Know about app compliance program for security, data handling, and privacy

The Microsoft 365 app compliance program checks and audits an app against controls that are derived from leading industry-standard frameworks. The program demonstrates that strong security and compliance practices are in place to protect customer data. The program has the following phases:

Publisher verification

Before an app developer can submit their app to Microsoft, the developer is required to undergo a verification. A developer verifies their identity using their Microsoft Partner Network (MPN) account and associates this MPN account with their app registration. Publisher verification helps admins and users understand the authenticity of application developers. Publisher verification provides the following benefits:

  • Increased transparency and risk reduction for customers - this capability helps customers understand which apps being used in their organizations are published by developers they trust.
  • Improved branding - a verified badge appears on the Microsoft Entra consent prompt, Enterprise Apps page, and other user interfaces used by users and admins.
  • Smoother enterprise adoption - admins can configure user consent policies, with publisher verification status as a primary policy criterion.

Publisher attestation

Publisher attestation is the next tier in the app compliance program. Publisher attested apps give admins confidence about the security and compliance measures of an app, and attestation helps reduce the time needed to review this information. The attestation reflects an app's security, data handling, and compliance practices against more than 80 risk factors identified by Microsoft Defender for Cloud Apps. The publisher attestation process can start before publisher verification is complete.

App developers are asked to complete a self-assessment that includes questions frequently asked by customers and IT admins to evaluate the security and compliance of an app. Microsoft then publishes this information for easier and more timely evaluation. To learn more, see the Attestation guide.

Admins can quickly check for publisher attested apps in three different ways.

  • When gathering more information about an app, see the details of a specific app at its link at Microsoft Teams apps security and compliance. Alternatively, select the Publisher attestation link in Teams admin center.

    In Teams admin center, select the Publisher attestation link to view details of the attestation of an app.

  • In Teams admin center, when checking the details of an app from the Manage App page, see the publisher attested icon on the banner in the app's detail page.

    In Teams admin center, Publisher attested icon is displayed on all attested apps.

  • In Teams admin center, before you grant consent to app permissions, a blue checkmark in front of the app name indicates it's a publisher attested app. All Microsoft 365 apps also go through publisher attestation, so a blue checkmark displays for Microsoft 365 apps as well.

    In Teams admin center, on the dialog to grant permissions, the blue checkmark indicates publisher attested app.

The attestation details page for an attested or certified app lists the following details.

Detailed information provided for attested apps.

Microsoft 365 certification

App certification is achieved through:

  • A qualified analyst's review.
  • Approval of a comprehensive assessment centering on an app's security and compliance frameworks, processes, and procedures.

We check the app against a series of security controls derived from leading industry-standard frameworks.

The certificate demonstrates the strong security and compliance practices that are in place to protect customer data when the app is used in an organization. More information about how admins and users benefit from the certification is available at Overview of Microsoft 365 app compliance program.

Administrators can quickly check for Microsoft 365 certified apps in the following ways.

  • When gathering more information about an app on the web, see the shield icon in Microsoft documentation about the app.

    View the Microsoft 365 certification information in the detailed help article about security and compliance of an app

  • When checking an application in Teams admin center, sort the list of apps using the Certification column. See the icon and optionally, select the link to access the app-specific page mentioned above.

    View Microsoft 365 certification status of an app in the Teams admin center.

  • When viewing the details of an app, see the Microsoft 365 certified icon in the app banner.

    View Microsoft 365 certification information in the app banner when managing a specific app in Teams admin center

  • In Teams admin center, before you grant consent to app permissions, a blue checkmark in front of the app name indicates it's a publisher attested app. All Microsoft 365 apps also go through publisher attestation, so a blue checkmark displays for Microsoft 365 apps as well.

    In Teams admin center, on the dialog to grant permissions, admins can check the blue checkmark to be assured that the app is Microsoft 365 certified

View security, compliance, and privacy information

You can find information about security, privacy, compliance and behaviors for an attested or certified app in Microsoft documentation and Teams admin center.

Microsoft documentation

You can find the details about security, privacy, compliance, and more for each app listed in the app-specific help articles linked from Microsoft Teams apps security and compliance.

Detailed information that is provided for apps that undergo Microsoft compliance program.

Teams admin center

When evaluating an app, you can use independent Cloud Access Security Brokers (CASB), such as Microsoft Defender for Cloud Apps, to find information about security and behaviors of an app. The Teams admin center includes security and compliance information from Defender for Cloud Apps for Microsoft 365 Certified apps. Check this information in the app details page to verify whether the app meets your security needs.

Note

This feature is available to all admins, whether or not your organization has a license that supports Defender for Cloud Apps.

To access Defender for Cloud Apps information for an app:

  1. Sign in to the Teams admin center and access Teams apps > Manage apps.

  2. Select Certification to sort apps and push all Microsoft 365 Certified apps to the top of the table.

  3. Choose a Microsoft 365 Certified app.

  4. Select the Security and compliance tab.

    Screenshot of Teams admin center security and compliance tab.

    To get more details on the supported capabilities for the app, select the dropdown list for each category.

View privacy policy and terms of use of an app

In Teams admin center, each app page links to the privacy statement and terms of use of the app.

From Teams admin center, admins can access the link to the privacy policy and terms of use for every app.