As an admin of Microsoft 365, you have the incredible - and sometimes overwhelming - responsibility to keep your organization’s data safe. At the same time, you have business demands, and at times these two factors can be at odds. This is particularly true when it comes to authorizing third-party applications that your business is interested in using. Apps for services like Microsoft Teams can increase your organization’s productivity, but how do you know you can trust them? Are they who they say they are, and what are they doing with your data? Microsoft is taking actions to empower you to manage apps in relation to your organization’s risk tolerance.
Microsoft has developed a multi-layer security story to meet your organization's needs.
At Build, Microsoft introduced a Publisher Verification program that allows developers to add a verified organizational identity to their apps. This helps admins and end users understand the authenticity of applications requesting access to your organizational data. You can be confident that if an application says it is developed by Contoso Inc., it has been developed by Contoso Inc. The value of this capability extends far beyond the verified badge. Publisher Verification provides a critical input for Application Consent Controls, which are now available in public preview. Admins can now choose to allow users to consent to certain apps, based on policies that can be set up proactively. The criteria can include things like publisher verification status or the permissions being requested, and the policies can be applied to different sets of users.
Example of the updated branding page for an app registration with a verified publisher
Last year, Microsoft introduced Publisher Attestation, where developers share general, data handling, and security and compliance information pertaining to their app ecosystems. This reduces the need for IT Admins to work directly with app publishers. For all apps that have completed the self-attestation, all the information you would need to make an informed decision can be found in one place and in a consistent format. The goal is to make it easier for you to use this data to ensure third-party applications meet your rigorous security and compliance standards.
Example of link in AppSource for publisher attested apps
Microsoft 365 Certification
Building upon the Publisher Attestation program, Microsoft has created Microsoft 365 Certification for developers (currently only offered for Teams apps), in which Microsoft employs a third-party assessor to validate the security and compliance standards. Rest assured that Microsoft has done the work to ensure applications and developers that receive the Microsoft 365 Certification operate in ways that promote safe usage and storage of your data.
Example of Microsoft 365 certification badge in AppSource
As security becomes an increasingly important factor in enabling and using third-party applications, we will continue to build upon these programs. We’ll review partner submissions annually to confirm the validity of the data submitted.
If you have questions about any of these programs, please reach out to firstname.lastname@example.org.