uploaded evidence to the analyst for review automatically.
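The toolbar's How to submit certification request with ACAT action performs a readiness validation, and the CI/CD pipeline integration described earlier exposes the same report through REST APIs. The Python script below is an added example (not ACAT's or Partner Center's code) that applies this article's preconditions as a pipeline gate: only an Active report can be selected in Partner Center, an offer GUID must be configured, the application configuration must be completed, and failed customer responsibilities should be remediated first, while responsibilities in 'App compliance review required' status are reported without blocking. The resource provider path Microsoft.AppComplianceAutomation in the URL is an assumption and the api-version is a placeholder; the JSON shape (runtimeStatus, offerGuids, applicationConfigurationCompleted, controls) is this example's own simplified model rather than ACAT's schema, so constructed_report builds constructed payloads for offline use.

```python
import json
import sys
import urllib.request

# Assumed endpoint: ACAT reports are assumed to live under the
# Microsoft.AppComplianceAutomation resource provider; the api-version is a
# placeholder to be replaced with the version documented for the REST API.
ACAT_REPORT_URL = (
    "https://management.azure.com/providers/Microsoft.AppComplianceAutomation"
    "/reports/{name}?api-version=<API_VERSION_PLACEHOLDER>"
)

# Status values named in the article.
USABLE_RUNTIME_STATUS = "Active"                     # only Active reports are selectable
FAILED = "Failed"
REVIEW_REQUIRED = "App compliance review required"   # set after evidence is uploaded


def fetch_report(name: str, bearer_token: str) -> dict:
    """Download the report JSON with an Azure access token (not exercised offline)."""
    request = urllib.request.Request(
        ACAT_REPORT_URL.format(name=name),
        headers={"Authorization": f"Bearer {bearer_token}"},
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def readiness_check(report: dict) -> tuple[bool, list[str]]:
    """Apply the article's preconditions for using a report in Partner Center.

    Blocking: run-time status other than Active, no offer GUID, application
    configuration not completed, any customer responsibility still Failed.
    Informational: responsibilities awaiting analyst review after an evidence upload.
    Returns (ready, findings).
    """
    findings: list[str] = []
    blocking = False
    status = report.get("runtimeStatus")
    if status != USABLE_RUNTIME_STATUS:
        findings.append(f"run-time status is {status!r}; only Active reports are selectable in Partner Center")
        blocking = True
    if not report.get("offerGuids"):
        findings.append("no offer GUID configured; set it under Settings before submitting")
        blocking = True
    if not report.get("applicationConfigurationCompleted", False):
        findings.append("application configuration incomplete; the control set may not match the app")
        blocking = True
    for control in report.get("controls", []):
        for cr in control.get("customerResponsibilities", []):
            label = f"{control['id']} / {cr['name']}"
            if cr.get("status") == FAILED:
                findings.append(f"{label}: failed; follow the remediation steps under Actions")
                blocking = True
            elif cr.get("status") == REVIEW_REQUIRED:
                findings.append(f"{label}: evidence uploaded, awaiting analyst review")
    return (not blocking, findings)


def constructed_report(runtime_status: str, offer_guids: list[str],
                       cr_statuses: list[str], app_config_done: bool = True) -> dict:
    """Build a payload in this example's own shape (constructed test data)."""
    controls = [
        {"id": f"CTRL-{i + 1}",
         "customerResponsibilities": [{"name": f"CR-{i + 1}", "status": status}]}
        for i, status in enumerate(cr_statuses)
    ]
    return {
        "runtimeStatus": runtime_status,
        "offerGuids": offer_guids,
        "applicationConfigurationCompleted": app_config_done,
        "controls": controls,
    }


def main() -> int:
    """CI entry point: exit non-zero when the report is not certification-ready."""
    # Offline demonstration on constructed data; a pipeline would call
    # fetch_report(name, token) here instead.
    report = constructed_report("Active", ["00000000-0000-0000-0000-000000000000"],
                                ["Passed", "Failed", REVIEW_REQUIRED])
    ready, findings = readiness_check(report)
    for finding in findings:
        print("-", finding)
    print("certification-ready" if ready else "not certification-ready")
    return 0 if ready else 1


if __name__ == "__main__":
    sys.exit(main())
```

Because the gate reads the same run-time status the Reports page shows, a report whose daily refresh has failed is rejected before anyone looks for it in Partner Center, which is the situation the note above describes.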
Overview provides a high level status for your compliance reports. Learn more about run-time status of compliance report.
- Active Regulatory Compliance Reports: This overview gives you the compliance status for each Active report.
Besides Azure, you can also connect other environments to ACAT: for example, connect AWS for an application built on both Azure and AWS, or connect GitHub to enable ACAT to collect evidence automatically. ACAT leads you to Microsoft Defender for Cloud to complete the connection.
- Go to Environment settings on the left to browse all existing connections.
- Select Add environment and then choose Amazon Web Services to create a connector with AWS. You can also learn more from Connect AWS accounts to Microsoft Defender for Cloud.
- Once this connector is ready, you can select AWS resources when creating the compliance report.