Publisher Attestation FAQ

The link to a homepage for the company or application.

This is pre-populated data from your app service information. Please update it as needed.

Describe the core functionality of your app in 500 characters or fewer.

This is pre-populated data from your app service information. Please update it as needed.

Select the country or region where your company is headquartered.

This is needed as it relates to data handling practices and regulations for different countries/regions.

Does the app have an info page?

App info gives an overview of what the application can do.

The link to a page outlining more information about the application, where the user can learn more about it. If you don't have such a page, mark No.

What is the hosting environment or service model used to run your app?

The hosting environment of the backend services or code repositories will be in scope for the Microsoft 365 Certification. Please identify the hosting type; IaaS = Infrastructure as a Service, PaaS/Serverless = Platform as a Service, ISV hosted = The hosting environment is owned and/or operated by yourself (i.e. your own data centers or co-location in a third-party data center), Hybrid = The environment can be made up of multiple hosting types (i.e. ISV Hosted and PaaS).

Which hosting cloud providers does the app use?

Examples include: Microsoft Azure, Amazon AWS, Google... This could also include unique solutions to your company.

Does the app or underlying infrastructure process any data relating to a Microsoft customer or their device?

If your app processes or stores any Microsoft customer data such as ANY data consumed from Microsoft resource endpoints such as Microsoft Graph or the customer tenant, select yes. If not, select no.

What data is collected or processed by your app?

Provide specific types of data that are processed by your app such as User Profile Data, User Mail Data, etc.

Does the app support TLS 1.1 or higher?

Transport Layer Security (TLS) 1.1 or higher is a security protocol for establishing encrypted channels over computer networks. Using TLS helps prevent both eavesdropping and man-in-the-middle attacks. To provide best-in-class encryption to our customers, does your app support TLS 1.1 or higher?

Does the app or underlying infrastructure store any Microsoft customer data?

If your app processes or stores any Microsoft customer data, such as ANY data consumed from Microsoft resource endpoints such as Microsoft Graph or the customer tenant, select yes. If not, select no.

What data is stored in your databases?

Provide specific types of data stored in your database, such as User Profile Data, User Mail Data, or tenant information like tenant ID and user communication ID.

If underlying infrastructure processes or stores Microsoft customer data, where is this data geographically stored?

Specify the region where the Microsoft customer data will be stored. Ex. Germany, Japan.

Do you have an established data retention and disposal process?

When a customer requests that their data be deleted or unsubscribes, does your organization follow strict standards for storing or deleting that data?

How long do you maintain user data after account termination?

Mention the time period for which customer information is stored after the customer has left your service.

Do you have an established process to manage all access to customer data, encryption keys/secrets?

Encryption is an essential security tool because it restricts access; Key Vault enables applications and users to store and use several types of secret/key data. Is all access to customer data and encryption keys/secrets logged, collected, analyzed, and managed? This information is needed as it relates to data handling and security practices.

Does the app transfer any Microsoft customer data or customer content to third parties or sub-processors?

Customer data can be an employee user name or ID, location information of a person, a user-specific IP address, etc. If your organization transfers any Microsoft customer data or customer content to third parties or sub-processors, select yes. If not, select no.

Do you have data sharing agreements with any third-party service you share Microsoft customer data with?

Third-party service could be call centre, BPO, data entry, etc. If you have an agreement to share Microsoft customer data with any of those third-party services, then select yes. If not, select no.

Security

Do you perform annual penetration testing on the app?

Penetration testing, also called pen testing, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.

Does the service have a documented disaster recovery plan, including a backup and restore strategy?

If your organization has a formal disaster recovery (DR) plan document containing detailed instructions on how to respond to unplanned incidents such as natural disasters, power outages, cyber attacks, and other disruptive events, then select yes. If not, select no.

Does your environment use traditional anti-malware protection or application controls?

Anti-malware offers a proactive solution against newer, more innovative viruses that antivirus software isn't equipped to handle. Application controls are controls over the input, processing, and output functions. Select the appropriate option.

Do you have an established process for identifying and risk-ranking security vulnerabilities?

This information is needed as it relates to security practices.

Do you have a policy that governs your service level agreement (SLA) for applying patches?

Whenever you subscribe to antivirus, firewall, or antispyware protection, you need to continually update your system files to pick up the changes, improvements, or new parameters that help your computer detect and remove such viruses. These updates are called security patches. If you have a policy that governs your service level agreement (SLA) for applying patches, then select yes. If not, select no.

Can the bot access personal identifiable information (PII)?

PII is any data that can be used to identify a particular person. Ex. Name, email address.

Add justification for accessing PII.

Examples can be found on our Microsoft Docs page: click on an app, then click on Data Handling to see examples of other justifications for data access via bots.

What PII is being stored?

Personal Identifiable Information (PII) is any data that can be used to identify a particular person. Ex. Name, email address.

Add justification for storing PII.

Why does personal identifiable information need to be stored?

List any organizational identifiable information (OII) the app collects through these APIs.

OII is any data that can be used to identify an organization/tenant. Ex. Tenant ID or IP address, tenant usage data, tenant domain name in email address (joe@contoso.com).

What types of OII will the app store?

Organizational identifiable information (OII) is any data that can be used to identify an organization/tenant. Ex. Tenant ID or IP address, tenant usage data, tenant domain name in email address (joe@contoso.com).

Add justification for storing OII.

Why does Organizational identifiable information need to be stored?

Do you transfer or share end-user identifiable information (EUII) or OII with non-Microsoft services?

EUII is any data that can be used to identify customer data. Ex. Employee user name or ID, location information of a person, user-specific IP address.

List all non-Microsoft services you transfer OII to.

Ex. Google Cloud, AWS

Describe how an organization's administrators can control their information in partner systems.

Ex. Encryption, 2FA

Can users classify data within the app?

Ex. Restricted, Confidential, Internal, Public

Multifactor authentication

Multi-Factor Authentication (MFA) is a security system that verifies a user's identity by requiring multiple credentials. Rather than just asking for a username and password, MFA requires other, additional credentials, such as a code from the user's smartphone, the answer to a security question, a fingerprint, or facial recognition.

Restriction of specific IP addresses?

IP restriction settings are used to limit or give access to which IPs can access specific resources within the service. For apps that support IP restriction, an organization administrator can limit which IP addresses any user in the organization can use to access the system through the user interface or APIs.

Audit trails per user account

Audit trails are electronic records that chronologically catalog events or procedures to provide support, documentation, and history, and that are used to authenticate security and operational actions or to mitigate challenges. A user audit trail includes information about user activities such as login attempts, accessing files, etc.

Admin audit trails in the app

An admin audit trail includes administrator activities such as granting new permissions, changing configurations, API calls, etc.

Data audit trails in the app

A data audit trail includes database change activity, such as when an attribute was last modified, what the previous value of the record was, and who modified it.

Do you have password policies for your app?

Ex. minimum password length, character combination, disallowing reuse of old passwords, disallowing use of personal information (such as name, email, etc.), enforcing password renewal after a certain time period.

Does the app support the Security Assertion Markup Language (SAML) standard for exchanging authentication?

Security Assertion Markup Language - SAML - is an open standard for exchanging authentication and authorization data between parties, specifically between an identity provider and a service provider.

Do you perform penetration testing to detect and assess network vulnerabilities for your app and its associated services?

Penetration testing, also called pen testing, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.

Compliance

Does the app comply with the Health Insurance Portability and Accountability Act (HIPAA)? HIPAA is US legislation that sets standards for protecting the confidentiality and security of individually identifiable health information.

This is required for both US based and non US based companies with apps that relate to healthcare services or provide services to healthcare services.

Does the app comply with the Health Information Trust Alliance Common Security Framework (HITRUST CSF)? HITRUST CSF is a set of controls that harmonizes the requirements of information security regulations and standards.

This is required for apps that relate to healthcare services or provide services to healthcare services.

Does the app comply with Service Organization Controls (SOC 1)? SOC 1 covers reporting on controls at a service organization that are relevant to user entities' internal control over financial reporting.

This is required for both US based and non US based companies with apps that relate to financial services or provide services to financial institutions.

Does the app comply with Service Organization Controls (SOC 2)?

SOC 2 covers reporting on non-financial processing based on one or more of the Trust Services Criteria: security, privacy, availability, confidentiality, and processing integrity.

Which SOC 2 certification did you achieve?

Select either Type 1 or Type 2; if you have obtained both, select Type 2.

Does the app comply with Service Organization Controls (SOC 3)?

SOC 3 covers reporting based on the Trust Services Criteria that may be distributed freely and contains only management's assertion that they have met the requirements of the chosen criteria.

Do you carry out annual PCI DSS assessments against this app and its supporting environment?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.

Is the app International Organization for Standardization (ISO 27001) certified?

ISO 27001 is a certificate given to companies upholding internationally recognized guidelines and general principles for initiating, implementing, and improving information security management within an organization.

Does the app comply with International Organization for Standardization (ISO 27018)?

ISO 27018 establishes commonly accepted controls and guidelines for processing and protecting Personally Identifiable Information (PII) in a public cloud computing environment.

Does the app comply with International Organization for Standardization (ISO 27017)?

ISO 27017 establishes commonly accepted controls and guidelines for processing and protecting user information in a public cloud computing environment.

Does the app comply with International Organization for Standardization (ISO 27002)?

ISO 27002 establishes common guidelines for organizational information security standards and information security management practices.

Is the app Federal Risk and Authorization Management Program (FedRAMP) compliant?

FedRAMP is a US government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Select the FedRAMP compliance level.

FedRAMP authorizations are granted at three impact levels based on NIST guidelines—low, medium, and high. These levels rank the impact that the loss of confidentiality, integrity, or availability could have on an organization—low (limited effect), medium (serious adverse effect), and high (severe or catastrophic effect).

Does the app comply with Family Educational Rights and Privacy Act (FERPA)?

FERPA is a federal law that protects the privacy of student education records.

Does the app comply with the Children's Online Privacy Protection Act (COPPA)? COPPA defines requirements for website and online service operators that provide content to children under 13 years of age.

This is required for both US based and non US based companies with apps that could be used by children as well.

Does the app comply with the Sarbanes-Oxley Act (SOX)? SOX is US legislation aimed at protecting shareholders and the general public from accounting errors and fraud, as well as improving the accuracy of corporate disclosures.

This is required for US based public companies or non US based public companies that are traded on one of the stock exchange markets in the US.

Does the app comply with NIST 800-171?

NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies.

Has the app been Cloud Security Alliance (CSA Star) certified?

CSA STAR is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud.

Select the CSA STAR certification level.

There are five certification levels offered by CSA STAR: Continuous Monitoring, Assessment, Self Assessment, Attestation, and Certification. Select the one you have obtained.

Do you have GDPR or other privacy or data protection requirements or obligations?

The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents, no matter where you or your enterprise are located.

Does the app have an external-facing privacy notice that describes how it collects, uses, shares, and stores personal data?

The external-facing privacy notice must contain organizational information, the data you collect, how the data is collected, how you use personal data, how personal data is shared, data security, data retention, and customer legal rights. For more information, visit the GDPR page.

While profiling is the process of evaluating aspects about a person, automated decision-making is the process of making decisions about the individual using technological means and without the involvement of a human. GDPR - Rights in relation to automated decision making and profiling.

Are individuals provided an option to object to the processing?

GDPR - Right to object

Does the app process personal data for a secondary purpose not described in the privacy notice (i.e. marketing, analytics)?

GDPR - Data processing

Do you process special categories of sensitive data (i.e. racial or ethnic origin, political opinion, religious or philosophical beliefs, genetic or biometric data, health data) or categories of data subject to breach notification laws?

If you process any data relating to racial or ethnic origin, political opinion, religious or philosophical beliefs, genetic or biometric data, health data, then select yes. If not, select no.

Does the app collect or process data from minors (i.e. individuals under the age of 16)?

The GDPR sets a general age of consent at 16, which means you can't legally process the data of a data subject 15 years-old or younger.

In cases where you work with the data of children under 16, you can only process the data with permission from their parent or guardian. Any processing without the consent of an adult with parental responsibility is illegal under EU law.

Does the app have capabilities to delete an individual's personal data upon request?

GDPR - The right to erasure

Does the app have capabilities to restrict or limit the processing of an individual's personal data upon request?

GDPR - The right to restrict processing

Does the app provide individuals the ability to correct or update their personal data?

GDPR - The right to rectification

This information is needed as it relates to privacy and security practices.

Does your application integrate with the Microsoft Identity Platform (Azure AD) for single sign-on and API access?

Learn more about the Microsoft Identity Platform.

Does your app use Azure Application appId(s)?

The unique identifier for the application that is assigned to an application by Azure AD.

Azure Application appId

Enter the Azure Application appId.

What is the ID of the tenant where the above Azure Application appId is registered?

Enter the ID of the tenant which is displayed below Azure Application appId on the App registrations console.

Is this ID used by multiple applications?

This information is needed as it relates to Identity practices.

Does the app use Microsoft Graph permissions?

Azure AD assigns a unique application, or client ID to your app. The portal opens your application's Overview page. To add capabilities to your application, you can select other configuration options including branding, certificates and secrets, API permissions, and more.

Microsoft Graph permission

Here is the list of acceptable permissions: Microsoft Graph permissions reference.

What is the permission type?

Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests, and the app can act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent. Application permissions are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented to by an administrator.

What is the justification for using this Graph Permission?

Why did you choose that particular Graph permission?

Does your app request least privilege permissions for your scenario?

Least privilege permissions are the minimum set of permissions your app needs to request in order to deliver its intended functionality for customers. For apps calling Microsoft Graph, Graph Explorer and the API reference documentation can help you determine the least privilege permissions for your scenario.
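The two answers above (permission type and least privilege) can be checked mechanically on an issued token. The following is an added example, not code from the attestation page or Microsoft: it inspects a Graph access token's claims (delegated permissions arrive in the space-separated `scp` claim, application permissions in the `roles` array) and reports anything beyond a least-privilege set. The `REQUIRED_PERMISSIONS` set and both sample tokens are constructed for a hypothetical mail-reading scenario, and the payload is decoded without signature verification, which is adequate for a review but never for authorization.

```python
import base64
import json

# Constructed least-privilege reference for a hypothetical mail-reading scenario:
# the minimum Graph permissions this sample app needs (not Microsoft's published table).
REQUIRED_PERMISSIONS = {"User.Read", "Mail.Read"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    Good enough for inspecting which permissions a token carries during a review;
    never use an unverified payload to authorize a request.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_permissions(token: str) -> tuple:
    """Classify a Microsoft Graph access token by the claim carrying its permissions.

    Delegated permissions (a signed-in user is present) arrive in the space-separated
    'scp' claim; application permissions (daemon, no user) arrive in the 'roles' array.
    Returns (permission_type, set_of_permissions).
    """
    claims = decode_jwt_payload(token)
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "none", set()


def excess_permissions(token: str, required=None) -> set:
    """Permissions the token carries beyond the least-privilege set for the scenario.

    A non-empty result is the finding a reviewer would raise: the app requested (and
    a user or admin consented to) more than it needs to deliver its functionality.
    """
    _, granted = classify_permissions(token)
    return granted - set(REQUIRED_PERMISSIONS if required is None else required)


def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed sample token (alg 'none', empty signature) for offline testing."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed samples: a delegated token with one permission too many, and an
# application token whose 'roles' include a tenant-wide read the scenario never needs.
DELEGATED_TOKEN = _make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read Mail.Read Mail.ReadWrite"}
)
APPLICATION_TOKEN = _make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Mail.Read", "User.Read.All"]}
)

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("application", APPLICATION_TOKEN)):
        kind, granted = classify_permissions(tok)
        print(f"{name}: type={kind} granted={sorted(granted)} excess={sorted(excess_permissions(tok))}")
```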

Have you reviewed and complied with all applicable best practices outlined in the Microsoft identity platform integration checklist?

Learn more about the Microsoft identity platform integration checklist on our docs page.

Does your app use the latest version of MSAL (Microsoft Authentication Library) or Microsoft Identity Web for authentication?

The Microsoft Authentication Library (MSAL) enables developers to acquire tokens from the Microsoft identity platform in order to authenticate users and access secured web APIs.

Does your app support Conditional Access policies?

Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. Example: a payroll manager wants to access the payroll application and is required to do multi-factor authentication to access it.

List the types of policies supported.

Mention all the types of Conditional Access policies you support. Ex. Block access by location, Block legacy authentication. Examples can be found on our docs page.

Does your app support Continuous Access Evaluation (CAE)?

Continuous Access Evaluation (CAE) is a capability that improves resilience and decreases cost of goods sold (COGS) for services/workloads that rely on Azure AD authentication.
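In practice, "supporting CAE" means the app can recognize the claims challenge Microsoft Graph returns when a CAE event invalidates an unexpired token, and feed that challenge into its next token request instead of retrying with the same token. The following is an added example, not code from the attestation page or Microsoft: it parses the `WWW-Authenticate` header of such a 401, distinguishes it from an ordinary expired-token 401, and produces the claims string to hand to the token library. Both header samples are constructed; the MSAL parameter name `claims_challenge` mentioned in the comment is given from memory as an assumption.

```python
import base64
import json
import re

# Constructed sample of the 401 challenge Graph returns when a CAE event (for example a
# revoked session or a changed network location) invalidates an unexpired token.
# The claims value is base64-encoded JSON naming the claim the new token must carry.
_SAMPLE_CLAIMS = {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}
SAMPLE_CAE_CHALLENGE = (
    'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", claims="'
    + base64.b64encode(json.dumps(_SAMPLE_CLAIMS).encode()).decode()
    + '"'
)
# A constructed ordinary expired-token 401, which must NOT be treated as a CAE challenge.
SAMPLE_PLAIN_401 = 'Bearer realm="", error="invalid_token", error_description="token expired"'


def _header_params(www_authenticate: str) -> dict:
    """Parse key="value" pairs out of a Bearer WWW-Authenticate header."""
    return dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate))


def parse_claims_challenge(www_authenticate: str):
    """Return the decoded claims-challenge JSON, or None if this is not a CAE challenge.

    Only a challenge with error="insufficient_claims" and a claims parameter qualifies;
    any other 401 goes through the app's normal token-refresh path.
    """
    params = _header_params(www_authenticate)
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    decoded = base64.b64decode(raw + "=" * (-len(raw) % 4))  # tolerate stripped padding
    return json.loads(decoded)


def claims_for_token_request(www_authenticate: str):
    """Serialize the challenge for the next token request, or None if no CAE challenge.

    A CAE-aware app passes this string back to its token library so the identity
    platform issues a token that satisfies the challenge; with MSAL that is the
    claims_challenge argument of the acquire_token calls (assumed name, from memory).
    """
    challenge = parse_claims_challenge(www_authenticate)
    return None if challenge is None else json.dumps(challenge, separators=(",", ":"))


if __name__ == "__main__":
    print("CAE challenge ->", claims_for_token_request(SAMPLE_CAE_CHALLENGE))
    print("plain 401     ->", claims_for_token_request(SAMPLE_PLAIN_401))
```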

Does your app store any credentials in code?

If your app stores any credentials in code, select yes. If not, select no.

Apps and add-ins for Microsoft 365 might use additional Microsoft APIs outside of Graph. Does your app or add-in use additional Microsoft APIs?

If your app or add-in uses additional Microsoft APIs, select yes. If not, select no.

What is the service name of the API?

Ex. MSAL