What is Publisher Attestation?
Publisher Attestation is a way for app developers to show customers how their app handles security, data, and compliance. It is a self-assessment where the app developer answers questions about the app’s security attributes and data-handling practices. Microsoft publishes this information for customers to evaluate the app before enabling it for their organization.
Program Benefits
Publisher Attestation has many benefits for app developers, such as:
- Increased trust and transparency for customers.
- Time savings and accelerated review process.
- Prerequisite for completing Microsoft 365 Certification.
- Specialized badging and filters to stand out in Microsoft 365 storefronts and admin centers.
- Most attestations can be completed in one hour or less, depending on the app framework.
Important
Microsoft does not independently verify the information submitted. The developer bears full responsibility for the accuracy and completeness of all data provided.
Publisher Attestation scope
The attestation process centers on an extensive questionnaire detailing an app's security, data handling, and compliance attributes. The information provided covers the entire app functionality that is exposed when the app is activated in the Microsoft 365 platform and includes the following:
- Data Handling: How an app collects and stores organizational data, and what control an organization has over that data.
- Security: The protocols, processes, and procedures that an app has to protect data and detect and repel cyber-attacks.
- Compliance: The app's adherence to required industry standards and specifications.
- Legal: The app's adherence to applicable legislative statutes and regulations.
Confirmation criteria
The attestation process evaluates an app's security, data handling, and compliance against more than 80 risk factors identified by Microsoft Defender for Cloud Apps.
- If the initial submission does not meet the required consistency and validation checks, attestation will not be approved.
- If incorrect or misleading information is found after approval, or if the app experiences a security failure, its attestation status may be revoked.
- In such cases, developers will receive detailed feedback to help resolve and correct any issues.
Eligibility
Publisher Attestation is available for Microsoft 365 add-ins and apps that integrate with the following applications:
- Word
- Excel
- Outlook
- PowerPoint
- OneNote
- Project
- Teams
- SharePoint
- Web apps - SaaS
Begin Publisher Attestation
- Complete the attestation questionnaire
  - Fill out the Publisher Attestation questionnaire in Partner Center.
  - Refer to the how-to guide for detailed instructions.
- Await review feedback and results
  - During the consistency-check review, Microsoft analysts will evaluate your submission.
  - If issues are found (e.g., missing or unclear data), developers will be contacted for clarification.
  - Analysts will maintain an activity log that tracks findings and required follow-ups.
  - Once all responses are deemed complete and acceptable, attestation will be approved.
  - Approved attestations remain valid for one year from the submission date.
Note
If updates or modifications are made to the app during the approval process, or if a notification is received regarding misinformation in the attestation submission, the developer must revise and resubmit the documentation.
- Access the online portal
  Once approved, your app will be listed in the Microsoft 365 Online Repository with:
  - A submission timestamp
  - A declaration of accuracy confirming that the information is based on the submitted attestation report
  Example: Microsoft Teams App Security and Compliance
- Annual renewal and re-submission
  - Publisher Attestation must be renewed every year.
  - As the expiration date approaches, a notification will be sent via Partner Center, reminding developers to resubmit.
  - If attestation is not renewed before expiration, the app's attestation status will be revoked, and its listing will be removed from Microsoft Docs.
Note
By participating in the Publisher Attestation program, you are agreeing to these supplemental terms and to comply with any accompanying documentation that applies to your participation in the Publisher Attestation program with Microsoft Corporation ("Microsoft", "we", "us", or "our"). You represent and warrant to us that you have the authority to accept these Publisher Attestation supplemental terms on behalf of yourself, a company, and/or other entity, as applicable. We may change, amend or terminate these supplemental terms at any time. Your continued participation in the Publisher Attestation program after any change or amendment means you agree to the new supplemental terms. If you do not agree to the new supplemental terms or if we terminate these terms, you must stop participating in the Publisher Attestation program.