What is Microsoft 365 Certification?
The Microsoft 365 Certification is a certification designed to show customers that an app has been vetted against controls derived from leading industry standard frameworks, and that strong security and compliance practices are in place to protect customer data. The Microsoft 365 Certification has two phases: Attestation and Certification.
The attestation phase centers on an extensive questionnaire detailing an app's security, data handling, and compliance attributes. The information provided by ISVs cover the entire app functionality that is exposed when the app is activated in an organization's Microsoft 365 platform and includes the following:
- Data Handling: How an app collects and stores organizational data, and what control an organization has over that data
- Security: The protocols, processes, and procedures that an app has to protect data and detect and repel cyber-attacks
- Compliance: The app's adherence to required industry standards and specifications
- Privacy: The app's adherence to pertinent, applicable privacy practices
- Identity: the app's adherence to identity management and access control practices
The certification phase is centered around a thorough security audit of the app and it's supporting infrastructure. The app will be vetted against a series of security controls derived from leading industry standard frameworks such as SOC 2, PCI DSS, and ISO 27001. If you have already received a SOC 2, PCI DSS, or ISO 27001 certification for your app we encourage you to share those reports. They are not required, but can be used to satisfy a subset of the controls without additional evidence. If you do not have external certifications then we do require that you provide us with clear evidence (documents, screenshots, etc.) that demonstrates you meet all the required controls. Apps that are awarded a certification have demonstrated that strong security and compliance practices are in place to protect customer data.
Microsoft is currently covering the entire cost of the certification audit provided the ISV can submit all the required evidence.
App certification is achieved through a qualified analyst's review and approval of a comprehensive assessment centering on an app's security and compliance frameworks, processes, and procedures.
Apps that have been certified have been assessed across the following three domains:
Although participation is optional, when an app gets certified it’s signaling that it has undergone an intensive security review and can be trusted with customer data. For complete details on the rigorous process ISVs must go through to become certified. See Microsoft 365 Certification Submission Guide.
Microsoft 365 Certification Scope
Microsoft 365 Certification applies to all apps that integrate with the following Microsoft products:
- Webapps (SaaS apps published through commercial marketplace in Partner Center are currently in a private preview, if you are interested in participating please fill out this form.
Participation and completion of Microsoft 365 Certification can provide immense benefits for IT admins and developers:
App Developer Benefits
- FREE assessment - There is no monetary cost to ISV to achieve a Microsoft 365 Certification
- Increased exposure - the Microsoft 365 Certification badge printed on your apps listing in in Marketplaces (AppSource, Teams, Office), Admin portals (Teams, M365), and Microsoft Docs
- Time savings - Reduced time spent alleviating customers security concerns during RFP process
- Marketing materials - Free marketing kit to promote your status as a Microsoft 365 certified app
- Promotion campaigns - The opportunity to be highlighted at Microsoft events such as Build and Ignite
IT Admin Benefits
- Time savings - View the app's Microsoft Docs page and reduce time and resources spent investigating security and compliance of an app
- Increased confidence - Certified apps have taken steps to protect your data
- Trusted signal - The Microsoft 365 Certification badge offers an easy way to distinguish apps that are trustworthy
Using the Microsoft 365 Badge and associated marketing materials
The Microsoft 365 Certification logo demonstrates that an app has been reviewed for conformance to controls put forth by Microsoft which meticulously evaluate data security and privacy practices. You may use the Microsoft 365 Certification logo at the express written consent of Microsoft upon completion of the Microsoft 365 Certification. If your certification is revoked, or the recertification process is not started within one year from the day the certification was awarded, you must discontinue use of all Microsoft 365 Certification related marketing materials.
This logo can be used on websites, press releases, and other forums where it pertains specifically to the application which has completed the Microsoft 365 Certification process. The logo must be presented in a reasonable size and location within the digital content.
The following statement must accompany the logo: “Apps with the Microsoft 365 Certification logo represents that this app has achieved Microsoft 365 Certification. In addition to app security, this program reviews the practices and procedures the app publisher employs. While customer data is under control of the app publisher, you can rest assured that Microsoft has validated that the app will handle it in a safe and secure manner.”