Azure Expert MSP Full Audit Process and Checklist - V2
Valid
July 1, 2022 – December 31, 2022
Published July 1, 2022. Not applicable for audits taking place outside of date range stated above.
This document is subject to change.
Table of Contents
Introduction
Definition of an Azure Expert MSP
Program Process
Find your application status for the Azure Expert MSP program
Timing Considerations
Process Overview
Renewal Cycle
Program Pre-Requisites and Requirements
Azure Expert MSP Application Requirements
Audit Process
Audit Phases
Glossary and audit phases and roles
Glossary
Roles
Payment Terms and Conditions
Pricing Schedule
Payment Terms
Scoring Methodology
Sample audit Score
Azure Expert MSP audit checklist
Audit Terms and Definitions
FAQ
Updates to this document from V1.9 Checklist
Introduction
Azure Expert MSP is a program available as part of the Microsoft Partner Network. The program is
designed to ensure that customers and Microsoft field personnel can connect with the most capable Azure
managed service providers to meet specific business needs, with the following goals:
• Make the most relevant and capable managed services partners discoverable to customers.
• Recognize partners’ proven capabilities and specialization in harnessing Azure services in tandem with
their service management expertise to deliver business solutions for their customers.
• Differentiate MSPs who have passed a rigorous audit of their IT service management capabilities (across
people, process, and technology), and have demonstrated an ability to deliver consistent, repeatable
high-fidelity managed services on Azure.
The Azure Expert MSP program is designed for partners who offer full lifecycle managed services to customers.
It is not suited to partners who offer or deliver managed services through an indirect channel.
Microsoft employs an independent third-party audit company to assess compliance against the Azure Expert
MSP audit requirements. The Azure Expert MSP audit is a systematic, independent, and documented process
for obtaining evidence and evaluating objectively to determine the extent to which audit criteria are met.
This document defines the requirements for the Azure Expert MSP program and provides guidelines for the
auditing process.
Azure Expert MSP status is aimed at partners who already have an established Azure managed services practice
and have a minimum of 25 customers using their cloud management platform for the provisioning and
management of services.
Azure Expert MSPs are a highly evolved group of managed services partners. The core of an Azure Expert MSP’s
business places a significantly higher focus on “Automation & Dev-Ops” than traditional MSPs, who focus on
the people & processes associated with the customer lifecycle. Azure Expert MSPs are highly technical
organizations with skillsets across DevOps/Sysops, architecting cloud solutions and technical professional
consulting. An Azure Expert MSP pivots on business outcomes of their customers’ solutions and applications,
and not on workloads or offers.
An Azure Expert MSP must offer repeatable, highly automated solutions to enable and support hyper-scale
cloud implementations. Their service follows an agile customer-driven design, and mixes consultancy,
migration, and management to evolve a customer from a “Design, Build, Operate” process to a dynamic
“Design, Optimize, Transform” cycle. Focus is on creating end-user value through business value metrics, SLAs,
resiliency, and continual optimization to drive outcomes for customers.
Program Process
Find your application status for the Azure Expert MSP program
Timing Considerations
Partners must meet all pre-requisites and submit admissible customer evidence before they can schedule their
audit.
IMPORTANT NOTE: Partners will be audited against the version of the audit checklist that
is current at the time of their audit, irrespective of the date they began their application.
Audit checklists are updated twice per year. The last day to apply for the program to
guarantee that you can audit against the current version of the checklist is 60 days before
the end of the effective date window for the current checklist.
Customer evidence phase reviews could require up to 30 days to be processed upon partner submission. If the
partner does not submit admissible customer evidence within 30 days upon initial customer evidence
submission, then their application will expire, and they will need to re-start the application process and
re-submit entirely.
Partners new to the program have 120 days from the date of notification of a successful customer evidence
phase application to schedule and complete the audit, including any gap review required in order to consider
the audit complete. We ask that partners schedule their audits no later than 90 days into their 120-day window.
Audits must be scheduled at least 30 days in advance and are subject to auditor availability.
Partners renewing into the program have 75 days to complete their application and audit, including gap
review, starting 45 days before their anniversary date and ending 30 days after their anniversary date. We ask
that renewing partners schedule audits no later than 20 days after their anniversary date.
Process Overview
Microsoft uses an independent third-party audit company, Information Security Systems International, LLC
(ISSI), to schedule and conduct Azure MSP audits.
Recommended: Please review the audit checklist thoroughly and do not begin your
application unless you are ready to undertake the audit. All pre-requisites must be met
before you can begin your application.
2. Review and validate customer evidence. Advise the partner that their customer evidence phase is complete, and they are approved to progress to the audit phase. Owner: Microsoft
3. Confirm to 3rd party audit company that partner is eligible for audit. Owner: Microsoft
4. Schedule and confirm audit within 48 hours. Owner: ISSI and Partner
5. Conduct pre-audit assessment (can take place before application if desired, pre-audit assessment can be waived if partner engages 3rd party auditor for consulting). Owner: ISSI
6. For new audits, conduct the audit within 120 days of the approval for audit date. If renewing, the audit window is 75 days, starting 45 days before the partner’s anniversary date. Audit should be scheduled with at least 30 days remaining in the 120-day new partner audit window or 15 days remaining in the 75 day renewal audit periods. Owner: ISSI
7. Provide gap report to partner listing open action items*. Owner: ISSI
8. Provide your assigned auditor any responses to open action items in gap review meeting, required*. Owner: Partner
9. Submit Final Report to partner and Pass or No Pass Report to Microsoft. Owner: ISSI
10. Confirm all requirements have been met for Azure Expert MSP Program and update partner on membership status. Owner: Microsoft
*These steps will be skipped if the partner has no open action items after the audit. If required, all steps related to
the gap assessment must be completed within the 120-day audit period. Microsoft must receive the partner’s pass
report within 120 days of approval to audit. If renewing, the audit, all gap assessment actions, and the pass report
must be completed within the 75-day renewal window.
Renewal Cycle
To retain Azure Expert MSP status, partners must continue to meet all pre-requisites annually, understanding
that the pre-requisites and the audit checklist are updated twice annually as mentioned, in order to reflect
technology and market advances.
Renewing partners must complete the pre-requisites, customer evidence and audit phases within the renewal
window for both progress audits and full audits. The renewal window opens 45 days ahead of each partner’s
anniversary date and closes 30 days after. All three phases must be completed within this window. We
encourage all partners to start the renewal process as soon as the renewal window opens.
Renewing partners will be required to undergo a progress audit in subsequent years once annually till the third
consecutive year of membership in the program. The progress audit will focus on (but is not limited to):
• Changes and improvements to the partner’s managed services operations and activities
• Any new Azure Expert MSP Program Requirements added to this document since the previous audit
• Validation of any new tools implemented since the last audit
Requirement Description
ACR is calculated at a virtual organization (VORG) parent level. We will not combine
ACR from multiple VORGs to calculate ACR. The minimum ACR monthly consumption
revenue requirement must be met for 3 consecutive months to be considered
monthly run-rate (MRR).
Requirement: Support Contract
Description: Partner must have either Advanced Support for Partners or Premier Support for
Partners covering Azure. More information is available here:
https://partner.microsoft.com/support/partnersupport

Requirement: Marketing Presence on one of the qualifying Microsoft Sites
Description: Partner must have an Azure focused Consulting Services offering published in one of
the qualifying Microsoft sites here:
• AppSource
• Azure Marketplace

Requirement: Marketing of Azure MSP offerings on partner sites
Description: Please submit the URL for the website where your Azure MSP solution is marketed
as part of your customer evidence:
https://partner.microsoft.com/dashboard/mpn/program/azureexpertmsp

Requirement: Must have a CSP contract in place
Description: CSP Direct Reseller and CSP Indirect Reseller contracts are accepted. CSP Indirect
Provider does not qualify.
Find out more: https://partner.microsoft.com/cloud-solution-provider

Requirement: Certified Staff
Description: Partner must have a minimum total of 15 FTE individuals who are employed by the
company, and who each have completed one of the qualifying exams and
certifications.
While retired exams are valid for 1 year post retirement, new and renewing partners
will be expected and encouraged to undertake the latest exams in market at the time
of their application or re-application.

Requirement: Customer Evidence
Description: Partner must provide evidence of four (4) Azure customer references, including one
(1) public reference with a published case study. Customer references must be for
customer engagements started no longer than 12 months prior to the Azure Expert
MSP program application date.
All customer evidence must meet the minimum standard as outlined in the
templates available on the application form:
https://partner.microsoft.com/dashboard/mpn/program/azureexpertmsp
Audit Process
Audit Phases
• Audit scheduling phase
• Pre-audit assessment phase
• Audit phase
• Gap review phase
Once a partner meets all program pre-requisites and customer evidence requirements, Microsoft will pass
their details to the audit company.
Partners will receive a communication from the auditor asking them to propose dates for their pre-audit
assessment and audit.
Note: partners cannot schedule their pre-audit assessment or audit until they have met all other program
pre-requisites and customer evidence requirements (see program pre-requisites).
The audit company will make every effort to accommodate the partner’s requested audit date and will
attempt to schedule an auditor in the region closest to the onsite audit location to minimize travel costs if
audit is onsite. Once the date and auditor are confirmed, the partner will be provided with a detailed
confirmation for the audit day(s).
Audits must be booked a minimum of 30 calendar days in advance. Partners have a maximum of 120
calendar days from notification of a successful application to schedule and complete their audit, including
any gap review required as a result of the audit and sufficient time for ISSI to send and Microsoft to receive
and review the final audit report.
Prior to the pre-audit assessment, the partner is expected to review the audit checklist and prepare
questions for the auditor around the audit process. The intention of the pre-audit assessment is to enable
the partner to have a general discussion about the audit scope, expectations, and guidance on who should
present required evidence during the audit, ensuring you are adequately prepared.
* Please note there is a cost associated with the pre-audit assessment and audit. See Payment Terms and Conditions
The pre-audit assessment is mandatory for the full audit. The pre-audit assessment may be waived if the
partner engages with ISSI for consulting.
Note: pre-audit assessments for audits may not be scheduled before all pre-requisites are met.
During a progress audit, pre-audit assessments may be scheduled at any time after release of the checklist.
Partners work directly with ISSI to schedule this remote session (online web conference) which covers the
following:
• The audit is conducted using your preferred conferencing platform. The duration is typically 6-8 hours.
• Partners review the full audit requirements and discuss the required evidence with an experienced MSP
auditor
• To ensure objectivity, the audit is conducted by someone other than your assigned auditor
• Partners receive a written report detailing discussions from the pre-audit assessment
• It is recommended to schedule this session at least three (3) weeks prior to your full audit
* Please note there is a cost associated with the pre-audit assessment. See Payment Terms and Conditions
Audit phase
Prior to the full audit, the partner is expected to have undertaken a thorough review of the audit checklist,
compiled all required evidence, and ensured the right subject matter experts are available to present the
required evidence. This is often a significant undertaking, requiring several hundreds of man-hours of
preparation.
The Azure MSP audit is conducted over two days, onsite at the partner’s nominated cloud operations center
or online using Microsoft Teams until pandemic related restrictions are lifted.
An agenda will be provided to the partner upon confirmation of the audit date. During the audit, the partner
must provide access to the appropriate personnel who can discuss and disclose evidence to demonstrate
compliance to program requirements. Subject matter experts (SMEs) for each section are highly
recommended to attend.
On the day of the audit, the partner must be prepared to provide the auditor with access to live
demonstrations, documents, and personnel as necessary to demonstrate compliance to requirements.
During the audit, the auditor will seek to verify whether the partner can provide satisfactory evidence to show
they meet all required audit checklist items.
The partner will receive a gap report detailing the open action items with the required outstanding evidence
within 48 business hours from the audit. Upon receipt of the gap report, the partner has 48 business hours to
acknowledge receipt and schedule a gap review meeting. The gap review meeting is conducted over Microsoft
Teams with the auditor and must take place within thirty (30) calendar days of when the gap report was sent,
and last no more than three (3) hours. During the gap review meeting the partner must present evidence to
address all the open action items.
There are two possible outcomes at the end of the gap review meeting:
(1) The partner passes the audit:
a. The auditor will confirm the partner has satisfied the required evidence during the gap review
meeting
b. The auditor will provide a final report to the partner
c. The auditor will send a pass report to Microsoft (subject to Payment Terms and Conditions)
(2) The partner does not satisfy all checklist items during the gap review meeting:
a. The auditor will present a brief synopsis of the audit, including missed items
b. The partner will receive a final report detailing the missed items
c. The auditor will send a no pass report to Microsoft
If the partner is still unable to provide evidence that satisfies the auditor during their gap review meeting,
they will be deemed to have failed the audit and will need to begin the application process again.
Glossary
Pre-audit assessment
Audit
Opportunities for Improvement
Open Action Items
Gap Report
Gap review meeting
Missed Items
Final Report
Pass Report
No Pass Report
NOTE: Renewing partners should refer to the progress audit checklist for stages and timings. The
information below refers to full audits only.
Pre-audit assessment
A one-day remote assessment checking partner understanding for audit and giving guidance on preparation
for the audit.
Audit
Two-day audit. Carried out by a qualified ISSI auditor at the partner’s primary Cloud Operations Center or via
Microsoft Teams until pandemic restrictions are lifted. Partners must present evidence for 100% of Category 0
and Category 1 checklist items. Partners may choose not to present evidence for 100% of Category 2 or
Category 3 checklist items, but they must still meet the minimum pass threshold for these categories (See
Scoring).
Gap Report
Open Action Items are listed in the Gap Report, which will be sent to partners within 48 business hours of their
Evidence Review Meeting. The Gap Report will detail all Open Action Items and the evidence still
required. Partners have 48 business hours to acknowledge receipt and to schedule a gap review meeting. The
gap review meeting must take place within thirty (30) calendar days of the Gap Report being issued. Note: Only
checklist items from Category 1, 2 and 3 may be recorded as Open Action Items. Partners must pass 100% of all
Category 0 checklist items during the audit.
Missed Items
If the auditor deems that the partner has failed to demonstrate the required evidence for an audit checklist
item during the gap review meeting, these will be recorded as missed items and will be included in the Final
Report.
Final Report
The Final Report is provided to the partner and denotes whether they earn a Pass or No Pass in the audit. Final
Reports showing a “Pass” can be issued at the end of either the audit or the gap review meeting. Final Reports
showing a “No Pass” will be issued after the gap review meeting, or in the case where a partner chooses not to
proceed to a gap review meeting or fails to acknowledge receipt of the Gap Report within the specified duration
of time.
Pass Report
The Pass Report is a summary report sent to Microsoft indicating the partner’s overall scores for each category
and section and indicates a “Pass” status.
No Pass Report
The No Pass Report is a summary report sent to Microsoft indicating the partner’s overall scores for each
category and section and indicates a “No Pass” status.
Roles
Role of the Auditor
It is the role of the auditor to review submitted evidence and objectively assess if the evidence provided
satisfies the audit checklist requirements. The auditor will select and evaluate evidence, based on samples of
the information available, from live systems. The appropriate use of such sampling is closely related to the
confidence that can be placed in the audit conclusions. All ISSI auditors are under nondisclosure agreement
(NDA) with Microsoft. Auditors will also comply with requests from partners to sign a direct NDA.
Pricing Schedule
Pre-audit assessment: USD$2,000
Audit: USD$6,000 + T&E
Payment Terms
The cost of the audit, and pre-audit assessment if selected, is payable in full to the audit company, and
must be settled before the audit or pre-audit assessment. Failure to pay will result in cancellation of the
audit.
Scoring Methodology
The audit checklist is comprised of 60 checklist items divided into 6 sections and 4 categories.
The partner score is based on the total number of Category 0, 1, 2, and 3 requirements verified.
Partners must meet the minimum scores by category to pass, whilst providing adequate evidence
demonstrating existence, effectiveness and efficiency of processes, policies, procedures, and tooling against
the checklist item being assessed.
The following table outlines the passing score criteria by each category listed in the audit checklist:
The following table illustrates a sample audit scorecard for demonstrating compliance across each of the
audit categories in the checklist:
Requirements Section: TOTAL
# of Requirements: 10, 36, 9, 5
Example minimum viable partner score: 10, 36, 7, 2
The Azure Expert MSP V2 checklist is made up of 60 checklist controls. For some controls, a reference customer
or customer evidence is required as part of the documentation requested. This is different from the customer
evidence supplied during the initial Customer Evidence phase of the application process. For audit evidence
relating to customer engagements, you must present evidence from different customers in each section
(1-6) – the same customer may not be used for evidence in more than one section except in controls 2.1
and 4.17 where customers used in other sections may be reused. Evidence from a minimum of 25 distinct
customers that have been actively managed for a minimum of 90 days as of the start of the audit process will
be required during the audit.
Partner must demonstrate business and financial health and must provide evidence of commitment to and
focus on providing Azure cloud managed services to customers
Partner roles required
Executive team, human resources, business development/sales/account managers, finance (CFO)
Requirement / Category / Met (Y/N)
1.1 Positioning and messaging of your Azure managed services offerings Category 1
Partner must provide an overview of their business, and their relationship with
Microsoft. The overview must address:
• Company history and structure
• Partner capabilities around Azure managed services
• Company resources utilized and invested towards your Azure managed
services practice covering people, processes, and technology
• Location of your primary cloud operations center(s), and all other secondary
facilities supporting your Azure managed service practice
• Revenues of Azure managed services compared to your overall business.
• Overview of your customer life-cycle management (e.g., automated
monitoring tools, provisioning and orchestration scripts, migration,
provisioning portals, billing management tools, IT service management tools
and framework etc.)
• Relevant strategic alliances and customer base (including targeted verticals)
• Competitive differentiation and ROI, quantitative business outcomes
• Include information on your business model (IaaS, SaaS, PaaS)
Required evidence:
Present to the auditor as if customer facing, and for no longer than 30 minutes.
Presentation content must include material used for customer presentations in the
last 12 months that represents your customer sales pitch.
Required evidence:
Records of company financial health from the previous fiscal year. Records
must include either Dun & Bradstreet Reports, Audited Financials, Paydex
scores, Risk Ratings, or third-party credit reporting agency reports.
1.3 Thought leadership Category 2
Partner must be able to provide examples of cloud managed services related
thought leadership.
Required evidence:
Examples of Thought Leadership published by Company and/or key personnel
within your organization. (e.g., LinkedIn articles, whitepapers, blogs, videos,
major conference presentations online, etc.) about Azure managed services,
current as of 18 months from the audit date.
1.4 Succession planning Category 1
Partner must be able to describe the following:
• Succession planning for key personnel within your Azure managed services
practice (e.g.: Azure practice lead or similar position onwards to rest of Azure
practice personnel)
• Approach to retain Azure managed service practice top talent
Required evidence:
Succession plan for key personnel within your Azure managed services practice
including those responsible for managing the managed service practice at the
leadership level.
1.5 Personnel training Category 0
Partner must select and train personnel as appropriate. Records must be
maintained.
Required evidence:
Evidence of personnel training plans and records. Partner must provide
evidence of documented training plans for internal personnel, including:
• New hire training requirements
• Ongoing training and sharing of best practices
• Training for sales and technical personnel on new products, protocols, and
features
• Solution selling to business decision makers
• Hiring and retention of Microsoft certified personnel
Required evidence:
Documented process, and the relevant evidence for managing the complete set of
services. Process must include methods for financial management, including
budgeting and pricing. Partners must have a clear pricing model, including
customer facing presentation on Azure Hybrid benefits. Consumption based,
tiering, flexible options for professional services.
1.7 Sales Support Materials Category 1
Partner must have material to support sales personnel, including:
• Azure practice website that can be accessed by the sales team containing
the services catalog and whitepapers
• Detailed Sales Processes
Required Evidence:
Documentation as described above or equivalent, that are used to support sales.
Evidence must cover the scope of all bullets listed above.
1.8 Partner Cloud Center of Excellence (CCoE). Category 1
A CCoE is a team of people dedicated to creating, evangelizing, and establishing
best practices, frameworks, and governance for evolving technology operations.
This team becomes a central force through which the organization can deliver
innovation and continuously evolve the way that it manages its customers in
Azure.
It is critical for an Azure Expert MSP to have developed and maintain a CCoE to
enable leveraging of best practices across the organization and across the breadth
of their offered services.
Required Evidence:
Evidence of a CCoE must be in the form of documented charter, organization
structure, functional roles, and operational process for the CCoE and how it
engages across the partner’s business. This should include evidence of two (2)
launched managed services offerings developed via the CCoE listed in partner
service catalog or customer facing materials, along with evidence of rollout of
offerings across the organization via Sales Support Materials.
Customers who are looking for service providers to move and manage their cloud estates require partners who
demonstrate breadth and depth of expertise in the range of services the cloud vendor offers. They must function
as a trusted advisor to lead customers on how best to uniquely use different Azure services and to architect
solutions that meet the customers’ business needs effectively and efficiently. Partners must demonstrate strong
capabilities to architect and deploy solutions on Azure (including automated provisioning/deprovisioning of
environments, resources, and services) and show evidence of being able to effectively monitor, govern and
operate these Azure estates on-behalf of their customers using Azure’s native capabilities, across the life cycle.
Partner roles required
Cloud solution architects, cloud/platform engineers, service engineers
Requirement / Category / Met (Y/N)
2.1 Azure Services Category 0
Customer objectives will determine which Azure services are used when designing and
building operationally sustainable solutions for the customer. Azure Expert MSPs must
demonstrate proficiency in core and fundamental Azure services so that they can
confidently lead customers during their cloud and transformation journey.
Customers should be able to either access the Cloud Management Portal or Azure portal
directly (governed via Policy, access control and other governance rules) to provision
these Azure services while still relying on the partner for on-going management,
support, and governance (optimal) or, have access to a well-defined catalog of Azure
services that the partner is able to deploy, support, manage and govern on-behalf-of the
customer (less optimal).
Required evidence:
Verifiable asset or demonstration that the partner can effectively use the specific Azure
capability/service either standalone or as part of a composite solution comprising
multiple Azure services:
• It is preferred that evidence of an active Azure services customer be used.
• Hypothetical use cases: If a required Azure Service is not currently being used by
an active customer, a use case / demonstration in a hypothetical customer
environment and/or test environment is required. These provide lesser points.
• Acceptable evidence includes a step-by-step walk through of how the partner
did provision (or would provision if hypothetical), configure, change/update and
delete the service, starting with Azure portal / partners’ service catalog / UI or CLI
/ Scripting and ARM Templates, moving on to showcase policy definitions
available/applicable in template form. This can be accompanied by architectural
designs as an option.
Scoring
• You must demonstrate evidence from a minimum of 25 distinct customers
throughout section 2.1
Azure Expert MSPs need to accumulate the minimum required points in this section for a
passing grade:
• The total minimum score required is 890 points – additional minimums per sub-
section and customer environment apply:
• Partners must register a score for each row in the table below that is marked
required. Only one score per row applies – either customer environment or
hypothetical use. Column scores cannot be added together in the same row. At
least one of the required pieces of evidence submitted in this section must
relate to Windows Server on-premises customer migration to Azure.
Required Evidence:
Implemented customer design
Partner evidence must include implemented customer design with demonstrated
production or test/UAT environments for Cloud DevOps ready and/or Cloud Native
applications. See audit terms section for cloud-native and cloud-DevOps-ready
definitions.
And
Documentation must include three (3) of the artifacts below:
• Project plan
• Functional specifications
• Architectural diagram
• Automated tooling reports
• Physical and logical diagrams
• UAT testing output
• Business Value Analysis
The partner must have identified and provided documented customer trade-offs in
the deployed design plan for the appropriate cloud-native or cloud-DevOps-ready
solutions when meeting the requirements of the customers' apps, and be able to
demonstrate two (2) of the following scenarios:
Module 3A
If a partner has passed Module A Cloud Foundation as part of an Azure advanced specialization audit, this
module is not required as part of this audit and can be skipped. This module is required if a partner has never
audited and passed Module A as part of an advanced specialization audit.
Requirement Category Met (Y/N)
3A.1 Strategy Category 1
(Previously 3.1)
Partner must have a defined approach for helping the customer evaluate
and define a cloud adoption strategy beyond an individual asset (app, VM,
or data).
• An initial total cost of ownership estimate and ROI for Azure, using the
Azure pricing calculator or other methodology from at least two (2)
customers.
•
• Options for long-term management or managed services to support
Azure services post deployment, whether it is to be delivered by the
same partner or not.
Required evidence:
A report, presentation, or document that captures strategic inputs and
decisions for two (2) Azure customers. The Strategy and Plan template in
the cloud adoption framework can serve as an example of one way to
present this data.
3A.2 Plan Category 1
(Previously 3.2)
Partner must have a consistent approach to planning for cloud adoption
based on the strategy.
Partner must have a process for assessing risks and potential roadblocks
during cloud adoption.
• Digital estate rationalization
• Organization alignment
• Skills readiness
Required evidence:
Links to completed SMART assessments for migration projects, or
output from similar assessment tooling, for two (2) Azure customer
projects.
3A.3 Azure landing zone Category 1
(Previously 3.3)
Partner must be able to demonstrate that the following design areas are
addressed through their landing zone implementation approach:
Repeatable deployment
The partner must demonstrate adherence to Azure landing zone design areas
through a repeatable deployment. The deployment should configure, at
minimum, the following identity, network, and resource organization attributes:
• Identity
o Adoption of identity management solutions, such as Azure
Active Directory or equivalent.
• Resource organization
o Implementation of tagging and naming standards during the
project.
The partner should be able to demonstrate which of the following
approaches they use when they deploy Azure landing zones:
1. Start small and expand: Azure landing zone does not deploy
governance or operations configurations, which are addressed
later in the implementation.
Required evidence:
Deployment evidence may be provided in the form of multiple different
deployments or scripts. The partner must be able to demonstrate repeatable
deployment of each landing zone requirement for at least two (2) unique
customers to pass this portion of the audit.
Required evidence:
Partner must demonstrate usage of tools, templates, or architecture
approaches used to implement at least three (3) of the governance
disciplines listed below, for two (2) Azure customer projects. A
combination of customer projects can be used to demonstrate the three
disciplines. The selected governance disciplines may be repeated across
the two (2) demonstrated customer projects.
1. Cost management
• Evidence: Cost Management service is turned on in Azure, or use
of a 3rd party service/tool that performs this
2. Security baseline
• Evidence: Security Center or Azure Sentinel service is turned on in
Azure, or use of a 3rd party service/tool that performs this
3. Identity baseline, for example:
• Evidence: RBAC or Azure Active Directory service is turned on, or
use of a 3rd party service/tool that performs this
4. Resource consistency, for example:
• Evidence: Use of Azure management groups and subscriptions,
Azure Blueprints, Azure Policy, or a 3rd party service/tool that
performs these tasks
5. Deployment automation
• Evidence: Use of deployment automation tooling, for example:
o Azure DevOps
o Azure Pipelines
o Infrastructure as code (Azure Resource Manager,
Terraform)
o GitHub Actions
o Jenkins
o Ansible
Required Evidence:
These capabilities must be demonstrated through a review of the systems
used to operate at least two (2) customers’ Azure environment. For
cloud-native operations, the partner must be able to demonstrate use of
Azure Monitor, Azure Log Analytics, Azure automation, update
management solution, change tracking & inventory solution, and Azure
Backup (or third party equivalent capable of accessing data from the Azure
environment.)
Note: For workloads or assets that don’t require persistent state or are
managed through DevOps pipelines, demonstration of the repeatable
deployment pipeline is sufficient to demonstrate operational compliance
and recoverability, as long as the partner can demonstrate regular
deployments from the referenced deployment pipeline.
Module 3B
All partners are required to take this module, regardless of previous or current active Azure advanced
specialization designations.
Requirement Category Met (Y/N)
3B.1 Adopt
Required evidence:
Description of design process and the relevant design documents, workflow
diagrams and evidence for at least two (2) unique projects to show the
entire design cycle. Evidence must also include ongoing assessments that are
scheduled with current customers and aligned to or similar to the best
practices and reference architectures described in the migration section of the
Cloud Adoption Framework (CAF).
3B.1.2 Assessment and design tools Category 1
Partner must demonstrate specific owned products/tools used during the
standard assessment and design, including for assessment of customer
infrastructure and processes, and for design and development of a migration
strategy.
Required evidence:
Demonstrations of products/tools and/or APIs used by partner for assessment
and design, including tools for discovery, assessment, and planning. The
auditor will also review use cases with at least three (3) customers to
demonstrate consistent use of best practices.
Either:
- Partners must prove experience using native Azure migration tools by
obtaining at least 100 points in the Migration Section 2.1
Or:
- Partners can leverage Microsoft or 3rd party tools that are mentioned on
the Azure Migration webpage. In this scenario, Partners can demonstrate
experience by either of the following:
o Referencing the tools used in three (3) Statements of Work to
assess viability of the customer migration to Azure provided
above.
OR
o Providing snapshots of results/output file from the tools that were
used to successfully complete the three (3) customer Cloud
Assessments above.
3B.1.3 Cloud migration practice for Azure Category 1
Partner must have a public facing webpage demonstrating cloud migration
approach and capability.
Required Evidence
Partner must demonstrate their publicly available website promoting the
cloud migration practice, which should mention migration to Azure.
The website must also contain or link to at least two (2) unique customer
case studies from at least two (2) migration scenarios listed below:
- Rehost Windows servers on Azure
- Rehost SQL on Azure
- Refactor SQL on Azure
- Rehost Linux servers on Azure
Required Evidence:
The partner must hold an active Windows Server and SQL Server Migration to
Microsoft Azure advanced specialization or an active Linux and OSS
Databases Migration to Microsoft Azure advanced specialization.
Or
Partner must provide description of infrastructure migration with relevant
migration design documents and completed migration records for three (3)
customer projects across both infrastructure migration scenarios below:
- Rehost Windows Servers on Azure
- Rehost Linux on Azure
Required evidence:
1. Partner must hold an active Windows Server and SQL Server Migration to
Microsoft Azure advanced specialization or an active Linux and OSS
Databases Migration to Microsoft Azure advanced specialization.
Or
2. Partner must provide description of database migration with relevant
migration design documents for at least two (2) projects from each of the
two scenarios below:
• Rehost SQL on Azure (to SQL IaaS)
• Replatform SQL on Azure (to SQL Database or SQL Managed Instance)
And
Also provide a minimum of two (2) projects from two (2) distinct
scenarios selected from the nine (9) migration scenarios highlighted
below:
- Rehost PostgreSQL on Azure
- Rehost MySQL on Azure
- Rehost MariaDB on Azure
- Refactor PostgreSQL on Azure
- Refactor MySQL on Azure
- Refactor MariaDB on Azure
- Rearchitect PostgreSQL on Azure
- Rearchitect MySQL on Azure
- Rearchitect MariaDB on Azure
The above evidence should total four (4) unique projects from a minimum of
two (2) customers.
Description of the mitigation plan, if any of the migration steps failed, and the
rollback strategy.
3B.1.6 Application migration Category 0
Partner must have documented and demonstrated application migration
capability. Design documents (provided in Section 3B.1.1) must include an
application migration overview that allows tooling to abstract application
deployment from infrastructure deployment, and allows customers to
independently or, in conjunction with the managed service, deploy and
configure their applications.
Required evidence:
Partner must hold an active Modernization of Web Applications in Microsoft
Azure or an active Kubernetes on Microsoft Azure advanced specialization.
Or
Partners must provide description of application migration with relevant
migration design documents for at least one (1) project from any one (1) of
the five (5) migration scenarios highlighted below:
- Refactor web applications on Azure
- Rearchitect web applications on Azure
- Rebuild web applications on Azure
- Rearchitect applications with Azure Kubernetes Service
- Rebuild applications with Azure Kubernetes Service and Azure Containers
3B.2 Governance
Required Evidence:
Documented Security Policies and Procedures (such as ensuring just-enough
and just-in-time access with multi-factor authentication implemented as
necessary for access to customer environments) and relevant evidence of
physical, network, server, and logical data security implementation.
OR
If the partner has an active ISO 27001 certification, proof of certification may
count as evidence.
3B.2.4 Review and testing of partner information security policies and Category 0
procedures
Required evidence:
Records of security policy review, approval, communication, and periodic
auditing/testing. Records of periodic auditing/testing must identify the item
under test, the results, and suggestions and recommendation for
improvement, as well as evidence of actions being taken.
OR
If the partner has an active ISO 27001 certification, proof of certification may
count as evidence.
3B.2.5 Account credential management Category 2
Partner must provide documentation of process and tools to demonstrate
how credentials and role-based access control for Azure related service
accounts are managed and secured (e.g., for monitoring, etc.), for customer
staff (where customer retains access to Azure resources), and/or for
authorized personnel of the partner. Specifically:
• Partners’ staff must use Role Based Access Control (RBAC) as defined
by Cloud Adoption Framework (LINK) for accessing customers’ Azure
environment
• RBAC for MSP staff should be applied towards precise customer scope
to be managed.
Required evidence:
Demonstrations of products/tools/process used for credential management,
as well as documented process flow and approval process
1. For at least two (2) customers, demonstrate two (2) of following three (3)
scenarios:
• The Owner role for accessing customers’ resources.
• The Contributor role for accessing customers’ resources.
• The Reader role for accessing customers’ resources.
2. For at least two (2) customers, demonstrate at least one (1) of the following:
• In ‘My Customer -Delegation’ pane in Azure Portal, enabled through Azure
Lighthouse, demonstrate access to different customers’ scopes, such as,
resource groups or subscriptions with different RBAC permissions as
defined in number 1 above.
• For MSPs servicing EA customers, the guest access is limited to specific
scope, for example specific resource groups or subscriptions, and the
access uses RBAC granularly.
• If MSP is servicing customers through CSP, then there are groups or
individuals in MSP staff with non-owner access to customers’
environment.
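One way to check the scoping rule above before an audit, as an added example that is not part of the checklist: the script reads role assignments in the shape of `az role assignment list --all -o json` output, flags partner principals whose assignment falls outside the scopes the customer delegated or carries Owner, and reports which of the Owner/Contributor/Reader scenarios are evidenced in scope. The sample records, principal IDs and delegated scopes are constructed placeholders.

```python
BUILTIN_ROLES = ("Owner", "Contributor", "Reader")
SUB1 = "/subscriptions/00000000-0000-0000-0000-000000000001"  # placeholder
SUB2 = "/subscriptions/00000000-0000-0000-0000-000000000002"  # placeholder

# Assumption: the partner keeps an allowlist of its own group/user object IDs.
MSP_PRINCIPAL_IDS = {"msp-grp-l1", "msp-grp-l2", "msp-user-jd"}

# Assumption: the scopes each customer agreed to place under management.
DELEGATED_SCOPES = [SUB1 + "/resourceGroups/rg-app-prod", SUB2]

# Constructed sample records; real input would be json.load() of the CLI output.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "msp-grp-l1", "principalName": "MSP L1 Ops",
     "roleDefinitionName": "Reader",
     "scope": SUB1 + "/resourceGroups/rg-app-prod"},
    {"principalId": "msp-grp-l2", "principalName": "MSP L2 Ops",
     "roleDefinitionName": "Contributor",
     "scope": SUB1 + "/resourceGroups/rg-app-prod/providers/"
              "Microsoft.Compute/virtualMachines/vm-web-01"},
    {"principalId": "msp-user-jd", "principalName": "jd@msp.example",
     "roleDefinitionName": "Owner", "scope": SUB1},
    {"principalId": "msp-grp-l2", "principalName": "MSP L2 Ops",
     "roleDefinitionName": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/cust-root"},
    {"principalId": "cust-admin", "principalName": "admin@customer.example",
     "roleDefinitionName": "Owner", "scope": SUB1},
    {"principalId": "msp-grp-l1", "principalName": "MSP L1 Ops",
     "roleDefinitionName": "Reader",
     "scope": SUB1 + "/resourceGroups/rg-app-prod-dr"},
    {"principalId": "msp-grp-l1", "principalName": "MSP L1 Ops",
     "roleDefinitionName": "Reader", "scope": SUB2},
]


def norm_scope(scope):
    """Azure resource IDs compare case-insensitively; drop trailing slashes."""
    return scope.rstrip("/").lower()


def in_delegated_scope(scope, delegated_scopes):
    """True if scope equals a delegated scope or sits below one.

    The match is made on a path-segment boundary, so rg-app-prod-dr is not
    treated as a child of rg-app-prod. Root ("/") and management-group
    scopes never match a subscription or resource-group delegation.
    """
    s = norm_scope(scope)
    for d in map(norm_scope, delegated_scopes):
        if s == d or s.startswith(d + "/"):
            return True
    return False


def audit_msp_assignments(assignments, msp_ids, delegated_scopes):
    """Return (kind, principal, role, scope) findings for partner principals."""
    findings = []
    for a in assignments:
        if a["principalId"] not in msp_ids:
            continue  # customer-owned principals are out of this check
        row = (a["principalName"], a["roleDefinitionName"], a["scope"])
        if not in_delegated_scope(a["scope"], delegated_scopes):
            findings.append(("outside-delegated-scope",) + row)
        if a["roleDefinitionName"] == "Owner":
            findings.append(("owner-role",) + row)  # review against non-owner rule
    return findings


def roles_evidenced(assignments, msp_ids, delegated_scopes):
    """Built-in roles held by partner principals inside a delegated scope."""
    return {
        a["roleDefinitionName"]
        for a in assignments
        if a["principalId"] in msp_ids
        and a["roleDefinitionName"] in BUILTIN_ROLES
        and in_delegated_scope(a["scope"], delegated_scopes)
    }


if __name__ == "__main__":
    for f in audit_msp_assignments(SAMPLE_ASSIGNMENTS, MSP_PRINCIPAL_IDS,
                                   DELEGATED_SCOPES):
        print(*f, sep=" | ")
    print("roles evidenced in scope:",
          sorted(roles_evidenced(SAMPLE_ASSIGNMENTS, MSP_PRINCIPAL_IDS,
                                 DELEGATED_SCOPES)))
```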
Required evidence:
Documented Business Continuity/Disaster Recovery Plan, including evidence
of personnel awareness of the plan; plan must include all foreseeable
scenarios that may affect the partner’s ability to provide its services, and the
corresponding response plans including recovery.
3B.2.7 Business continuity and disaster recovery testing Category 1
Partner must provide evidence that Business Continuity and Disaster Recovery
Plans are tested periodically (minimum once per year).
Required evidence:
Records of at least annual Business Continuity and Disaster Recovery Plan
testing, including testing of all scenarios as identified in section 3B.2.6
through simulated test conditions. Where it is not feasible to simulate a test
condition, evidence of alternative validation or verification must be provided.
3B.2.8 Geographic security & governance compliance Category 1
Partner must provide evidence of compliance to geographically specific
legislative security and governance requirements which are also available for
Azure, as of the audit date, as listed here:
https://www.microsoft.com/trustcenter/compliance/complianceofferings
Required evidence:
Evidence of identification of applicable local and national security, and
governance requirements and records of legislative compliance (e.g., through
certification, attestation, etc.).
3B.2.9 ISO 27001 certification Category 3
Partner must be certified to the ISO 27001 Standard for Information Security
Management.
Required evidence:
Current ISO 27001 certificate, scoped to the partner’s cloud managed service
practice.
3B.2.10 ISO 22301 certification Category 3
Partner must be certified to the ISO 22301 Standard for Business Continuity
Management.
Required evidence:
Current ISO 22301 certificate scoped to the partner’s cloud managed service
practice.
3B.3 Manage
Required evidence:
The partner can demonstrate any improvements on the operations baseline
that align to the value-add services they offer. But those services must be
applied consistently across the customer environment to qualify as an
enhanced baseline; evidence from at least two (2) customers is required.
See the table on the enhanced baseline article of CAF for more examples.
3B.3.2 Workload operations Category 2
Any workloads that are deemed mission-critical by the customer will require
more than an enhanced baseline or platform operations. Partner must
demonstrate how they manage mission-critical workloads.
Required evidence:
Evidence option 1: Documentation in the partner offering that clearly states
that the partner is not responsible for supporting mission-critical workloads.
Required evidence:
Partner must provide public facing marketing material in the form of a web
page or listing on the Azure Marketplace that clearly communicates their
baseline, enhanced baseline, platform operations, and workload operations
capabilities. The same terminology must be used in binding customer
contracts for at least two (2) customers to demonstrate which levels of
documented support the customer will receive.
Required evidence:
Partner must provide evidence for each of the following to pass this audit:
- Documented operational compliance, including configuration and
change management processes, and the relevant change and
configuration records for at least two (2) projects demonstrating how
the partner participated in delivering operational compliance using
their operations baseline.
- Documented onboarding including service validation and testing
processes, and the relevant service validation and testing records for at
least two (2) projects where customer was recently onboarded to
partner’s management umbrella, or a net new estate or service was
added to partner’s management umbrella for an existing customer.
Required evidence:
Demonstrated evidence of 24x7 customer support, showing that multiple customer
cases are received, logged, and responded to.
4.2 Help desk operational procedure Category 1
Partner must maintain help desk/service desk operational procedures and must
have methods for ensuring that support procedures are followed.
Partner must have documented support priority and severity level definition, and
corresponding help desk callback SLA policy.
Required evidence:
Documented help desk/service desk processes and callback policy, including
evidence that processes are implemented and records of activities. Evidence of
checks, verification or regularly conducted audits to ensure that support
procedures are followed and promised service-level objectives are met.
4.3 Escalation process Category 1
Partner must have a documented and robust escalation process through the
partner management structure and, when necessary, to Microsoft; and must explain
or show how escalations are handled.
Required evidence:
Documented escalation procedure(s) and demonstration of computer-based service
delivery system on escalation. There should also be evidence presented of previous
escalations to ensure that service-level agreements (SLA’s) were honored.
Help desk metrics can either be automated by the computer-based service delivery
system or compiled manually. If compiled manually, partner must show how the
raw data are captured.
Required evidence:
Help desk metrics and an evidence log of actions taken to improve performance
must be presented.
4.5 Incident management process Category 0
Partner must maintain a documented incident management process, including
incident management tools (custom or 3rd party) that addresses incident
management requirements, and be ready to demonstrate live how incidents are
managed and escalated when necessary.
Required evidence:
Documented incident management processes, including how critical incidents are
handled and escalated where appropriate. Partner must demonstrate live how critical or
highest severity incidents are handled with records of activities.
4.6 Service, problem, and incident management tools Category 1
Partner must demonstrate specific products/tools/APIs (custom or 3rd party) used for
service management, problem management and incident management workflows,
including receiving and managing customer requests.
Required evidence:
Demonstrations of products/tools used for service management, including for
logging, and tracking of customer requests, capturing, and maintaining service
knowledge, and for providing self-service incident tracking to end customers.
Demonstration must be done in a customer-facing manner.
4.7 Non-Microsoft tools for workloads support Category 2
Partner must demonstrate additional non-Microsoft products and tools for supporting
runtime of workloads on Azure. These may include the use of external tools for
providing functionality such as 3rd party tools for CDN, 3rd party tools for DNS, 3rd party
tools for providing autoscaling, configuration management, service catalog, etc.
Required evidence:
Demonstrations and lists of additional tools and technology used for workloads
support. Demonstration must be done in a customer-facing manner and should include
evidence of use in multiple customer engagements.
Required evidence:
Documented event management processes. Partner must demonstrate live how
events are handled.
4.9 Problem management Category 1
Partner must maintain a documented problem management process, including tooling
(custom or 3rd party), and be ready to demonstrate live root-cause analysis of problems
stemming from incidents with no available resolution that have been logged in a
known-errors database.
Required evidence:
Documented problem management process and live demonstration of problem
resolution, including records of activities with root causes identified. Evidence of entries
in a known-error database or knowledge base must be provided.
4.10 Configuration management database Category 2
Partner must be able to demonstrate use of a configuration management database
(CMDB).
Required evidence:
Demonstration of CMDB. e.g. partners use Azure as the source of truth for all deployed
infrastructure (VMs, etc.) and services, and are able to query the current state in or from
Azure (e.g. using Azure Resource Graph) and then update a centrally managed database
for Cloud VM configuration, in addition to other Configuration Items (CIs) that may
exist from on-premise infrastructure, etc. This CMDB (SQL database or any ITSM tool),
would give partners a central database that would make management tasks easier – for
example, when the root cause for an incident is determined, a scan against the CMDB
would determine which other resources (VMs, etc.) are impacted by the same issue.
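The CMDB flow described above, as an added example that is not part of the checklist: Azure Resource Graph rows are upserted into a central SQLite table that also holds on-premises CIs, Azure CIs missing from the latest sync are retired, and a root-cause attribute is scanned across all customers. The table layout, the image SKU attribute, the customer names and the sample rows are constructed assumptions.

```python
import sqlite3

# Assumed Resource Graph query producing the rows consumed below:
#   Resources
#   | where type =~ 'microsoft.compute/virtualmachines'
#   | project id, name,
#       imageSku = tostring(properties.storageProfile.imageReference.sku)

SCHEMA = """
CREATE TABLE IF NOT EXISTS ci (
    id        TEXT PRIMARY KEY,  -- Azure resource ID or on-premises asset ID
    name      TEXT NOT NULL,
    customer  TEXT NOT NULL,
    source    TEXT NOT NULL,     -- 'azure' or 'onprem'
    image_sku TEXT,
    status    TEXT NOT NULL,     -- 'active' or 'retired'
    last_sync INTEGER NOT NULL   -- sync run that last saw this CI
)"""


def open_cmdb(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def sync_azure(conn, customer, rows, run_id):
    """Upsert one customer's Azure rows, then retire Azure CIs not seen in
    this run. On-premises CIs and other customers are left untouched.
    Returns the number of CIs retired."""
    for r in rows:
        conn.execute(
            "INSERT OR REPLACE INTO ci VALUES (?,?,?,?,?,?,?)",
            (r["id"].lower(), r["name"], customer, "azure",
             r.get("imageSku"), "active", run_id),
        )
    cur = conn.execute(
        "UPDATE ci SET status='retired' WHERE customer=? AND source='azure' "
        "AND status='active' AND last_sync<?",
        (customer, run_id),
    )
    conn.commit()
    return cur.rowcount


def impacted_by(conn, image_sku):
    """Active CIs, across all customers and sources, sharing the attribute
    identified as the root cause of an incident."""
    return [tuple(row) for row in conn.execute(
        "SELECT customer, name, source FROM ci "
        "WHERE image_sku=? AND status='active' ORDER BY customer, name",
        (image_sku,),
    )]


def vm(sub, name, sku):
    """Build one constructed Resource Graph row."""
    rid = (f"/subscriptions/{sub}/resourceGroups/rg-prod/providers/"
           f"Microsoft.Compute/virtualMachines/{name}")
    return {"id": rid, "name": name, "imageSku": sku}


def demo():
    conn = open_cmdb()
    # On-premises CI entered by hand or from another discovery tool.
    conn.execute("INSERT INTO ci VALUES (?,?,?,?,?,?,?)",
                 ("onprem-0007", "hv-host-07", "contoso", "onprem",
                  "2019-datacenter", "active", 0))
    sub_a, sub_b = "sub-a-placeholder", "sub-b-placeholder"
    # Run 1: first sync for two customers.
    sync_azure(conn, "contoso", [vm(sub_a, "vm-web-01", "2019-datacenter"),
                                 vm(sub_a, "vm-web-02", "2019-datacenter"),
                                 vm(sub_a, "vm-db-01", "20_04-lts")], run_id=1)
    sync_azure(conn, "fabrikam", [vm(sub_b, "vm-app-01", "2019-datacenter")],
               run_id=1)
    # Run 2: vm-web-02 was deleted in Azure, so it must drop out of scans.
    retired = sync_azure(conn, "contoso",
                         [vm(sub_a, "vm-web-01", "2019-datacenter"),
                          vm(sub_a, "vm-db-01", "20_04-lts")], run_id=2)
    return retired, impacted_by(conn, "2019-datacenter")


if __name__ == "__main__":
    retired, hits = demo()
    print("retired:", retired)
    for hit in hits:
        print(*hit, sep=" | ")
```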
4.11 Asset management Category 2
Partner must implement formal methods and tools for asset management and asset
tracking.
Required evidence:
Demonstration of asset management and tracking tools/databases and APIs, including
evidence of an asset management strategy. Partner must also be able to produce a
report (during the audit) of currently active assets for a given customer, share resource
tagging strategy, demonstrate the ability to leverage custom resource tags to identify
and track Azure resources used - including documentation of types of assets tracked,
details for specific assets, and how these assets are integrated with internal asset
management systems.
The use of an Azure Arc enabled Server to perform asset management for virtual
machines is permitted.
Required evidence:
Demonstration of tools and methods for managing security events; records of actual
events must be provided; there must be a customer-notification SLA; Security event
records and logs must also be maintained for the agreed retention period. The process
must show how this is integrated with support operations.
4.13 Release management Category 1
Partner must have documented release management processes, including tooling
(custom or 3rd party), and must be able to demonstrate how releases are managed. This
must include a process for rolling back changes when necessary and must describe how
rollback is accomplished.
Required evidence:
Documented release management processes, and showcase of deployed tools,
including evidence that processes are implemented. Records of activities must be
provided, including records of rollbacks, if available.
4.14 Security management tools Category 1
Partner must demonstrate specific products/tools used for maintaining workload
security after migration to the cloud. Partner must use Multi-Factor Authentication.
Required evidence:
Demonstrations of products/tools used for security, including demonstration of
capabilities for MFA (multi-factor authentication) to access sensitive customer
environments, tools for preventing security breaches and for anomaly detection, and for
business continuity and disaster recovery. Demonstration must be done in a customer-
facing manner.
4.15 Third party service providers Category 1
Partner must have a process in place for evaluating and managing 3rd party service
providers.
Required evidence:
Description of 3rd party service provider (see Definitions) management process, and the
relevant evidence including records of 3rd party service provider evaluation and re-
evaluation, 3rd party service provider communication, performance monitoring, and 3rd
Party Service Provider agreement. Records must also specify how security compliance of
IaaS, PaaS or SaaS solutions has been addressed.
4.16 ISO 20000 certification Category 3
Partner must be certified to the ISO 20000 Standard for IT Service Management.
Required evidence:
Current ISO 20000 certificate, scoped to the partner’s cloud managed service practice.
Required evidence:
Partners should demonstrate all the following with a minimum of twenty-five (25)
customers:
Required evidence:
MSPs must demonstrate experience with at least one (1) of the following:
• Use of Azure Lighthouse to view Azure resource health or Log Analytics across
multiple customers.
• Use of Azure Lighthouse to apply policy and configuration across multiple
customers at scale GitHub.
• Use of partners’ own CMP or other 3rd party tools to monitor resource health
across multiple customers.
• Use of partners’ own CMP or other 3rd party automation, configuration, and
DevOps tools to apply policy and configuration across multiple customers at
scale.
Required evidence:
Evidence of SLAs, SLOs, KPIs or metrics for response time, turnaround time,
average/expected service objective satisfaction rates for customer-initiated
change/requests. Evidence must show integration of Cloud SLAs in service
management tool and provide at least two (2) customer contracts where Cloud SLA
have been adopted.
5.2 SLA management Category 1
Partner must have a process for managing the SLA/SLO including reviewing and
reporting of SLA/SLO with the customer, handling of customer issues and contract
renewal. Partner must provide adequate best practices and have ongoing review
process in place to ensure that partner continues to meet SLA/SLO commitments.
Required evidence:
Description of SLA/SLO management process. Partner must provide examples of
SLA/SLO compliance best practices (e.g., dedicated Account Manager assigned to
customers, face-to-face regular review/business review meeting, customer-facing
performance report which includes trending, suggested improvement, etc.).
5.3 Customer satisfaction Category 1
Partner must have a documented process to continually improve customer
satisfaction. The process must include:
• Identify the type of data (qualitative and quantitative) to be collected.
• Collect, review, and analyse these data.
• Identify gaps in customer satisfaction and customer issues.
• Action plan and timeline to address gaps and customer issues.
Required evidence:
Documented customer satisfaction processes and evidence of customer
satisfaction data, analysis, and action to address gaps and customer issues. Net
promoter score or other survey approaches are also accepted as part of
evidence.
Required evidence:
Records of internal reviews for 1 (one) customer across all of partner’s Azure sales,
delivery and operations teams to measure/report on the health of each of the
service objectives highlighted within this section.
Partner must have a documented continual improvement methodology and evidence that continual
improvement is a permanent objective
Partner roles required
Business optimization manager, head of operational excellence, process improvement manager
Requirement Category Met (Y/N)
Required evidence:
Documented continual improvement process and relevant evidence of continual
improvement activities throughout the organization. Evidence must show the
disciplined methodology used, including process for identifying the strategy for
improvement, defining metrics, gathering, and processing of data and use of data
for improvement decisions. Records of improvement activities must be provided.
6.2 Capacity management processes Category 2
Partner must maintain processes for executing and measuring of their cloud
service operations capacity.
Required evidence:
Documented capacity management process and the associated records.
6.3 Process automation Category 3
Partner must maintain processes for evaluation of activities and identification of
opportunities for their internal service management process automation.
Required evidence:
Records of process evaluation and recommendations for automation of activities
(e.g., LEAN, Six Sigma, Agile Sprint Planning, Monthly/Quarterly business reviews,
etc.).
Change Management: Process of controlling changes to the infrastructure, tools, process, environments, or any aspect of
services, in a controlled manner, enabling approved changes with minimum disruption.
Cloud DevOps ready Application: This type of application has been built with an N-tier or monolithic model, and yet
is still taking advantage of the cloud computing model, using a combination of containers (such as Service Fabric and
Azure Container Service), Azure cloud infrastructure, resilient application techniques, monitoring, continuous delivery,
and DevOps. This is accomplished without re-architecting and recoding the application, rather by migrating to
containers. Refer to the table at this link: https://docs.microsoft.com/dotnet/standard/modernize-with-azure-and-containers/
for more definition and a compare & contrast to cloud native applications.
Cloud Native Application: This type of application is built and coded with microservices architecture (application
decomposed into loosely coupled and smaller services) and is designed for high-throughput, low latency, mission
critical workloads on Azure. Cloud native apps achieve higher levels of scalability, long-term agility and significant
improvements in deployments, upgrades, versioning, rollbacks, and health monitoring by using microservices
architectures. These are containerized microservices or regular applications based on PaaS on Azure App Service,
Azure Service Fabric, Azure Container Service (that is, Kubernetes). Please refer to the table at this link
https://docs.microsoft.com/dotnet/standard/modernize-with-azure-and-containers/ for more definition and a
compare & contrast to Cloud DevOps ready application.
Configuration Management: The process responsible for maintaining information about Configuration Items (CI)
required for delivering an IT service, including their relationships. This information is managed throughout the lifecycle of
the CI. The primary objective of Configuration Management is to underpin the delivery of IT Services by providing accurate
data to all IT Service Management processes when and where it is needed.
Configuration Management Database: A database used to manage configuration records throughout their lifecycle. The
CMDB records the attributes of each CI, and relationships with other CIs. A CMDB may also contain other information
linked to CIs, for example: Incident, Problem or Change records. The CMDB is maintained by Configuration Management
and is used by all IT Service Management processes.
Demonstration: A partner will be required to carry out a demonstration of live Production and/or Dev/Test Azure
environments as required evidence where specified. Screenshots or pre-recorded video captures will not be acceptable
evidence for submission.
Event Management: The process responsible for monitoring all events that occur through the IT infrastructure. It allows
for normal operation and detects and escalates exception conditions.
Incident Management: The process responsible for managing the lifecycle of all Incidents. The primary objective of
Incident Management is to return the IT service to customers as quickly as possible.
Hypothetical Use Cases: For evidence, if a required Azure Service is not currently being used by an active customer, a use
case / demonstration in a hypothetical customer environment and/or test environment is required to demonstrate
evidence. These provide lesser points than actual evidence cases.
ISO 20000: Service management system (SMS) standard; specifies requirements for Service Providers to plan, establish,
implement, operate, monitor, review, maintain and improve an SMS. Requirements include design, transition, delivery, and
improvement of services to fulfil agreed service requirements.
ISO 22301: Business continuity management system (BCMS) standard; specifies requirements to plan, establish,
implement, operate, monitor, review, maintain and continually improve a documented management system to protect
against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they
arise.
ISO 27001: Information security management system (ISMS) standard; specifies requirements for establishing,
implementing, maintaining, and continually improving an information security management system. Also includes
requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
Knowledge Base: A database containing information about incidents, problems and known errors. The Knowledge Base is
used to match new incidents with historical information, improving resolution times and first-time fix rates.
Net Promoter Score: A customer loyalty index measuring the willingness of customers to recommend a company’s
products or services to others. Used to evaluate customer and brand loyalty.
Presentation: Partners may be required to provide presentations to ISSI auditors, as required evidence to sections
outlined within the audit checklist. Presentations can be in-person or remote and must be delivered in conjunction with
Microsoft PowerPoint or equivalent business productivity applications.
Problem Management: The process responsible for managing the lifecycle of all problems. The primary objectives of
Problem Management are to prevent incidents from happening, and to minimize the impact of incidents that cannot be
prevented. Problem Management includes problem control, error control and proactive problem management.
Process: A series of actions and/or steps taken in order to satisfy the specific requirements covered under the required
evidence section of each checklist item.
Release Management: The process responsible for planning, scheduling, and controlling the movement of releases to test
and live environments. Release Management works closely with Configuration Management and Change Management.
Service Level Agreement (SLA): A contractual agreement between an IT Service Provider and a customer. The SLA
describes the IT service, documents service level targets, and specifies the responsibilities of the IT Service Provider and
the customer.
Third-Party Service Provider: These are entities including (but not limited to) independent contractors, third party
(solution) applications and/or tooling providers.
FAQ
You can find the FAQ document here.
Throughout:
• Removed reference to “onsite” as audits will be held remotely until further notice
Title page:
• Updated version from 1.9 to 2
• Updated effective dates to July 1, 2022 to December 31, 2022
Page 5:
• Added clarification on update cadence for checklist and last day to apply to guarantee auditing against
current checklist
• Added clarification on the first-time application process and dates by when audits must be completed
• Added clarification on the renewal application process and dates by when audits must be completed
Page 6:
• Added clarification on audit requirements within application windows
Page 10:
• Added clarification on active CMP customers required
Page 11:
• Added clarification that gap reviews must also be completed within the application window
Page 14:
• Added clarification on the possible outcomes of the audit
• Added clarification on the gap review phase
Audit controls:
Section 1
• 1.1: Positioning and Messaging of your Azure Managed Services: clarified language
• 1.2: Financial Health: clarified that third party credit reporting agencies’ reports can be included in
evidence
• 1.3: Thought Leadership: clarified language
• 1.4: Succession Planning: clarified language
• 1.5: Personnel Training (previously 4.5): moved to section 1 from section 4
• 1.6: Offer Development: was previously 1.5, clarified language
• 1.7: Sales Support Materials: was previously 1.6, simplified list of materials
• 1.8: Partner Cloud Center of Excellence (CCoE): clarified required evidence as including customer
facing materials, removed reference to other controls.
Section 2
• 2.1
o Clarified preference for showing Azure services customer
Section 3
• Moved into Module 3A: 3.1: Strategy; 3.2: Plan; 3.3: Environmental readiness and Azure landing zone;
3.5.3: Governance Implementation; 3.6.1: Operations baseline
o Moved all five controls into a section called Module 3A. Module controls overlap with controls in
Module A for advanced specializations. If a partner has passed advanced specialization Module
A as part of an advanced specialization audit, the partner no longer needs to take those controls
as part of the AEMSP audit.
o 3A.3 (previously 3.3) Azure Landing Zone: replaced language in control to match language used
in the advanced specialization Module A
o 3A.4 (previously 3.5.3 Governance Implementation): clarified that the three governance
disciplines selected by the partner to show in evidence can be repeated across both projects
shown in evidence.
• All other controls in section 3 move into Module 3B
o 3.4.2: IaaS, PaaS & SaaS Demonstration: removed control
o 3B.1.3 (Previously 3.4.4) Cloud Migration Practice for Azure: clarified that customer case
studies must be unique
o 3B.1.5 (Previously 3.4.6): Database Migration: clarified that evidence should be from four
unique projects from a minimum of two customers.
o 3B.1.6 (Previously 3.4.7): Application Migration: clarified that evidence can come from any
one of the five provided migration scenarios
o 3B.2.2 (Previously 3.5.2): Governance Minimal Viable Product: added description of control,
clarified required evidence language
o 3B.2.3 (Previously 3.5.4) Information security policies and procedures: added ISO27001 as
an option for qualified review and testing evidence
o 3B.2.4 (Previously 3.5.5): Review and Testing of Partner Information Security Policies and
Procedures: clarified that control is referring to partner’s information security policies and
procedures; added ISO27001 as an option for qualified review and testing evidence
o 3.5.6: User Account Provisioning: removed control
o 3B.3.1 (Previously 3.6.2): Enhance baseline: clarified that evidence must be shown for 2
customers in order to prove enhanced baseline
o 3B.3.3 (Previously 3.6.4): Operations management offer alignment: clarified language
o 3B.3.4 (Previously 3.6.5): Operations and transition support: renamed control, removed
third bullet under required evidence
Section 4
• 4.5: Personnel Training: moved to section 1 to simplify order of audit
• 4.15: Integrated Monitoring Tools: removed control
Section 5
• 5.2 SLA Management: combined components of controls 5.2 and 5.3
• 5.3: Service Level Compliance: removed control
• 5.4: Customer Satisfaction: became control 5.3
• 5.5: Workload Optimization Tools: removed control
• 5.6: Service Level Measurement & Performance: clarified, became control 5.4
Section 6
• 6.1 Continual Improvement: Combined components of controls 6.1 and 6.2
• 6.2 Data Collection and Analysis Records Management: removed control
• 6.3 Capacity Management Processes: clarified language, became control 6.2
• 6.4 Process Automation: clarified language, became control 6.3