Publisher Attestation overview
Publisher Attestation is the next tier in the Microsoft 365 App Compliance Program. The app developer is asked to complete a self-assessment that includes questions frequently asked by customers or IT admins when they are evaluating the security and compliance of an app. Microsoft then publishes this information for easier and more timely evaluation.
Important
Microsoft does not validate all of the information provided. The app developer is solely responsible for the information they provide in the publisher attestation.
Publisher Attestation applies to Web Apps (SaaS apps published through the commercial marketplace in Partner Center). SaaS apps are currently in a private preview; if you are interested in participating, fill out this form. Attestation also covers all apps that integrate with the following Microsoft products:
- Teams
- Word
- Excel
- PowerPoint
- Outlook
- SharePoint
- Project
- OneNote
Benefits for IT admins
The benefits of completing the Publisher Attestation for IT admins include:
- Added confidence in the security and compliance measures of applications enabled in the organization
- Reduced time to review an app's security and compliance posture
Benefits for App Developers
The benefits of completing the Publisher Attestation for developers include:
- Time savings. Customers can view the app's Microsoft Docs page for answers to commonly asked questions
- Accelerating an enterprise organization's security and compliance internal review timeline
- Increased transparency
- Microsoft provides this service at no additional cost
- Differentiation from other apps in the store
- Link to your docs page from your entry in AppSource, Teams Admin center, and Microsoft Admin Center
- Qualification to start the Microsoft 365 Certification
Publisher Attestation scope
The attestation process centers on an extensive questionnaire detailing an app's security, data handling, and compliance attributes. The information provided covers the entire app functionality that is exposed when the app is activated in an organization's Microsoft 365 platform and includes the following:
- Data Handling: How an app collects and stores organizational data, and what control an organization has over that data
- Security: The protocols, processes, and procedures that an app has to protect data and detect and repel cyber-attacks
- Compliance: The app's adherence to required industry standards and specifications
- Legal: The app's adherence to applicable legislative statutes and regulations
Confirmation criteria
The attestation will reflect an app's security, data handling, and compliance practices against more than 80 risk factors identified by Microsoft Cloud App Security. If the initial attestation documentation submission fails basic consistency testing criteria, the attestation will not be approved. Following approval, if misinformation in the documentation submission or an app failure is reported or discovered, the attestation confirmation status will be rescinded. In either instance, the developer will receive pertinent and detailed information to aid in the correction process.
Confirmation time frame
The attestation is valid for one year from the time of submission. However, if an app is updated or modified during that period, the developer is required to revise and resubmit the attestation.
Reviewing an app's Publisher Attestation
Detailed results of an app's Publisher Attestation can be reviewed on the Microsoft Docs page created for that app. All apps that have completed either Publisher Attestation or Microsoft 365 Certification will be listed, and each listing will clearly show which level in the compliance program has been achieved.
See the MIPA listing for an example of an app that has completed the Publisher Attestation.