Complete Microsoft 365 Certification


The Microsoft 365 Certification requires an assessment of your security and compliance protocols, procedures, and processes. This assessment comprises a series of security controls spanning four domains: Application Security, Operational Security / Secure Deployment, Data Handling Security and Privacy, and Optional External Compliance Frameworks, as described in the Microsoft 365 Certification Submission Guide.

If you are able to demonstrate that you meet the controls in each domain, you will be awarded the certification. We will accept evidence of valid external compliance framework conformance to satisfy a subset of the controls.

Pursuing a certification is an impactful way of showing enterprise organizations your commitment to upholding stringent security practices, and the first step toward building a trusted ecosystem of apps ready for enterprise consumption.


Participation in the attestation and certification program is optional and does not prevent your app from being published and distributed on the Microsoft AppSource platform.

Certification Process

Before you begin your certification process, you will need to have completed the Publisher Attestation. Once your publisher attestation has been approved, you will receive an introductory email inviting you to join Microsoft 365 Certification.


  1. Review your completed Publisher Attestation documentation. If necessary, you can edit and update your responses; however, if you do so, you will need to resubmit your attestation documentation for approval. If your submission is older than three months, we will require that you resubmit Publisher Attestation for review and validation.
  2. Carefully read through the Microsoft 365 Certification Submission Guide to understand what will be required of you. Ensure that you will be able to fulfill the controls specified in the Microsoft 365 Certification Submission Guide.
  3. Submit your Initial Document Submission including all materials outlined in the Initial Document Submission section of the Microsoft 365 Certification Submission Guide. This will help us determine what is in-scope for your assessment based on how your app is built.


  4. Microsoft will respond with a request for evidence, outlining which controls will be in-scope for your assessment. You will have 60 days from this point to submit all required evidence.
  5. Submit all evidence to Microsoft within the 60-day period.
  6. Expect an email from a Microsoft contact with clarifying questions or supplemental evidence requests to assist in completing your assessment.

  7. Once your submission has been validated by an analyst, you will be notified of your certification decision. Apps awarded a certification will receive a badge on their application within AppSource and on Microsoft docs pages. You can read about the full benefits of certification here.

Review and Re-certification

In the event that your application undergoes significant changes at any point, you will be required to notify us.

You will also be required to go through re-certification on an annual basis. This will require the revalidation of the in-scope controls against your current environment. This process can begin up to 90 days before the expiration of your certification. Your existing certification will not expire during the re-certification period. Re-certification across all programs expires on the one-year anniversary of your Microsoft 365 Certification.
