App Compliance Automation Tool for Microsoft 365
In this article, you learn what the App Compliance Automation Tool for Microsoft 365 (ACAT) is, and how it simplifies compliance and obtaining the Microsoft 365 Certification.
Note
ACAT is currently in public preview and only supports apps built on Microsoft Azure and Amazon Web Services (AWS). Future updates will include functionality for apps built on other clouds.
Note
If you would like to provide feedback to ACAT public preview, please complete this form. The ACAT product team will follow up with you as soon as possible once we get your messages.
What is App Compliance Automation Tool for Microsoft 365
App Compliance Automation Tool for Microsoft 365 (ACAT) is a service in Azure portal that helps simplify the compliance journey for any app that consumes Microsoft 365 customer data and is published via Partner Center. It's an application-centric compliance automation tool that helps you complete Microsoft 365 Certification with greater ease and convenience.
With this tool, you'll quickly be able to define the compliance boundary for your applications, monitor the compliance results automatically, and complete the compliance audit more easily. The compliance boundary is the cloud infrastructure that supports delivery of the app and any backend systems that the app communicating with.
In addition to providing a faster track towards Microsoft 365 Certification, ACAT can help you in various compliance scenarios for Microsoft 365 applications:
- Detailed view and remediation steps for Microsoft 365 Certification responsibilities.
- Automatic daily reports of compliance assessments to keep your applications compliant continuously.
- Security and compliance best practices that can be used as guidance in the early phase of your application lifecycle.
Benefits of ACAT
Application-centric compliance journey.
- ACAT reports compliance assessments for the cloud environment of your applications, which you can integrate with your current cloud infrastructure compliance strategy.
- Developers can invoke ACAT even during the app development phase to identify potential compliance risks in early stage.
Accelerates the process of getting Microsoft 365 certified.
- ACAT fully automates certain Microsoft 365 Certification controls.
- There's a continuously growing automation list that is actively being developed by Microsoft.
Native integration with Microsoft 365 Certification workflow.
- ACAT is fully integrated with Partner Center for Microsoft 365 Certification purpose.
Keep your application or environment compliant continuously.
- ACAT ensures daily updates of compliance assessments, tailoring them to your specified trigger time setting.
- ACAT empowers you to seamlessly integrate compliance assessments into GitHub Actions or other CI/CD pipelines, ensuring continuous monitoring.
Concepts of ACAT
Regulatory Compliance Report
In ACAT, you can audit the application's compliance status by creating a compliance report for it. You can define the compliance boundary for your application by specifying the cloud resources that build the application. Create multiple reports for one application, based on different development environments and stages.
Once the report is created, ACAT starts to gather the compliance data on your predefined trigger time, and then generates the compliance results as a report for you. Meanwhile, ACAT keeps monitoring the compliance changes for your compliance report continuously, until you choose to delete the report.
Microsoft 365 Certification control
ACAT expediting the Microsoft 365 Certification by automating the compliance controls. Based on the automation status, there are three types of compliance controls defined in ACAT.
- Fully automated control: The Microsoft certification control is fully automated by ACAT.
- Partial automated manual control: ACAT could automate partial responsibilities of the Microsoft 365 Certification control. You need to follow the instructions provided by ACAT to complete the remaining responsibilities.
- Fully manual control: You need to follow the instructions provided by ACAT to complete all responsibilities.
In long term, ACAT improves the automation coverage of Microsoft 365 Certification controls continuously.
Customer responsibility
There's a set of customer responsibilities associated with each control that need to be satisfied. They're responsibilities retained by you in the following areas: data, endpoints, account, access management, etc.
Manual customer responsibility: You're required to prepare your compliance evidence and upload it to ACAT. ACAT will then transfer your evidence to Partner Center when you submit your ACAT report.
Automated assessment customer responsibility: ACAT can collect data for each responsibility and provide an assessment result. You need to address any unhealthy resources by either remediating them or providing more compliance evidence to justify the current state of the resource.
Automated evidence collection customer responsibility: For reports containing resources supported by ACAT's automated evidence collection feature, ACAT offers streamlined assistance in preparing compliance evidence through a straightforward button-select process. If the report's resource list lacks supported resources, you still retain the option to manually upload your compliance evidence.
Both automated assessment and automated evidence collection customer responsibilities provide you with remediation actions, which are our guidelines to help you align with Microsoft 365 Certification standards.
Note
Automated assessment customer responsibilities are refrshed daily based on the scheduled trigger time. However, automated evidence collection customer responsibilities can only be refreshed on-demand by clicking the 'Automated evidence collection by ACAT' button.
Understand the compliance status of the Microsoft 365 certification controls
In the Regulatory Compliance Report, ACAT defines customer responsibilities for each fully automated control and partial automated manual control. There are two compliance statuses for the customer responsibility.
- Passed: The cloud resources applicable for this customer responsibility are healthy.
- Failed: There is at least one cloud resource unhealthy. You could follow the remediation steps to resolve the unhealthy resources.
- N/A: No cloud resources are applicable to customer responsibility, or this customer responsibility is deemed inapplicable based on the application configuration for this report.
- App compliance review required: You manually gather evidence and upload it to this customer responsibility. An analyst will conduct a thorough review after you submit the Microsoft 365 Certification request in Microsoft Partner Network.
The compliance statuses of Microsoft 365 Certification controls rely on the compliance statuses of customer responsibilities.
- Passed: No customer responsibility is in the 'Failed' or 'App compliance review required' status for this Microsoft 365 Certification control.
- Failed: At least one customer responsibility failed in relation to this Microsoft 365 Certification control.
- N/A: All customer responsibilities for this Microsoft 365 Certification control are in the 'N/A' status.
- App compliance review required: At least one customer responsibility is in 'App compliance review required' status. An analyst will conduct a thorough review after you submit the Microsoft 365 Certification request in Microsoft Partner Network.
FAQ
What are manual controls and partially automated controls?
Each compliance control is linked to a specific set of customer responsibilities, with ACAT collecting compliance data accordingly. It's important to note that, now, ACAT doesn't cover all controls for Microsoft 365 Certification (although efforts are underway to expand coverage). In the case of partially automated controls, ACAT automates specific aspects of customer responsibilities. The assessment outcomes from a partially automated control contribute to the Microsoft 365 Certification audit, and further actions are needed on your part to fulfill any remaining requirements. However, for manual controls, ACAT currently doesn't automate any customer responsibilities.
How can I know whether the control is fully automated?
ACAT continuously enhances control automation. Here's the current status of control automation.
| Security Domain | Control Family | Control Number | ACAT Automation Status | ACAT Automation Status for AWS |
|---|---|---|---|---|
| Operational Security | Awareness Training | Control 1 | Manual | Manual |
| Operational Security | Malware Protection - Anti-Virus | Control 2 | Fully Automated | Partial Automated |
| Operational Security | Malware Protection - Application Control | Control 3 | Manual | Manual |
| Operational Security | Patch Management - Patching & Risk Ranking | Control 4 | Manual | Manual |
| Operational Security | Patch Management - Patching & Risk Ranking | Control 5 | Partial Automated | Partial Automated |
| Operational Security | Vulnerability Scanning | Control 6 | Fully Automated | Partial Automated |
| Operational Security | Vulnerability Scanning | Control 7 | Fully Automated | Fully Automated |
| Operational Security | Network Security Controls (NSC) | Control 8 | Partial Automated | Manual |
| Operational Security | Network Security Controls (NSC) | Control 9 | Partial Automated | Automated Evidence Collection |
| Operational Security | Change Control | Control 10 | Manual | Manual |
| Operational Security | Change Control | Control 11 | Automated Evidence Collection | Automated Evidence Collection |
| Operational Security | Secure Software Development/Deployment | Control 12 | Manual | Manual |
| Operational Security | Secure Software Development/Deployment | Control 13 | Partial Automated | Partial Automated |
| Operational Security | Account Management | Control 14 | Partial Automated | Partial Automated |
| Operational Security | Account Management | Control 15 | Partial Automated | Partial Automated |
| Operational Security | Account Management | Control 16 | Partial Automated | Partial Automated |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 17 | Fully Automated | Partial Automated |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 18 | Fully Automated | Partial Automated |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 19 | Manual | Manual |
| Operational Security | Security Event Logging, Reviewing and Alerting | Control 20 | Fully Automated | Partial Automated |
| Operational Security | Information Security Risk Management | Control 21 | Manual | Manual |
| Operational Security | Information Security Risk Management | Control 22 | Manual | Manual |
| Operational Security | Information Security Risk Management | Control 23 | Manual | Manual |
| Operational Security | Information Security Risk Management | Control 24 | Manual | Manual |
| Operational Security | Security Incident Response | Control 25 | Manual | Manual |
| Operational Security | Security Incident Response | Control 26 | Manual | Manual |
| Operational Security | Security Incident Response | Control 27 | Manual | Manual |
| Operational Security | Business Continuity Plan (BCP) and Disaster Recovery Plan | Control 28 | Automated Evidence Collection | Manual |
| Operational Security | Business Continuity Plan (BCP) and Disaster Recovery Plan | Control 29 | Automated Evidence Collection | Manual |
| Operational Security | Business Continuity Plan (BCP) and Disaster Recovery Plan | Control 30 | Manual | Manual |
| Data Handling Security & Privacy | Data in Transit | Control 1 | Fully Automated | Fully Automated |
| Data Handling Security & Privacy | Data in Transit | Control 2 | Fully Automated | Fully Automated |
| Data Handling Security & Privacy | Data At Rest | Control 3 | Fully Automated | Fully Automated |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 4 | Manual | Manual |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 5 | Manual | Manual |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 6 | Automated Evidence Collection | Manual |
| Data Handling Security & Privacy | Data Retention, Back-up and Disposal | Control 7 | Partial Automated | Manual |
| Data Handling Security & Privacy | Data Access Management | Control 8 | Automated Evidence Collection | Manual |
| Data Handling Security & Privacy | Data Access Management | Control 9 | Manual | Manual |
| Data Handling Security & Privacy | Privacy | Control 10 | Manual | Manual |
| Data Handling Security & Privacy | Privacy | Control 11 | Automated Evidence Collection | Manual |
| Data Handling Security & Privacy | GDPR | Control 12 | Automated Evidence Collection | Manual |
| Data Handling Security & Privacy | GDPR | Control 13 | Manual | Manual |
| Data Handling Security & Privacy | HIPAA | Control 14 | Manual | Manual |
| Data Handling Security & Privacy | HIPAA | Control 15 | Manual | Manual |
Note
ACAT Automation Status expresses what automation extent can ACAT help you prepare the compliance evidence for a control.
- Manual: You are required to manually prepare all compliance evidence for each customer responsibility under this control.
- Partial Automated: This control has a mix of customer responsibilities, including automated assessments, automated evidence collection, and manual customer responsibilities. You need to remediate any failed customer responsibilities and leverage the automated evidence collection feature for evidence gathering. For manual responsibilities, ensure to provide the necessary compliance evidence and upload it to the ACAT.
- Fully Automated: All the customer responsibilities under this control are either automated assessment customer responsibilities or automated evidence collection customer responsibilities.
Why is the customer responsibility failed?
There are several potential reasons of failed customer responsibility:
- It's highly recommended to complete the application configuration settings first, as ACAT adjusts default status of certain controls based on your configuration.
- For manual customer responsibility cases, the default status is set to 'failed' as a reminder to follow the sample evidence guide to collect and upload evidence manually.
- For automated evidence collection customer responsibility cases, you could adopt ACAT solution in
Remidiation stepsfor each customer responsibility and then trigger ACAT to collect evidence automatically. Alternatively, you could follow the sample evidence guide to collect and upload evidence manually for your own solution. - For automated assessment customer responsibility cases, you could either follow the ACAT solutions in
Remidiation stepsfor each customer responsibility or follow the sample evidence guide to collect and upload evidence manually for your own solution.
Tip
Resolving all failures in ACAT is not mandatory. You may choose to retain the 'failed' status in ACAT and instead upload your own evidence in Partner Center after initiating a certification review. This will allow you to discuss any issues or questions for specific control with your auditor first.
Why does ACAT display a warning message asking me to confirm changes to the application configuration settings?
The application configuration setting is important because ACAT adjusts default status of certain controls based on your configuration, for example, some controls are changed to 'N/A' status by default.
When you change the application configuration settings, ACAT verifies them against the cloud resources you selected and displays a warning message if your configuration might be incorrect. The certification reviewer also reviews these settings during the Initial Document Submission stage of Microsoft 365 Certification.
I made the suggested changes base on the remediation suggestion, yet the control is still failing
After taking corrective action to address the failure, please allow ACAT time to retrieve updated assessment results for control status. Assessments are conducted every 24 hours, according to your predetermined trigger time.
Is the evidence stored in ACAT?
Before uploading evidence to ACAT manually or allowing ACAT to collect evidence automatically, you're prompted to configure your own storage account as the evidence repository through the Evidence Repository setting. All evidence is stored in your designated storage account. Once you submit the Microsoft 365 Certification review in Partner Center, selecting a specific ACAT report, ACAT helps submitting the ACAT compliance report, automatically collected evidence, and manually uploaded evidence to the certification reviewer automatically.
How is the compliance report used in the certification process?
ACAT is seamlessly integrated with Partner Center to complete your Microsoft 365 Certification journey. Learn more about how to use compliance report to accelerate Microsoft 365 Certification