App Compliance Automation Tool for Microsoft 365
In this article, you learn what the App Compliance Automation Tool for Microsoft 365 (ACAT) is, and how it simplifies compliance and obtaining the Microsoft 365 Certification.
Note
ACAT is currently in public preview and only supports apps built on Azure. In the future, it will also support applications built on other clouds or mix of different clouds.
Note
If you would like to provide feedback to ACAT public preview, please complete this form. The ACAT product team will follow up with you as soon as possible once we get your messages.
What is App Compliance Automation Tool for Microsoft 365
App Compliance Automation Tool for Microsoft 365 (ACAT) is a service in Azure portal that helps simplify the compliance journey for any app that consumes Microsoft 365 customer data and is published via Partner Center. It's an application-centric compliance automation tool that helps you complete Microsoft 365 Certification with greater ease and convenience. In Public Preview, ACAT is available to apps running on Azure.
With this tool, you'll quickly be able to define the compliance boundary for your applications, monitor the compliance results automatically, and complete the compliance audit more easily. The compliance boundary is the cloud infrastructure that supports delivery of the app and any backend systems that the app may be communicating with.
In addition to providing a faster track towards Microsoft 365 Certification, ACAT can help you in various compliance scenarios for Microsoft 365 applications:
- Detailed view and remediation steps for Microsoft 365 Certification responsibilities.
- Automatic daily reports to help you get compliance results continuously.
- Security and compliance best practices that can be used as guidance in the early phase of your application lifecycle.
Benefits of ACAT
Application-centric compliance journey.
- ACAT reports compliance assessments for the cloud environment of your applications, which you can integrate with your current cloud infrastructure compliance strategy.
- Developers can invoke ACAT even during the app development phase.
Accelerates the process of getting Microsoft 365 certified.
- ACAT fully automates certain Microsoft 365 Certification controls.
- There's a continuously growing automation list that is actively being developed by Microsoft.
Native integration with Microsoft 365 Certification workflow.
- ACAT is fully integrated with Partner Center for Microsoft 365 Certification purpose.
Keep your application or environment compliant continuously.
- ACAT ensures daily updates of compliance assessments, tailoring them to your specified trigger time setting.
- ACAT empowers you to seamlessly integrate compliance assessments into GitHub Actions or other CI/CD pipelines, ensuring continuous monitoring.
Concepts of ACAT
Regulatory Compliance Report
In ACAT, you can audit the application's compliance status by creating a compliance report for it. You can define the compliance boundary for your application by specifying the Azure resources that build the application. Create multiple reports for one application, based on different development environments and stages.
Once the report is created, ACAT starts to gather the compliance data on your predefined trigger time, and then generate the compliance results as a report for you. Meanwhile, ACAT keeps monitoring the compliance changes for your compliance report continuously, until you choose to delete the report.
Microsoft 365 Certification control
ACAT expediting the Microsoft 365 Certification by automating the compliance controls. Based on the automation status, there are three types of compliance controls defined in ACAT.
- Fully automated control: The Microsoft certification control is fully automated by ACAT.
- Partial automated manual control: ACAT could automate partial responsibilities of the Microsoft 365 Certification control. You need to follow the instructions provided by ACAT to complete the remaining responsibilities.
- Fully manual control: You need to follow the instructions provided by ACAT to complete all responsibilities.
In long term, ACAT improves the automation coverage of Microsoft 365 Certification controls continuously.
Customer responsibility
There's a set of customer responsibilities associated with each control that need to be satisfied. They're responsibilities retained by you in the following areas: data, endpoints, account, access management, etc.
Manual customer responsibility: You are required to prepare your compliance evidence and upload it to ACAT. ACAT will then transfer your evidence to Partner Center when you submit your ACAT report.
Automated assessment customer responsibility: ACAT can collect data for each responsibility and provide an assessment result. You need to address any unhealthy resources by either remediating them or providing additional compliance evidence to justify the current state of the resource.
Automated evidence collection customer responsibility: For reports containing resources supported by ACAT's automated evidence collection feature, ACAT offers streamlined assistance in preparing compliance evidence through a straightforward button-click process. If the report's resource list lacks supported resources, you still retain the option to manually upload your compliance evidence.
Both automated assessment and automated evidence collection customer responsibilities provide you with remediation actions, which are our guidelines to help you align with Microsoft 365 Certification standards.
Note
Automated assessment customer responsibilities are refrshed daily based on the scheduled trigger time. However, automated evidence collection customer responsibilities can only be refreshed on-demand by clicking the 'Automated evidence collection by ACAT' button.
Understand the compliance status of the Microsoft 365 certification controls
In the Regulatory Compliance Report, ACAT defines customer responsibilities for each fully automated control and partial automated manual control. There are two compliance statuses for the customer responsibility.
- Passed: The cloud resources applicable for this customer responsibility are healthy.
- Failed: There is at least one cloud resource unhealthy. You could follow the remediation steps to resolve the unhealthy resources.
- N/A: No cloud resources are applicable to customer responsibility, or this customer responsibility is deemed inapplicable based on the application configuration for this report.
- App compliance review required: You manually gather evidence and upload it to this customer responsibility. An analyst will conduct a thorough review after you submit the Microsoft 365 Certification request in Microsoft Partner Network.
The compliance statuses of Microsoft 365 Certification controls rely on the compliance statuses of customer responsibilities.
- Passed: No customer responsibility is in the 'Failed' or 'App compliance review required' status for this Microsoft 365 Certification control.
- Failed: At least one customer responsibility has failed in relation to this Microsoft 365 Certification control.
- N/A: All customer responsibilities for this Microsoft 365 Certification control are in the 'N/A' status.
- App compliance review required: At least one customer responsibility is in 'App compliance review required' status. An analyst will conduct a thorough review after you submit the Microsoft 365 Certification request in Microsoft Partner Network.
FAQ
What are manual controls and partially automated controls?
Each compliance control is linked to a specific set of customer responsibilities, with ACAT collecting compliance data accordingly. It's important to note that, now, ACAT doesn't cover all controls for Microsoft 365 Certification (although efforts are underway to expand coverage). In the case of partially automated controls, ACAT automates specific aspects of customer responsibilities. The assessment outcomes from a partially automated control contribute to the Microsoft 365 Certification audit, and further actions are needed on your part to fulfill any remaining requirements. However, for manual controls, ACAT currently doesn't automate any customer responsibilities.
How can I know whether the control is fully automated?
ACAT continuously enhances control automation. Here's the current status of control automation.
| Security Domain | Control Family | Control Number | ACAT Automation Status |
|---|---|---|---|
| Operational Security | Awareness Training | Control 1 | Manual |
| Operational Security | Malware Protection - Anti-Virus | Control 2 | Fully Automated |
| Operational Security | Malware Protection - Application Control | Control 3 | Manual |
| Operational Security | Patch Management - Patching & Risk Ranking | Control 4 | Manual |
| Operational Security | Patch Management - Patching & Risk Ranking | Control 5 | Partial Automated |
| Operational Security | Vulnerability Scanning | Control 6 | Fully Automated |
| Operational Security | Vulnerability Scanning | Control 7 | Fully Automated |
| Operational Security | Network Security Controls (NSC) | Control 8 | Partial Automated |
| Operational Security | Network Security Controls (NSC) | Control 9 | Partial Automated |
| Operational Security | Change Control | Control 10 | Manual |
| Operational Security | Change Control | Control 11 | Manual |
| Operational Security | Secure Software Development/Deployment | Control 12 | Manual |
| Operational Security | Secure Software Development/Deployment | Control 13 | Partial Automated |
| Operational Security | Account Management | Control 14 | Partial Automated |
| Operational Security | Account Management | Control 15 | Partial Automated |
| Operational Security | Account Management | Control 16 | Partial Automated |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 17 | Fully Automated |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 18 | Fully Automated |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 19 | Manual |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 20 | Fully Automated |
| Operational Security | Information Security Risk Management | Control 21 | Manual |
| Operational Security | Information Security Risk Management | Control 22 | Manual |
| Operational Security | Information Security Risk Management | Control 23 | Manual |
| Operational Security | Information Security Risk Management | Control 24 | Manual |
| Operational Security | Security Incident Response | Control 25 | Manual |
| Operational Security | Security Incident Response | Control 26 | Manual |
| Operational Security | Security Incident Response | Control 27 | Manual |
| Operational Security | Business Continuity Plan (BCP) and Disaster Recovery Plan | Control 28 | Partial Automated |
| Operational Security | Business Continuity Plan (BCP) and Disaster Recovery Plan | Control 29 | Partial Automated |
| Operational Security | Business Continuity Plan (BCP) and Disaster Recovery Plan | Control 30 | Manual |
| Data Handling Security & Privacy | Data in Transit | Control 1 | Fully Automated |
| Data Handling Security & Privacy | Data in Transit | Control 2 | Fully Automated* |
| Data Handling Security & Privacy | Data At Rest | Control 3 | Fully Automated |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 4 | Manual |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 5 | Manual |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 6 | Partial Automated |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 7 | Partial Automated |
| Data Handling Security & Privacy | Data Access Management | Control 8 | Partial Automated |
| Data Handling Security & Privacy | Data Access Management | Control 9 | Manual |
| Data Handling Security & Privacy | Privacy | Control 10 | Manual |
| Data Handling Security & Privacy | Privacy | Control 11 | Partial Automated |
| Data Handling Security & Privacy | GDPR | Control 12 | Partial Automated |
| Data Handling Security & Privacy | GDPR | Control 13 | Manual |
| Data Handling Security & Privacy | HIPAA | Control 14 | Manual |
| Data Handling Security & Privacy | HIPAA | Control 15 | Manual |
Note
ACAT Automation Status expresses what automation extent can ACAT help you prepare the compliance evidence for a control.
- Manual: You are required to manually prepare all compliance evidence for each customer responsibility under this control.
- Partial Automated: This control has a mix of customer responsibilities, including automated assessments, automated evidence collection, and manual customer responsibilities. You need to remediate any failed customer responsibilities and leverage the automated evidence collection feature for evidence gathering. For manual responsibilities, ensure to provide the necessary compliance evidence and upload it to the ACAT.
- Fully Automated: All the customer responsibilities under this control are either automated assessment customer responsibilities or automated evidence collection customer responsibilities.
I made the suggested changes base on the remediation suggestion, yet the control is still failing
After taking corrective action to address the failure, please allow ACAT time to retrieve updated assessment results for control status. Assessments are conducted every 24 hours, according to your predetermined trigger time.
How is the compliance report used in the certification process?
ACAT is seamlessly integrated with Partner Center to complete your Microsoft 365 Certification journey. Learn more about how to use compliance report to accelerate Microsoft 365 Certification