App Compliance Automation Tool for Microsoft 365
In this article, you learn what the App Compliance Automation Tool for Microsoft 365 (ACAT) is, and how it simplifies compliance and obtaining the Microsoft 365 Certification.
Note
ACAT is currently in public preview and only supports apps built on Azure. In the future, it will also support applications built on other clouds or mix of different clouds.
Note
If you would like to provide feedback to ACAT public preview, please complete this form. The ACAT product team will follow up with you as soon as possible once we get your messages.
What is App Compliance Automation Tool for Microsoft 365
App Compliance Automation Tool for Microsoft 365 (ACAT) is a service in Azure portal that helps simplify the compliance journey for any app that consumes Microsoft 365 customer data and is published via Partner Center. It's an application-centric compliance automation tool that helps you complete Microsoft 365 Certification with greater ease and convenience. In Public Preview, ACAT is available to apps running on Azure.
With this tool, you'll quickly be able to define the compliance boundary for your applications, monitor the compliance results automatically, and complete the compliance audit more easily. The compliance boundary is the cloud infrastructure that supports delivery of the app and any backend systems that the app may be communicating with.
In addition to providing a faster track towards Microsoft 365 Certification, ACAT can help you in various compliance scenarios for Microsoft 365 applications:
- Detailed view and remediation steps for Microsoft 365 Certification responsibilities.
- Automatic daily reports to help you get compliance results continuously.
- Security and compliance best practices that can be used as guidance in the early phase of your application lifecycle.
Benefits of ACAT
Application-centric compliance journey.
- ACAT reports compliance assessments for the cloud environment of your applications, which you can integrate with your current cloud infrastructure compliance strategy.
- Developers can invoke ACAT even during the app development phase.
Accelerates the process of getting Microsoft 365 certified.
- ACAT fully automates certain Microsoft 365 Certification controls.
- There's a continuously growing automation list that is actively being developed by Microsoft.
Native integration with Microsoft 365 Certification workflow.
- ACAT is fully integrated with Partner Center for Microsoft 365 Certification purpose.
Keep your application or environment compliant continuously.
- ACAT ensures daily updates of compliance assessments, tailoring them to your specified trigger time setting.
- ACAT empowers you to seamlessly integrate compliance assessments into GitHub Actions or other CI/CD pipelines, ensuring continuous monitoring.
Concepts of ACAT
Regulatory Compliance Report
In ACAT, you can audit the application's compliance status by creating a compliance report for it. You can define the compliance boundary for your application by specifying the Azure resources that build the application. Create multiple reports for one application, based on different development environments and stages.
Once the report is created, ACAT starts to gather the compliance data on your predefined trigger time, and then generate the compliance results as a report for you. Meanwhile, ACAT keeps monitoring the compliance changes for your compliance report continuously, until you choose to delete the report.
Microsoft 365 Certification control
ACAT expediting the Microsoft 365 Certification by automating the compliance controls. Based on the automation status, there are three types of compliance controls defined in ACAT.
- Fully automated control: The Microsoft certification control is fully automated by ACAT.
- Partial automated manual control: ACAT could automate partial responsibilities of the Microsoft 365 Certification control. You need to follow the instructions provided by ACAT to complete the remaining responsibilities.
- Fully manual control: You need to follow the instructions provided by ACAT to complete all responsibilities.
In long term, ACAT improves the automation coverage of Microsoft 365 Certification controls continuously.
Customer responsibility
There's a set of customer responsibilities associated with each control that need to be satisfied. They're responsibilities retained by you in the following areas: data, endpoints, account, access management, etc.
ACAT collects data for each customer responsibility and returns an assessment result for it. It also provides you with a remediation action, which is our guidance that helps you align with Microsoft 365 Certification standards.
Understand the compliance status of the Microsoft 365 certification controls
In the Regulatory Compliance Report, ACAT defines customer responsibilities for each fully automated control and partial automated manual control. There are two compliance statuses for the customer responsibility.
- Passed: The cloud resources applicable for this customer responsibility are healthy.
- Failed: There is at least one cloud resource unhealthy. You could follow the remediation steps to resolve the unhealthy resources.
- N/A: No cloud resources are applicable to customer responsibility, or this customer responsibility is deemed inapplicable based on the application configuration for this report.
- App compliance review required: You manually gather evidence and upload it to this customer responsibility. An analyst will conduct a thorough review after you submit the Microsoft 365 Certification request in Microsoft Partner Network.
The compliance statuses of Microsoft 365 Certification controls rely on the compliance statuses of customer responsibilities.
- Passed: No customer responsibility is in the 'Failed' or 'App compliance review required' status for this Microsoft 365 Certification control.
- Failed: At least one customer responsibility has failed in relation to this Microsoft 365 Certification control.
- N/A: All customer responsibilities for this Microsoft 365 Certification control are in the 'N/A' status.
- App compliance review required: At least one customer responsibility is in 'App compliance review required' status. An analyst will conduct a thorough review after you submit the Microsoft 365 Certification request in Microsoft Partner Network.
FAQ
What are manual controls and partially automated controls?
Each compliance control is linked to a specific set of customer responsibilities, with ACAT collecting compliance data accordingly. It's important to note that, now, ACAT doesn't cover all controls for Microsoft 365 Certification (although efforts are underway to expand coverage). In the case of partially automated controls, ACAT automates specific aspects of customer responsibilities. The assessment outcomes from a partially automated control contribute to the Microsoft 365 Certification audit, and further actions are needed on your part to fulfill any remaining requirements. However, for manual controls, ACAT currently doesn't automate any customer responsibilities.
How can I know whether the control is fully automated?
ACAT continuously enhances control automation. Here's the current status of control automation.
| Security Domain | Control Family | Control Number | ACAT Automation Status |
|---|---|---|---|
| Operational Security | Awareness Training | Control 1 | Manual |
| Operational Security | Malware Protection - Anti-Virus | Control 2 | Fully Automated |
| Operational Security | Malware Protection - Application Control | Control 3 | Manual |
| Operational Security | Patch Management - Patching & Risk Ranking | Control 4 | Manual |
| Operational Security | Patch Management - Patching & Risk Ranking | Control 5 | Manual |
| Operational Security | Vulnerability Scanning | Control 6 | Fully Automated |
| Operational Security | Vulnerability Scanning | Control 7 | Fully Automated |
| Operational Security | Network Security Controls (NSC) | Control 8 | Partial Automated |
| Operational Security | Network Security Controls (NSC) | Control 9 | Partial Automated |
| Operational Security | Change Control | Control 10 | Manual |
| Operational Security | Change Control | Control 11 | Manual |
| Operational Security | Secure Software Development/Deployment | Control 12 | Manual |
| Operational Security | Secure Software Development/Deployment | Control 13 | Manual |
| Operational Security | Account Management | Control 14 | Partial Automated |
| Operational Security | Account Management | Control 15 | Manual |
| Operational Security | Account Management | Control 16 | Manual |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 17 | Partial Automated |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 18 | Fully Automated |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 19 | Manual |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 20 | Manual |
| Operational Security | Information Security Risk Management | Control 21 | Manual |
| Operational Security | Information Security Risk Management | Control 22 | Manual |
| Operational Security | Information Security Risk Management | Control 23 | Manual |
| Operational Security | Information Security Risk Management | Control 24 | Manual |
| Operational Security | Security Incident Response | Control 25 | Manual |
| Operational Security | Security Incident Response | Control 26 | Manual |
| Operational Security | Security Incident Response | Control 27 | Manual |
| Operational Security | Business Continuity Plan (BCP) and Disaster Recovery Plan | Control 28 | Manual |
| Operational Security | Business Continuity Plan (BCP) and Disaster Recovery Plan | Control 29 | Manual |
| Operational Security | Business Continuity Plan (BCP) and Disaster Recovery Plan | Control 30 | Manual |
| Data Handling Security & Privacy | Data in Transit | Control 1 | Fully Automated |
| Data Handling Security & Privacy | Data in Transit | Control 2 | Manual |
| Data Handling Security & Privacy | Data At Rest | Control 3 | Fully Automated |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 4 | Manual |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 5 | Manual |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 6 | Manual |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 7 | Manual |
| Data Handling Security & Privacy | Data Access Management | Control 8 | Manual |
| Data Handling Security & Privacy | Data Access Management | Control 9 | Manual |
| Data Handling Security & Privacy | Privacy | Control 10 | Manual |
| Data Handling Security & Privacy | Privacy | Control 11 | Manual |
| Data Handling Security & Privacy | GDPR | Control 12 | Manual |
| Data Handling Security & Privacy | GDPR | Control 13 | Manual |
| Data Handling Security & Privacy | HIPAA | Control 14 | Manual |
| Data Handling Security & Privacy | HIPAA | Control 15 | Manual |
I made the suggested changes base on the remediation suggestion, yet the control is still failing
After taking corrective action to address the failure, please allow ACAT time to retrieve updated assessment results for control status. Assessments are conducted every 24 hours, according to your predetermined trigger time.
How is the compliance report used in the certification process?
ACAT is seamlessly integrated with Partner Center to complete your Microsoft 365 Certification journey. Learn more about how to use compliance report to accelerate Microsoft 365 Certification