Share via


Keep Microsoft 365 Application Compliant Continuously with App Compliance Automation Tool for Microsoft 365

The Microsoft 365 App Compliance Automation Tool (ACAT) streamlines the essential controls for the Microsoft 365 Certification. Keep continuous compliance for your Microsoft 365 application using ACAT. Stay updated on compliance failures through notifications and seamlessly integrate ACAT into your Continuous Integration/Continuous Deployment pipeline.

Note

ACAT is currently in public preview and only supports applications built on Azure. Future updates will include functionality for apps built on non-Microsoft hosted cloud services. For any feedback on ACAT public preview, please complete this form. An ACAT product team specialist will follow up with you as soon as possible.

Get the latest control assessment of your compliance report via notifications

After you create a compliance report for your Microsoft 365 application or environment, ACAT automatically collects compliance data and conducts daily control assessments. Additionally, you can receive notifications for any changes in report settings or assessments.

Get notifications with webhook

Create a webhook to receive notifications from ACAT.

  • Go to Reports on the left.

  • Open the report that you would like to receive notifications for.

  • Select Notifications from the toolbar.

  • Select Create notification and then choose Webhook

    • Webhook name: This is the unique identifier of the webhook within this report.
    • Payload URL: The payload URL is the URL of the server that receives webhook POST requests from ACAT.
    • Content type: ACAT currently only supports the application/json content type, which delivers the JSON payload directly as the body of the POST request.
    • Secret: Setting a webhook secret allows you to ensure that POST requests sent to the payload URL are from ACAT. When the secret is set, ACAT uses it to create a hash signature with each payload. This hash signature is included with the headers of each request as x-acat-signature-256.
    • SSL verification: SSL verification would only display when your payload URL is a secure site (HTTPS), and it helps ensure that payloads are delivered to your payload URL securely. We recommend keeping Enable SSL verification selected.
    • Trigger events: Subscribe to ACAT events to get notifications.

    Create webhook notification

    Tip

    Learn more about webhook payload.

Get quick compliance evaluation in Continuous Integration/Continuous Deployment pipeline

In addition to regular portal usage and receiving up-to-date notifications, ACAT can perform a quick compliance evaluation within your Continuous Integration/Continuous Deployment (CI/CD) pipeline. Ensuring the continuous compliance of your Microsoft 365 application.

In ACAT, control assessments are structured compliance assessments categorized according to Microsoft 365 Certification security domains, control families, and individual controls. To initiate a control assessments within ACAT raw compliance data must be gathered. However, some of this raw compliance information may not be readily accessible from a technical perspective. To address this challenge, ACAT introduces a concept known as 'quick compliance evaluation.' This feature is designed to provide a rapid assessment of compliance status, allowing for the immediate collection of essential raw compliance data.

The implementation of quick compliance evaluation serves two purposes:

  • Timely Insights: facilitates real-time understanding of your compliance posture, giving visability into an application's adherence to security standards and best practices.
  • Seamless Integration: Quick compliance evaluation can seamlessly integrate into your CI/CD pipeline, ensuring your applications remain robust and aligned with compliance requirements.

Integration with CI/CD pipeline by GitHub Actions

Quick compliance evaluations are available in the CI/CD pipeline using the Microsoft 365 certification quick evaluation GitHub Action. There are two posible uses for this GitHub Action:

  • Leverage the latest deployment in the CI/CD pipeline as the definitive state for the application: ACAT conducts quick compliance evaluations based on the most recent deployment within the pipeline. Additionally, you have the option to request ACAT to refresh a corresponding compliance reports based on this deployment, granting you comprehensive control assessments with daily updates.
  • Rely on an existing compliance report as reference for the application.** ACAT utilizes the resources defined in an existing compliance report to perform the quick compliance evaluation.

Integration with CI/CD pipeline through ACAT REST API

Get quick compliance evaluations in CI/CD pipeline through ACAT REST API.

  • Connect to Azure resources with Service Principal Authentication. Follow this guide to learn how to create a service principal that can access resources. Once the service principal is created, follow the guidance from your pipeline tool to store the credentials. For example, connect to Microsoft Azure with an ARM service connection.

  • Get the list of resources that you would like to use for the quick compliance evaluation.

    $resourceGroupName
    $deploymentName
    
    $resourceIds = @()
    Get-AzResourceGroupDeploymentOperation `
        -ResourceGroupName $resourceGroupName `
        -Name $deploymentName `
    | ForEach-Object {
        if (![String]::IsNullOrEmpty($_.TargetResource)) {
            $resourceIds += $_.TargetResource
        }
    }
    
    • To acquire resources based on cloud resource management policy (for example, resources with specific tags, resources in particular resource groups, etc.), Review the Azure PowerShell - Get-AzResource.
    # Get resources with same tag
    $key = "<key-of-your-tag>"
    $value = "<value-of-your-tag>"
    
    $resourceIds = (Get-AzResource -TagName $key -TagValue $value).ResourceId
    
    try {
        $token = "<your-Azure-credentials>"
        $reportName = "<report-name>"
        $apiVersion = "2023-02-15-preview"
    
        $header = @{}
        $header["Authorization"] = $token
        $header["x-ms-aad-user-token"] = $token
        $header["accept"] = "application/json"
    
        $uri = "https://management.azure.com/providers/Microsoft.AppComplianceAutomation/reports/" + $reportName + "?api-version=" + $apiVersion
        $response = Invoke-WebRequest $uri `
            -Method GET `
            -Headers $header `
            -ContentType "application/json" `
            -Verbose `
            -UseBasicParsing
    
        $resourceIds = @()
        if ($response.StatusCode -ne 200) {
            Write-Host "Failed to get resources from compliance report: $response"
            return 
        }
    
        $resources = $response.Content | ConvertFrom-Json
        $resourceIds = $resources.properties.resources.resourceId
    }
    catch {
        Write-Output "Failed to get resources from compliance report with exception: $_"
    }
    
  • Use the triggerEvaluation API to get a quick compliance evaluation for the given resources.

try {
    $token = "<your-Azure-credentials>"
    $resourceIds = "<resource-ids-from-previous-step>"
    $apiVersion = "2023-02-15-preview"

    $header = @{}
    $header["Authorization"] = $token
    $header["x-ms-aad-user-token"] = $token
    $header["accept"] = "application/json"

    $body = @{resourceIds = $resourceIds }

    $uri = "https://management.azure.com/providers/Microsoft.AppComplianceAutomation/triggerEvaluation?api-version=$apiVersion"
    $response = Invoke-WebRequest $uri `
        -Method POST `
        -Headers $header `
        -ContentType "application/json" `
        -Body (ConvertTo-Json $body -Depth 8) `
        -Verbose `
        -UseBasicParsing
    
    # The triggerEvaluation API is asynchronous. Therefore, you need to pull the status to check whether it is completed. 
    # StatusCode 200: OK. The response indicates the quick compliance evaluation for given resource ids is completed.
    # StatusCode 202: Accepted. The response indicates the quick compliance evaluation for given resource ids is triggered and performing in backend. 
    if ($response.StatusCode -eq 200) {
        $result = $response.Content | ConvertFrom-Json
        Write-Host "Successfully get evaluation result:$result"
        return $result
    }
    elseif ($response.StatusCode -eq 202) {
        $retry_url = $response.Headers["Location"]

        do {
            Start-Sleep 10
            Write-Host "retry_url: $retry_url"
            $opResponse = Invoke-WebRequest `
                -Uri $retry_url `
                -ContentType "application/json" `
                -Verbose `
                -Method GET `
                -Headers $header `
                -UseBasicParsing

            if ($opResponse.StatusCode -eq 200) {
                $opResult = $opResponse.Content | ConvertFrom-Json
                Write-Host "Successfully get evaluation result: $opResult"
                return $opResult
            }
            elseif ($opResponse.StatusCode -eq 202) {
                continue
            }
            else {
                Write-Host "Failed to get evaluation result"
                break
            }
        } while ($true)
    }
    else {
        Write-Host "Failed to get compliance evaluation with triggerEvaluation API: $response"
    }
}
catch {
    Write-Output "Failed to get quick compliance assessment with exception: $_"
}
  • Get the quick compliance evaluation from the result of triggerEvaluation API.

Reference

Webhook payloads

For the ACAT webhook payloads for each event, they contain some common properties.

Key

Required?

Type

Description

EventDesc

Yes

String

Specific event that triggers the notification.

Message

Yes

String

The content of the notification. It usually contains the report name as the unique identifier and the timestamp when this event happens.

Details

No

String

This is JSON format content that contains the details of this notification. Taking the control assessments failure as an example, the details include all failed customer responsibilities for each control and affected resources.

ACAT REST API triggerEvaluation

API Name: triggerEvaluation

  • Service: App Compliance Automation
  • API Version: 2023-02-15-preview

Get quick compliance evaluation for given resources.

POST https://management.azure.com/providers/Microsoft.AppComplianceAutomation/triggerEvaluation?api-version=2023-02-15-preview
URI Parameters

Name

In

Required

Type

Description

api-version

query

True

string

The API version to use for this operation. You can use "2023-02-15-preview"

Request Header

Name

In

Required

Type

Description

Authorization

head

True

string

Bearer + " " + Access Token

x-ms-aad-user-token

head

True

string

Bearer + " " + Access Token

Content-Type

head

True

string

value: "application/json"

Request Body

Name

Required

Type

Description

resourceIds

True

string array

List of resource IDs to be evaluated

Responses Header

Name

Type

Description

200 OK

The response indicates the quick compliance evaluation for given resource IDs is completed.

202 Accepted

The response indicates the quick compliance evaluation for given resource ids is triggered and performing in backend.

Other Status Codes

ErrorResponse

Error response.

TriggerEvaluationResponse

Name

Type

Description

triggerTime

string

The time when the evaluation is triggered.

evaluationEndTime

string

The time when the evaluation is end.

resourceIds

string[]

List of resource IDs to be evaluated

quickAssessments

List of quick assessments

QuickAssessment

Name

Type

Description

resourceId

string

Resource ID

responsibilityId

string

Responsibility ID

timestamp

string

The timestamp of resource creation (UTC).

resourceStatus

ResourceStatus

Quick assessment status.

displayName

string

Quick assessment display name.

description

string

Description of quick assessments.

remediationLink

string

Link to remediation steps for this quick assessment.