What is Publisher Attestation?
Publisher Attestation is a way for app developers to show customers how their app handles security, data, and compliance. It is a self-assessment where the app developer answers questions about the app’s security attributes and data-handling practices. Microsoft publishes this information for customers to evaluate the app before enabling it for their organization.
Program Benefits
Publisher Attestation has many benefits for app developers, such as:
- Increased trust and transparency for customers.
- Time savings and accelerated review process.
- Prerequisite for completing Microsoft 365 Certification.
- Specialized badging and filters to stand out in Microsoft 365 storefronts and admin centers.
- Most attestations can be completed in one hour or less. (Depending on app framework)
Important
Microsoft does not validate the information provided. The developer is solely responsible for the information provided during Publisher Attestation.
Publisher Attestation scope
The attestation process centers on an extensive questionnaire detailing an app's security, data handling, and compliance attributes. The information provided covers the entire app functionality that is exposed when the app is activated in the Microsoft 365 platform and includes the following:
- Data Handling: How an app collects and stores organizational data, and what control an organization has over that data.
- Security: The protocols, processes, and procedures that an app has to protect data and detect and repel cyber-attacks.
- Compliance: The app's adherence to required industry standards and specifications.
- Legal: The app's adherence to applicable legislative statues and regulations.
Confirmation criteria
The attestation will reflect an app's security, data handling, and compliance practices against more than 80 risk factors identified by Microsoft Defender for Cloud Apps. If the initial attestation documentation submission fails basic consistency testing criteria the attestation will not be approved. Following approval, if misinformation in the documentation submission or an app failure is reported or discovered, the attestation confirmation status will be rescinded. In either instance, the developer will receive pertinent and detailed information to aid in the correction process.
Eligibility
Publisher Attestation is available for Microsoft 365 add-ins and apps that integrate with the following applications:
- Word
- Excel
- Outlook
- PowerPoint
- OneNote
- Project
- Teams
- SharePoint
- Web apps - SaaS
Note
Web Apps (SaaS apps published through commercial marketplace in Partner Center). SaaS apps are currently in a private preview, if you are interested in participating please fill out this form.
Begin Publisher Attestation
Fill out the Publisher Attestation questionaire in Partner Center. Please refer to our How-to guide for more information.
Await review feedback and results — During the consistency-check review, if analysts find blocking issues such as inadequate response data, the app developer will be contacted for further information. Analysts will maintain an app activity log detailing review findings and follow-up submissions. Once it has been determined that the attestation report is complete and the responses are acceptable, the submission will be approved. The attestation will be valid for one year from the time of submission.
Note
If, within the interim approval status period, there are updates or modifications to the app or a notification is received of reported attestation submission misinformation the developer must revise and resubmit the documentation.
View the online portal — Once attestation has been approved, the app will be listed in the online repository and will include the following:
- A submission timestamp.
- Links to a detailed copy of the submitted information.
- A declaration that the information provided is based on the submitted attestation report.
For example, See Microsoft Teams App Security and Compliance
Review and re-submission — Publisher Attestation will need to be resubmitted on an annual basis. When an apps attestation nears the one year mark a notification will be sent through Partner Center encouraging a resubmission of the expiring attestation.
If Publisher Attestation isn't renewed before the expiration date, the apps attestation status will be revoked and the attestation will be removed from the Microsoft Docs pages.
Note
By participating in the Publisher Attestation program, you are agreeing to these supplemental terms and to comply with any accompanying documentation that applies to your participation in the Publisher Attestation program with Microsoft Corporation ("Microsoft", "we", "us", or "our"). You represent and warrant to us that you have the authority to accept these Publisher Attestation supplemental terms on behalf of yourself, a company, and/or other entity, as applicable. We may change, amend or terminate these supplemental terms at any time. Your continued participation in the Publisher Attestation program after any change or amendment means you agree to the new supplemental terms. If you do not agree to the new supplemental terms or if we terminate these terms, you must stop participating in the Publisher Attestation program.