Automate Microsoft 365 Certification with ACAT

The App Compliance Automation Tool (ACAT) can be used to meet a specific set of required controls for Microsoft 365 Certification. This article outlines how to use ACAT to expedite the Microsoft 365 Certification.

Note

ACAT is currently in public preview and only supports apps built on Microsoft Azure and Amazon Web Services (AWS). Future updates will include functionality for apps built on other clouds.

Note

If you would like to provide feedback on the ACAT public preview, please complete this form. The ACAT product team will follow up with you as soon as possible after receiving your message.

Create your first compliance report to onboard ACAT

ACAT gives added visibility into the compliance of an application via custom reporting. Users can create reports based on the cloud infrastructure or a specific environment of an app, for example, production, staging, etc.

  • Search and launch App Compliance Automation Tool for Microsoft 365 in Azure portal.
  • Select Reports on the left hand side of the screen.

Create compliance report

  • Select Create new report to create your first compliance report.

    • Basics
      • Report name: The compliance report must have a unique name within the tenant, consisting of a combination of numbers, letters, and underscores. It's advisable to include the specific app name or environment name in the report's name.
      • Trigger time: ACAT refreshes the compliance assessments for the report daily; you can set the specific time of day, in a designated time zone, at which the refresh runs.
      • Resources: Define the compliance boundary for your report by selecting resources from your cloud infrastructure. Use the filters to find the right resources, for example, subscription, resource group, and tags for Azure, or account ID and type for AWS.

    Tip

    You need to create a new connection with AWS, or reuse an existing one, before selecting AWS resources for the report.

    Basic configuration

    • Microsoft 365 Certification
      • Offer GUID: The offer GUID is the unique identifier of a marketplace offer in Microsoft Partner Center, and it's the key that connects the compliance report with your marketplace offers. After connecting the compliance report with marketplace offers, you can use the report to expedite the Microsoft 365 Certification process for those offers in Partner Center. Select Learn more to find out how to get your app's offer GUID. This step is optional during the initial report creation and can be configured when you start publishing your app.

    Microsoft 365 Certification configuration

Note

After confirming the configuration and creating the compliance report, ACAT will also complete these actions automatically to collect compliance-related data:

  • Enable the Microsoft Defender for Cloud (free tier) and Automation service (free) for your subscription.
  • Enable custom policies for your subscription.

Note

Kindly allow 24 hours for ACAT to generate the initial compliance assessments for your report based on your specified preferences.

Audit the compliance assessments with your compliance report

Review the run-time status of the compliance reports and conduct audits on compliance assessments.

  • Go to Reports on the left for a summary of existing compliance reports.

    • Run-time status shows the status of the most recent updates for compliance assessments:
      • Active: The compliance assessments for this report have been successfully updated.
      • Failed: ACAT encountered a failure in updating the compliance assessments during the most recent refresh. Failures may stem from incorrect subscription configurations or a system issue with ACAT. Refer to the self-recovery guidance provided to address and resolve the issue.
      • Disabled: The compliance report has been disabled (paused) manually by the user. This feature isn't currently enabled in public preview.
    • Created At: Shows when the compliance report was created.
    • Last trigger time and Next trigger time: ACAT updates compliance assessments for reports daily. The Last trigger time signifies when the last update was initiated, while the Next trigger time indicates the scheduled time for the next report update.
    • Microsoft 365 Certification: Review the compliance status of controls specific to Microsoft 365 Certification.

    Compliance report list

In addition to accessing high-level summaries of existing compliance reports, you can delve into the details of each compliance assessment. Select the report name to retrieve specific assessment details for a more thorough audit.

Compliance report toolbar

ACAT provides a toolbar that allows you to perform the following actions:

  • Settings: Modify the configuration of the compliance report.

    • Edit basic information: Edit the basic configuration of the report.
    • Edit resources: Add or remove resources based on the current cloud infrastructure.
    • Edit application configuration: Edit the application configuration to align your report with the appropriate control set. ACAT may adjust default status of certain controls based on your configuration, for example, some controls may be changed to 'N/A' status by default.
    • Edit Microsoft 365 Certification configuration: Configure offer GUIDs to associate the report with marketplace offers in Microsoft Partner Center.
    • Config evidence repository: Configure the evidence repository to store uploaded evidence.

    Report settings

  • Download report: Download assessments of the compliance report that can be shared with partners for collaboration.

    • Assessment report for Microsoft 365 Certification review (Analyst Edition): This PDF report organizes the compliance assessments by Microsoft 365 Certification controls. If you choose the ACAT compliance report during the Initial Document phase of App Compliance in Partner Center, it's automatically delivered to the analyst for review. Additionally, you have the option to download and manually upload it as evidence if needed.
    • Assessment report for engineer collaboration: This PDF report organizes the compliance assessments with internal information based on Microsoft Certification controls. It's utilized for internal team collaboration during compliance audits.
    • Assessment report for engineer collaboration: This Excel report contains resource level information and corresponding compliance assessments for internal team collaboration during compliance audits.
    • Cloud infrastructure inventory: This Excel report contains the resource details of this compliance report, providing a comprehensive description of the cloud inventory associated with your application.

    Download reports

  • Notifications: Get notifications of the compliance report settings change or control assessments status change. Learn more about how to receive notifications via webhook.

  • Integration with CI/CD pipeline: ACAT empowers you to maintain continuous and automated compliance for your application by seamlessly integrating with CI/CD pipelines. Learn more about how to integrate with GitHub Actions pipeline and how to integrate with other pipelines with REST APIs.

  • How to submit certification request with ACAT: Perform a quick check of whether this report is certification-ready and get guidance on how to use it for certification in Partner Center.

    Guidance on submitting a certification request with ACAT

  • View Architecture Diagram (preview): ACAT generates the architecture diagram for your reference based on Azure Resource Graph data.
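The CI/CD integration and the run-time status rules above (Partner Center only offers Active reports, and ACAT refreshes each report daily) can be turned into a pipeline gate. The following is an added example, not code from the ACAT documentation or product: it assumes that the ACAT list-reports REST call (ARM provider Microsoft.AppComplianceAutomation, API version 2024-06-27) returns a `value` array whose items carry `name` and `properties.status` / `properties.lastTriggerTime`; the report listing in the block is constructed sample data.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed endpoint and response schema; verify against the ACAT REST API reference.
ACAT_LIST_URL = ("https://management.azure.com/providers/"
                 "Microsoft.AppComplianceAutomation/reports?api-version=2024-06-27")

def fetch_reports(bearer_token: str) -> dict:
    """Fetch the report listing with an ARM access token (assumed request shape)."""
    req = urllib.request.Request(ACAT_LIST_URL,
                                 headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def _utc(stamp: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample listing."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_blocking_reports(listing: dict, now_utc: str,
                          stale_after: timedelta = timedelta(hours=26)) -> list:
    """Return (report name, reason) for every report that should fail the gate:
    a run-time status other than Active (Partner Center lists only Active reports),
    or an Active report whose daily refresh is overdue by more than stale_after."""
    now = _utc(now_utc)
    blocking = []
    for report in listing.get("value", []):
        name, props = report["name"], report.get("properties", {})
        status = props.get("status", "Unknown")
        if status != "Active":
            blocking.append((name, f"status is {status}"))
            continue
        last = props.get("lastTriggerTime")
        if last is None:
            blocking.append((name, "no refresh recorded"))
        elif now - _utc(last) > stale_after:
            hours = int(stale_after.total_seconds() // 3600)
            blocking.append((name, f"last refresh {last} is older than {hours}h"))
    return blocking

# Constructed sample listing and clock; not real ACAT output.
SAMPLE_NOW = "2024-05-02T12:00:00Z"
SAMPLE_LISTING = {"value": [
    {"name": "prod_app", "properties": {"status": "Active", "lastTriggerTime": "2024-05-02T02:00:00Z"}},
    {"name": "staging_app", "properties": {"status": "Failed", "lastTriggerTime": "2024-05-02T02:00:00Z"}},
    {"name": "old_app", "properties": {"status": "Active", "lastTriggerTime": "2024-04-29T02:00:00Z"}},
]}

if __name__ == "__main__":
    for name, reason in find_blocking_reports(SAMPLE_LISTING, SAMPLE_NOW):
        print(f"{name}: {reason}")
```

In a real pipeline, replace `SAMPLE_LISTING` with `fetch_reports(token)` and fail the job when the returned list is non-empty.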

ACAT empowers you to delve into more details about the report and compliance assessments.

  • Essentials indicates the status and the settings of the compliance report.

    Compliance report essentials

  • Control assessments - Microsoft 365 Certification view

    • Control assessments are organized by Microsoft 365 Certification security domains, control families and controls.
      • You can review the compliance status by customer responsibility at the individual control level.
      • Within the customer responsibility section, choose 'Actions' to access the compliance status of associated resources and discover remediation steps for any failed resources.
      • Use search and filters to find specific controls based on your needs.
        • Search the controls by control name or customer responsibility name.
        • Use Control family to filter by security domain or control family.
        • Use Control status to filter for current compliance failures.
        • Use Customer responsibility type to filter by ACAT automated CR type.
        • Use Cloud environment to filter customer responsibilities by cloud environment.
    • Learn more about compliance status for the control and customer responsibility.

    Compliance report assessments

Ensure a robust control set is the focal point of your compliance report

The Microsoft 365 Certification features an appropriate control set depending on the application configuration. You need to complete the application configuration to align your report with the appropriate control set before auditing the compliance assessments.

Address control requirements by submitting evidence for your compliance solution

In addition to following the remediation steps to address compliance failures, you can also fulfill compliance requirements by uploading evidence for your own solution.

To address privacy concerns, you need to configure the evidence repository initially. Create or select the storage account to store evidence for Microsoft 365 Certification controls securely. Once created, the storage account can be used for all reports.

After configuring the evidence repository, if you wish to fulfill manual control requirements or meet control criteria with your own solution, you can upload evidence to the respective customer responsibility. After uploading evidence to a customer responsibility, its compliance status will change to 'App compliance review required' automatically.

  • Select Actions on customer responsibility.

  • Expand the Upload evidence area.

  • Browse and upload your local evidence files.

  • Submit the evidence files to store them in the evidence repository.

    Upload evidence

For automated evidence collection customer responsibilities, if ACAT identifies supported resources in the resource list of your ACAT report, you don’t need to prepare evidence manually. Instead, ACAT can summarize the compliance data into an ACAT evidence file and upload it to your evidence repository.

  • Select an automated evidence collection customer responsibility.
  • Select Actions on customer responsibility.
  • Expand the Remediation steps area and review supported resource types that can be collected as evidence.
  • Expand the Upload evidence area, and select the Collect evidence by ACAT button. After evidence collection, the ACAT-collected evidence will appear in the file list below.
  • Review the ACAT-collected evidence and upload more evidence if necessary.

Auto collect evidence

Note

For different customer responsibilities, ACAT can collect evidence for different types of resources. However, if ACAT does not identify any supported resources in your report, you will need to prepare and upload the compliance evidence to ACAT manually. For more detailed instructions, refer to the Remediation steps section of each customer responsibility's Actions.

Caution

Due to privacy considerations, ACAT cannot automatically refresh the collected evidence. If the target resource changes after evidence has been collected, review the affected customer responsibilities and click the Collect evidence by ACAT button again to update the evidence gathered by ACAT.

Use your first compliance report with Microsoft 365 Certification audit

On the report toolbar, clicking How to submit certification request with ACAT guides you through the entire journey from ACAT to Microsoft 365 Certification.

Submit certification with ACAT

In general, before using the compliance report with Microsoft 365 Certification, you need to configure the offer GUID to associate it with your marketplace offers. There are two options:

  • During the creation process of the compliance report, configure the offer GUID in Microsoft 365 Certification tab.
  • If the compliance report is already created, go to Settings of this compliance report to configure the offer GUID.

Once the offer GUID is configured, go to the Microsoft Partner Center to initiate Microsoft 365 Certification.

  • In Initial Documentation select Yes to confirm you're using ACAT.
  • Select the most up to date active compliance report for the audit.

Microsoft 365 Certification submits the compliance assessments and your uploaded evidence to the certification auditors automatically, saving you time and effort.

Note

Only an active compliance report can be used for Microsoft 365 Certification review. So, if the expected report isn't in the list when you select a compliance report in Partner Center during the Microsoft 365 Certification process, check the run-time status of the report.

Note

If you have already uploaded evidence to the customer responsibilities, ACAT automatically delivers the uploaded evidence to the analyst for review when you move to the Control Requirements phase of Microsoft 365 Certification.

Get a high level overview of your compliance reports

Overview provides a high level status for your compliance reports. Learn more about run-time status of compliance report.

Overview of run-time status

  • Active Regulatory Compliance Reports: This overview gives you the compliance status for each Active report.

Overview of compliance status

Connect Other Environments with ACAT

Besides Azure, you can also connect other environments with ACAT, for example, connecting AWS for an application built on both Azure and AWS, or connecting GitHub to let ACAT collect evidence automatically. ACAT leads you to Microsoft Defender for Cloud to complete the connection.

Connect with AWS

  • Go to Environment settings on the left to browse all existing connections.
  • Select Add environment and then choose Amazon Web Services to create a connector with AWS. For more details, see Connect AWS accounts to Microsoft Defender for Cloud.
  • Once this connector is ready, you can select AWS resources when creating the compliance report.

Learn more