Thursday, October 28, 2021

How the Microsoft 365 App Compliance program helps enable a secure Teams app ecosystem

It is no secret that applications are essential to business continuity and productivity, within Teams and across the organization's wider app ecosystem. Productivity and collaboration tooling has become especially top of mind with the shift to hybrid work and a scaled remote workforce. With tens of millions of applications available, IT and security operations teams need an efficient way to minimize the risk that such a large app ecosystem introduces.

The importance of a secure and compliant app ecosystem

When IT admins are asked how many cloud apps they think their employees are using, the real number is often much higher than IT estimates. It is not uncommon for end users to use whatever tooling is available to complete a task, regardless of whether it is an officially sanctioned or regulated app. This leads to "Shadow IT", commonly defined as the use of applications, devices, software, and services without explicit IT department approval. The adoption of shadow apps and services can lead to security breaches, data leakage, or non-compliance with data governance regulations.

Shadow IT has continued to grow with the availability of numerous cloud-based applications and services. For IT and SecOps teams, this means the risks associated with shadow services have also continued to grow across their organization. Microsoft supports IT and SecOps teams in discovering, identifying, and managing shadow IT across the organization to help minimize its impact. Cloud and app discovery policies are useful tools for identifying concerning apps or services, but ideally IT wants to minimize the adoption of shadow apps that may pose security and compliance risks in the first place. The Microsoft 365 App Compliance program is designed to give IT and end users more confidence in the apps that are powering the organization.

Overview of the Microsoft 365 App Compliance Program

The Microsoft 365 App Compliance Program is a two-tiered approach to app security and compliance curated for developers. The program is best summarized by its mission statement: help Microsoft customers have complete trust in the applications that run in their organizations. Microsoft works with Microsoft 365 developers to provide the app information organizations need to make informed decisions about the apps and add-ins they use. That information is supplemented with information from the Microsoft Cloud App Security app catalog to help organizations better assess and manage the risk of using these apps. Each tier of the program builds upon the previous one to maximize the confidence IT and SecOps teams have in their Microsoft 365 ecosystem.

Publisher verification helps admins and end users judge the authenticity of app developers integrating with the Microsoft identity platform. An app marked as publisher verified means the publisher has verified their identity using a Microsoft Partner Network (MPN) account and associated that MPN account with the app registration. A publisher verified app also indicates that the app has met specific identity platform requirements, such as authenticating through OAuth 2.0.
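Publisher verification status is exposed per app in the directory, so an admin can inventory it rather than rely on the badge alone. The script below is an added example, not Microsoft's code and not part of the original post; it goes slightly beyond the text by reading the status through Microsoft Graph. It assumes the `servicePrincipal` resource shape, where `verifiedPublisher` carries a `verifiedPublisherId` for verified publishers and is null-filled or absent otherwise. The embedded sample response and its app names and IDs are constructed for illustration.

```python
"""Triage the apps in a tenant by publisher-verification status.

Added example (not Microsoft's code). Assumption: Microsoft Graph's
servicePrincipal resource, where `verifiedPublisher.verifiedPublisherId`
is set only after the publisher has completed verification.
"""
import json
import urllib.request
from typing import Dict, Iterable, Iterator, List

# Real Graph endpoint; the $select keeps the payload to the fields we inspect.
GRAPH_URL = ("https://graph.microsoft.com/v1.0/servicePrincipals"
             "?$select=appId,displayName,publisherName,verifiedPublisher")

# Constructed sample shaped like one page of a Graph response. The three
# cases are: verified, returned with null-filled verifiedPublisher, and
# returned with the property absent entirely.
SAMPLE_RESPONSE = {
    "value": [
        {"appId": "00000000-0000-0000-0000-000000000001",
         "displayName": "Contoso Notes", "publisherName": "Contoso Ltd",
         "verifiedPublisher": {"displayName": "Contoso Ltd",
                               "verifiedPublisherId": "1234567",
                               "addedDateTime": "2021-06-01T00:00:00Z"}},
        {"appId": "00000000-0000-0000-0000-000000000002",
         "displayName": "Fabrikam Poller", "publisherName": "Fabrikam",
         "verifiedPublisher": {"displayName": None,
                               "verifiedPublisherId": None,
                               "addedDateTime": None}},
        {"appId": "00000000-0000-0000-0000-000000000003",
         "displayName": "Legacy Sync", "publisherName": None},
    ]
}


def fetch_service_principals(access_token: str, url: str = GRAPH_URL) -> Iterator[dict]:
    """Yield every service principal in the tenant, following @odata.nextLink
    paging. The token needs Application.Read.All or Directory.Read.All.
    (Not exercised offline; triage() below works on any iterable of records.)"""
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def is_publisher_verified(sp: dict) -> bool:
    """True only when Graph reports a verifiedPublisherId. Unverified apps come
    back either without the property or with every field null, so treat both
    the same way instead of testing for the key's presence."""
    verified = sp.get("verifiedPublisher") or {}
    return bool(verified.get("verifiedPublisherId"))


def triage(service_principals: Iterable[dict]) -> Dict[str, List[dict]]:
    """Split apps into verified and unverified lists for review."""
    result: Dict[str, List[dict]] = {"verified": [], "unverified": []}
    for sp in service_principals:
        key = "verified" if is_publisher_verified(sp) else "unverified"
        result[key].append(sp)
    return result


def report_lines(service_principals: Iterable[dict]) -> List[str]:
    """One line per unverified app, flagging apps with no publisher name at
    all, which deserve a closer look first."""
    lines = []
    for sp in triage(service_principals)["unverified"]:
        publisher = sp.get("publisherName") or "<no publisher name>"
        lines.append(f"UNVERIFIED {sp['appId']} {sp['displayName']} ({publisher})")
    return lines


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # fetch_service_principals(token) for a live tenant.
    for line in report_lines(SAMPLE_RESPONSE["value"]):
        print(line)
```

The check keys on `verifiedPublisherId` rather than on the presence of the `verifiedPublisher` property, because Graph can return the property with every field null for an unverified publisher; testing for the key alone would mark such apps as verified.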

The Microsoft 365 Certification has two phases: Attestation and Certification

Attestation is where app developers share app information related to data handling, security, and compliance. Surfacing this information in a consistent format and in a centralized location lets IT decide whether an app meets organizational requirements without having to contact the publisher directly.

Certification confirms that an app solution is compatible with Microsoft technologies, compliant with cloud app security best practices, and supported by Microsoft. App developers work with a third-party assessor to validate security and compliance standards. The result is a Microsoft 365 Certified App!

Example of Microsoft 365 Certification badge in Microsoft docs

Example of Microsoft 365 certification badge in AppSource


The program is designed to assure organizations and IT admins that when data interacts with a certified application, that application has undergone a security and privacy review. Microsoft 365 Certification requires a thorough assessment of an app and its underlying infrastructure against a series of security controls, validating items such as up-to-date antimalware signatures, proper data encryption at rest and in transit, and many more. In the Certification tier of the program, we verify the evidence and documentation provided, and attest to its completeness and accuracy prior to awarding a certification. This gives IT admins the means to identify trustworthy apps through information about the app's security, privacy, and data handling practices, surfaced in:

  • Customer reviews and compliance information in AppSource
  • Consent screens and the Certification status of an app


How the Microsoft 365 App Compliance Program helps IT admins

For IT, there remains a consistent effort to ensure end users are using applications that have been reviewed and approved according to internal standards for app security, authentication, and data handling. The Microsoft 365 App Compliance program helps app developers and publishers align to controls derived from leading industry standard frameworks.

The program can serve as a golden thread connecting app management and discovery. The scope of the program extends across Microsoft 365: Outlook, Office Add-ins, SharePoint Add-ins, OneNote, Project, and of course…Teams! The Microsoft 365 Certification also applies to web apps and to all apps that integrate with Teams, Word, Excel, PowerPoint, Outlook, SharePoint, Project, and OneNote. As the program continues to expand, we have also recently included SaaS apps and add-ins, centralizing coverage across the app ecosystem.

By publicly outlining what it means for an app to be publisher verified and Microsoft 365 Certified, the Microsoft 365 App Compliance program helps IT and SecOps teams assess apps more efficiently. Organizations can also use the program as a basis for internal app guidelines or standards. To make certified apps easier to find, AppSource and the Office Store now have filters for both Microsoft 365 Certified and Publisher Attested apps. Within Microsoft Teams, end users can see the certification badge when viewing an application.

Example of a certified app in Microsoft Teams

Example of filters in AppSource


Next steps

Managing an app ecosystem can be challenging, but it is an important part of organizational security and compliance. The Microsoft 365 App Compliance program is working to give organizations a more efficient way to assess the applications that power them. To learn more about the Microsoft 365 App Compliance program, please visit the overview of the Microsoft 365 App Compliance Program. We also highly encourage you to check out the video below!
