V1.0 DevOps With GitHub On Microsoft Azure Advanced Specialization Audit Checklist

This document provides information about the DevOps with GitHub on Microsoft Azure advanced specialization program, including the application process, audit requirements, and frequently asked questions. It outlines a multi-step application process involving prerequisite validation, scheduling an audit, conducting the audit, and receiving the results. Partners must pass an independent audit to earn the specialization, which is valid for one year and requires annual renewal by meeting updated requirements. The document reviews audit logistics, timelines, reports, and costs.

Uploaded by

FarisuddinF

DevOps with GitHub on Microsoft Azure

Advanced Specialization
Program guide, audit checklist, and FAQ

Valid July 8, 2021 – December 31, 2021

Version 1.0
Contents

DevOps with GitHub on Microsoft Azure advanced specialization
Application phases
Audit checklists
Payment terms and conditions
Pricing schedule
Payment terms
Roles
Partner FAQ: Audit
Partner FAQ: Advanced specialization overview

DevOps with GitHub on Microsoft Azure
advanced specialization

Program Overview
As the speed of business accelerates, your customers are looking for better, faster, smarter ways to
develop and deploy software and automated processes. They're moving away from traditional waterfall
development and embracing iterative development and delivery tools that help shorten time to market.
The DevOps with GitHub on Microsoft Azure advanced specialization differentiates your organization and
showcases your proven ability to implement secure DevOps practices while using Azure and GitHub.

The DevOps with GitHub on Microsoft Azure advanced specialization allows partners with an active Gold
Cloud Platform competency to further differentiate their organizations, demonstrate their capabilities, and
build stronger connections with customers.

After partners earn an advanced specialization, they will have a customer-facing label displayed on their
business profile, gain access to specific go-to-market programs, and be prioritized in customer searches in
the Microsoft Partner Directory. For these reasons, this opportunity is available only to partners that meet
additional, stringent requirements.

This document defines the requirements to earn the DevOps with GitHub on Microsoft Azure advanced
specialization. It also provides further requirements, guidelines, and an audit checklist for the associated
audit that is required to earn this advanced specialization.

Program status term

When a partner meets all prerequisite requirements shown in Partner Center and Microsoft receives a
valid Pass Report from the third-party audit company, the partner will be awarded the DevOps with
GitHub on Microsoft Azure advanced specialization for one (1) calendar year.

The status and the DevOps with GitHub on Microsoft Azure advanced specialization label can be used
only by the organization (determined by Partner Center MPN PGA ID account) and any associated
locations (determined by MPN PLA ID) that met all requirements and passed the audit. Any subsidiary or
affiliated organizations represented by separate Partner Center accounts (MPN PGA ID) may not advertise
the status or display the associated label.

Audit information
The audit checklist will be updated to stay current with technology and market changes. The audit will be
conducted by an independent, third-party auditor.

Partners may apply for the audit only after all other program requirements have been fully met. Partners
must complete the audit within thirty (30) calendar days of the audit application, and they must complete
it against the then-current program requirements.

Partners will be awarded a Pass or No Pass result upon completion of the audit process, including if they
withdraw from the audit process. The Pass result is valid for one (1) calendar year.

Partners that receive a No Pass result will be locked out of reapplying for six (6) months. They may reapply
to be audited again at the end of this period, provided that they still meet all other program
requirements.

Renewing the advanced specialization


Partners must renew annually by meeting the requirements that are current at the time of their renewal.
The requirements will be published in Partner Center.

How to apply

Only administrators of an organization’s Microsoft partner account can submit an application for the
advanced specialization on behalf of the organization.

Partners with the appropriate role and access permissions can apply. To do so, they sign in to their
Partner Center account. On the left pane, select Competencies, and then select Adv. Specialization.

Application phases

| Step | Action | Responsibility |
|---|---|---|
| 1 | Review requirements in Partner Center. In the initial application phase, applications are submitted in two stages: (1) Prerequisite requirements, (2) Audit. Recommended: Before you begin, review the audit checklist thoroughly. Do not start the application process unless you are ready to undertake the audit. Assess your ability to complete the audit, including considerations for readiness, employee availability, and holidays. | Partner |
| 2 | Validate that the partner meets all requirements prior to audit. | Microsoft |
| 3 | Confirm to the third-party audit company that the partner is eligible for audit. | Microsoft |
| 4 | Schedule and confirm audit within two (2) business days. | Auditor (with partner) |
| 5 | Conduct the audit within thirty (30) calendar days of the approval for audit. | Auditor |
| 6 | Provide a Gap Report to the partner within two (2) business days of the completed audit, listing any Open Action Items.* | Auditor |
| 7 | Within two (2) business days of receiving the Gap Report, the partner acknowledges receipt of the report and schedules a Gap Review Meeting. | Partner |
| 8 | Within fifteen (15) calendar days of receiving the Gap Report, the partner schedules the Gap Review Meeting with the auditor to provide evidence and address any Open Action Items.* | Auditor (with partner) |
| 9 | Issue Final Report to the partner. Notify Microsoft of audit Pass or No Pass result. | Auditor |
| 10 | Notify the partner about program status. | Microsoft |

* These steps will be skipped if the partner has no Open Action Items after the audit.

Meet the prerequisite requirements


Applications for Azure advanced specializations are submitted in two phases. In the first phase, the
partner must meet the prerequisite requirements in Partner Center.

Schedule your audit
Partners that meet all program prerequisites may apply for an audit in Partner Center by selecting
schedule audit. We recommend that partners first review the audit checklist in detail before applying for
the audit. Each partner must assess their ability to complete the audit, including considerations for
readiness, employee availability, and holidays. After a partner applies for the audit, it must be scheduled
and completed within thirty (30) calendar days. Failure to complete the audit in this time will result in an
automatic No Pass report, which is entered into Partner Center as Audit Failed.

After the partner applies to schedule the audit, Partner Center will issue an automated message that
connects the partner to ISSI. The partners will receive a communication from ISSI asking them to propose
dates for their audit.

The audit company will make every effort to accommodate the partner’s requested audit date and will
attempt to schedule an auditor in the region closest to the remote audit location. After the date and
auditor are confirmed, the partner will be given a detailed confirmation of the audit day.

* Please note that there is a cost associated with the audit. See Payment Terms and Conditions.

The audit phase


Microsoft uses an independent, third-party audit company, Information Security Systems International,
LLC (ISSI), to schedule and conduct advanced specialization audits.

Prior to the audit, partners are expected to have undertaken a thorough review of the audit checklist,
compiled all required evidence, and ensured that the right subject matter experts (SMEs) are available to
present that evidence.

After the audit date has been confirmed, ISSI will provide an agenda to the partner. During the audit, the
partner must provide access to the appropriate personnel who can discuss and disclose evidence that
demonstrates compliance with program requirements. We highly recommend that subject matter experts
for each section attend.

On the day of the audit, the partner must be prepared to provide the auditor with access to live
demonstrations, documents, and personnel, as necessary to demonstrate compliance with the
requirements.

During the audit, the auditor will seek to verify that the partner’s evidence has addressed all required
audit checklist items satisfactorily.

The audit can produce either of two outcomes:

1. The partner passes the audit.

• The auditor will present a brief synopsis of the audit. This will include identifying observed
strengths and opportunities for improvement.

• The auditor will provide a Final Report to the partner.

• The auditor will notify Microsoft.

2. The partner does not satisfy all checklist items during the audit.

• The auditor will present a brief synopsis of the audit at the end of the day, including observed
strengths and Open Action Items, as outlined in the Gap Report, within two (2) business days.

• The partner will acknowledge receipt of the Gap Report within two (2) business days.

• The partner will move into the Gap Review phase and schedule their Gap Review Meeting
within fifteen (15) calendar days.

The Gap Review


If the partner does not, to the auditor’s satisfaction, provide evidence that meets the required scores
across all audit categories during the audit, the partner will move into a Gap Review. A Gap Review is part
of the audit and completes the process.

Within two (2) business days after the audit, the partner will receive a Gap Report, which details any
Open Action Items and the outstanding required evidence. The partner then has two (2) business days
to acknowledge receipt of the Gap Report and schedule a Gap Review Meeting. The Gap Review
Meeting is conducted with the auditor over the partner’s virtual conference platform of choice. The
meeting must take place within fifteen (15) calendar days of when the Gap Report was sent, and it may
last no longer than one (1) hour. During the Gap Review Meeting the partner must present evidence
that addresses any and all Open Action Items.

The Gap Review Meeting can produce either of two outcomes:

1. The partner resolves all Open Action Items.

• The auditor confirms that the partner has provided the required evidence.
• The auditor provides a Final Report to the partner.
• The auditor notifies Microsoft about the outcome (subject to Auditor Terms and Conditions).

2. The partner does not resolve all Open Action Items.

• The auditor presents a brief synopsis of the audit, including missed items.
• The partner receives a Final Report that details the missed items.
• The auditor notifies Microsoft about the outcome (subject to Auditor Terms and Conditions).

If the partner is still unable to provide satisfactory evidence to the auditor during their Gap Review
Meeting, the partner will be deemed to have failed the audit. Partners that still want to earn this advanced
specialization will need to begin the application process again.

Completion of the audit


The audit process concludes when ISSI issues the Final Report after the audit or after the Gap Review.

Preparing for the audit: Optional ISSI consulting offers


ISSI provides optional extensive, in-depth consulting engagements to help partners prepare for their
Azure advanced specialization audit. Partners can work directly with ISSI to schedule this remote session
(via online web conference). For more information about this type of in-depth engagement, see Azure
Advanced Specializations - Consulting Offer.

Alternatively, partners can participate in an optional, one-hour, live audit preparation overview session
provided by ISSI. This session provides a high-level overview of key aspects of the advanced specialization
audit process. The session includes a discussion of the checklist requirements along with best practices to
help partners prepare for the audit. Partners work directly with ISSI to schedule this remote session (via
online web conference). For more information about this session, see Azure Advanced Specializations -
Audit Preparation Overview.

To ensure objectivity, audits are conducted by a different ISSI auditor than the one that is engaged for
consulting. Consulting engagements can be scheduled at any time using the partner’s preferred
conferencing platform.

* Please note that there is a cost associated with the consulting and audit preparations services. See
Payment Terms and Conditions.

Audit checklists
The DevOps with GitHub on Microsoft Azure advanced specialization audit checklist contains two (2)
modules, Cloud Foundation and DevOps with GitHub on Microsoft Azure. Module A: The Cloud
Foundation module evaluates the use of a consistent methodology and process for Azure adoption that is
aligned with customers’ expected outcomes, spanning the entire cloud adoption lifecycle. Module B: The
DevOps with GitHub on Microsoft Azure module validates that the partner has adopted robust processes
to ensure customer success across all phases of deploying DevOps solutions, from the assessment phase
to design, pilot, implementation, and post-implementation phases.

Review the following audit checklist table for more details about each control phase and to learn how the
partner will be evaluated for an audit.

Module A: Cloud Foundation


1. Strategy
2. Plan
3. Environment readiness and Azure landing zone
4. Governance
5. Manage

Module B: DevOps with GitHub on Microsoft Azure


1. DevOps Consulting Practice
2. Assess
3. Design
4. Delivery
5. Review and release for operations

To pass the audit, the partner must complete all audit checklist items.

Module A: Cloud Foundation is required for multiple Azure advanced specializations. To complete
Module A: Cloud Foundation, the partner needs to pass all controls in Module A by providing the
specified evidence. Alternatively, the partner may present evidence of a previous pass result from
Module A or from another advanced specialization audit conducted on V 2.0 or later.

Module B: DevOps with GitHub on Microsoft Azure. Each control has one (1) or more requirements
and required evidence the partner must provide for the auditor. Both the requirements and the
required evidence are defined in the following tables. For some controls, a reference customer or
customer evidence is the documentation requested.
Unless otherwise stated, the partner must show at least three (3) unique customers with deployments
completed within the last twelve (12) months.

The partner can use the same customer across audit checklist controls, or they can use a different
customer. For audit evidence relating to customer engagements, the partner can use a customer case
study and reference it multiple times.

Module A: Cloud Foundation


1.0 Strategy

The partner must have a defined approach for helping their customer evaluate and define a cloud adoption
strategy beyond an individual asset (app, VM, or data).

Partner roles required


Solution Architect, Data Architect

Requirement
1.1 The partner must have a process that captures the data-driven business strategies being used to
guide customer decisions. Their process should include, at minimum, the following:

• A strategy review for capturing the customer’s business needs and/or problems the
customer is trying to solve.

Required evidence:
A report, presentation, or document that captures strategic inputs and decisions for two (2) unique
customers, with projects completed in the past twelve (12) months that are aligned with the
process. For an example, see the Strategy and plan template in the Cloud Adoption Framework for
Azure.

2.0 Plan

The partner must have a consistent approach to planning for cloud adoption that is based on the strategy outlined
in the preceding section.

Partner roles required


Project Manager, Solution Architect, Data Architect

Requirement
2.1 The partner must have a process and approach for planning and tracking the completion of cloud
adoption projects. For an example of a cloud adoption plan, see the Azure DevOps Demo Generator
for the Cloud Adoption Framework.

Required evidence:
The partner must provide evidence of their capability with examples of two (2) unique customers,
with projects that were completed in the past twelve (12) months. Acceptable evidence must
include at least one (1) of the following:

• Cloud Adoption Plan Generator output


• Azure DevOps backlog
• Any other tools for project planning and tracking

3.0 Environment readiness and Azure landing zone

The partner must be able to demonstrate that the following design areas are addressed through their approach to
landing zone implementation.

Partner roles required


Platform Architect, Solution Architect

Requirement
3.1 Repeatable deployment
The partner must demonstrate adherence to Azure landing zone design areas through a
repeatable deployment. The deployment should configure, at minimum, the following identity,
network, and resource organization attributes:

• Identity
o Adoption of identity management solutions, such as Azure Active Directory or
equivalent

• Networking architecture design (topology)


o Adherence to the guidance in Review your network options
o Application of hybrid architectures that use Azure ExpressRoute, VPN Gateway, or
equivalent services for connecting local datacenters to Azure

• Resource organization
o Implementation of tagging and naming standards during the project

The partner should be able to demonstrate which of the following deployment velocity
approaches they use when they deploy Azure landing zones:

• Start small and expand: Azure landing zone does not deploy governance or operations
configurations, which are addressed later in the implementation.

• Enterprise-scale: Azure landing zones implement a standard approach to the
configuration of governance and operations tools prior to implementation.

• Alternative approach: If the partner follows a proprietary approach or a mixture of the
two (2) approaches above, they must clearly articulate their approach to environment
configuration.

Required evidence:
The partner must provide evidence of a repeatable deployment they use to create landing zones
that they have deployed to two (2) unique customer environments by using Azure Blueprints,
ARM templates, Terraform modules, or equivalent tools to automatically deploy the environment
configuration.

The provided template can be pulled directly from the provided implementation options, or it
can be based on the partner’s own IP. In either case, the script must demonstrate the
configuration of the identity, network, and resource organization, as described earlier.

4.0 Governance

The partner must demonstrate their customer’s role in governing cloud-based solutions and the Azure tools they
use to facilitate any government requirements their customer might have today or in the future.

Partner roles required


Platform Architect, Solution Architect, Data Architect

Requirement
4.1 Governance tooling
The partner must demonstrate the ability to deploy the required governance tools for two
(2) unique customer projects.

Required evidence:
The partner must demonstrate the use of Azure Policy or equivalent tool to provide controls to
govern the environment for two (2) unique customers with projects that were completed in the
past twelve (12) months.

5.0 Manage

The partner must demonstrate that they have set up their customer for operational success after the deployment is
completed. All partners have a role in setting up operations management, even if they do not provide long-term
managed services.

Partner roles required


Platform Architect, Solution Architect, Data Architect

Requirement

5.1 Operations management tooling


The partner must demonstrate the use of Azure products or equivalent to help their customer and/or
managed service provider operate the environment after deployment.

Required evidence:
The partner must demonstrate the deployment of at least one (1) of the following Azure products or
third-party equivalents: Azure Monitor, Azure Security Center, Azure Automation, or Azure Backup/Site
Recovery, for two (2) unique customers with projects that were completed in the past twelve (12)
months.

Module B: DevOps with GitHub on Microsoft Azure

1.0 DevOps Consulting Practice

The partner must have a robust DevOps consulting practice.

Partner roles required


Solution Architect, DevOps consultants - formed as part of a dedicated DevOps practice with Azure using GitHub

Requirement

1.1 DevOps Consulting Practice


Partner must provide evidence of a mature DevOps consulting practice. Evidence must include:
• Public web page explaining partner’s offering for DevOps on Azure using GitHub
• Documented process for integrating DevOps practices and tools for customer projects and
solutions
• Clear DevOps practice charter and responsibilities
• Agile approach, standard methodology and framework to assess customer challenges which is
reusable across multiple customer assessment engagements
• Guidance on standardized tools, processes and governance model for complete DevOps
lifecycle like project management, asset organization, CI/CD, testing
• Best practices and reusable IP to have consistent build quality and efficiency including DevOps
environment setup scripts, standard templates to deploy infrastructure as code
• Readiness plan for DevOps implementation
• Dedicated team with diverse DevOps expertise, (e.g. Infrastructure as Code, Azure DevOps,
GitHub, Security, DataOps, ML Ops, Monitoring)
• Documentation of DevOps offerings, accelerators, advisory services, etc.
• DevOps consulting services offerings. For example, the top services offered are architectural
review and guidance, followed by cost management and defining operations and
management standards
• DevOps presales support

Required evidence:
The partner must demonstrate a documented approach for implementing DevOps for three (3)
customers with completed projects using Azure and GitHub within the last twelve (12) months.

Partner must provide each of the following documents:

• A Practice charter document with clearly documented execution model and success criteria

• Organization documentation with dedicated Core Team/Architects and at least three (3)
DevOps consultants

• A DevOps Readiness plan and roadmap for customers

And two (2) items from the list below:

• A Documented DevOps process and standardized reference architecture guidelines (aligned
to WAF).

• Customer assessment plan, for example: Assets like questionnaire, Assessment worksheets
templates

• Defined Governance Model document

• Change control process document

• Offering or Accelerator for customer DevOps adoption and execution (minimum one (1)
offering)

• GTM strategy documents

• SOWs

• DevOps Knowledge repository

2.0 Assess

The partner must have a consistent approach to assessing customer requirements for the workload.

Partner roles required


Solution Architect, DevOps Consultant

Requirement

2.1 Environment assessment


The partner must demonstrate how they assess customer’s DevOps maturity. The assessment must
include:
• DevOps best practices, DevSecOps and related assets to enable

• Current state assessment and capability/Maturity assessment model

• Target state definition

• Business plan template

• Workshop template

• Execution plan (sprint or other methodology)

• CI/CD Pipelines

• SecOps

• Test Cases

• Assessment/Approval Gates at each state

• Infrastructure as Code (Automated deployment of Environment/Infrastructure using tools like
GitHub Actions/DevOps pipelines with proper policies and controls in place)

Required evidence:
The partner should provide relevant documents showing that the preceding items were reviewed for
one (1) customer with a DevOps on Azure project completed within the last twelve (12) months. The
evidence must show that all assessment details were considered for those customers. Assessments may
be done manually or through an industry-accepted assessment tool.

Accepted documentation: assessment checklists, templates, questionnaires, or project plans.

3.0 Design

The partner has robust methodologies for designing the workload.

Partner roles required


Solution Architect, DevOps Consultant

Requirement

3.1 Solution design


The partner must provide solution designs showing a consistent approach that addresses the customer
requirements that were captured from the assessment phase and a plan for DevOps adoption.

Plan should include:


• Adoption and migration plans for GitHub
• Inner Source configuration and adoption
• Shift-left considerations for application security
• Automation of build, test, and deployment
• DevOps monitoring
• Infrastructure as code and automated provisioning

The solution design must demonstrate:

• Current DevOps and source code state:
o Existing tools for managing code and automation
o Basic practices for managing and building/deploying/provisioning
o Related DevOps systems integrations

• Migration or modernization approach:
o Relationships between existing systems/tools and proposed DevOps environments
o Tools and practices to migrate/modernize the DevOps environments

• Proposed DevOps automation for application code including:
o Automated build and packaging tools and practices
o Automated or Shift-left application security including Software Composition Analysis
and Static or Variant Code Analysis
o Automated deployment to Azure environment(s)

• Proposed Infrastructure-as-code management (as appropriate)
o Code management practices for ARM Templates, Terraform or other Azure-compliant
Infrastructure as Code
o Automated compliance checks (e.g., Azure Policy)
o Automated provisioning in both pre-production and production environments

• Code security and sharing
o Categorization of target code bases describing access restrictions
o Roles and permissions describing who can access, modify and/or maintain
different codebases
o Pull-request or similar workflow describing how code quality and
compliance will be verified
o Branch Protections/Policies used to ensure compliant code workflows

• Learning and DevOps feedback loop
o Monitoring and logging in operational systems (e.g., Azure Monitor,
Application Insights, etc.)
o Tools and practices providing developers/engineers access to
operational data for troubleshooting and maintenance activities

Required evidence:
The partner should provide relevant solution design documents that address the preceding points as
appropriate, for at least three (3) unique customers with DevOps with GitHub on Azure projects that
were completed within the past twelve (12) months.

Acceptable documentation: Design document, project plan, functional specifications, architectural
diagram, automated tooling reports, and physical and logical diagrams.

3.2 Well-Architected Review of workloads

The partner must demonstrate the use of an Azure Well-Architected Review on workloads or
applications in Azure.

The Well-Architected Review is designed to help partners evaluate their customers' workloads against
the latest set of industry best practices. It provides actionable guidance to design and improve those
workloads. The review can be used to evaluate each workload against the pillars of the Azure Well-
Architected Framework that might apply to that workload.

Required evidence:
The partner must provide exported results from the completed Well-Architected Review, using the
assessments in the review for at least three (3) workloads or applications running in Azure that
were completed within the last twelve (12) months, indicating the customer's name. All five pillars
of the Well-Architected Review should be completed, otherwise the partner must provide
justification for an exception. The three (3) workloads can come from one (1) or more customers.

4.0 Delivery

The partner has robust methodologies for implementing GitHub and Azure in DevOps engagements.

Partner roles required


Solution Architect, DevOps Consultant

Requirement

4.1 Delivery
The partner must provide evidence of their ability to embed GitHub into DevOps engagements.

Required evidence:
The partner must provide documentation for three (3) unique customers with engagements involving
DevOps that were completed within the last twelve (12) months.

Selected engagements must comply with the following criteria:

• All three (3) engagements must use Git repositories to store engagement assets (e.g.,
application code, scripts, ML models, etc.), with at least one (1) engagement using GitHub
Enterprise (Cloud, Server or AE)

• All three (3) engagements implement continuous integration or similar automated build
strategy using GitHub Actions, Azure Pipelines, Jenkins, or CircleCI, with at least one (1)
engagement usingGitHub Actions

• At least one (1) engagement automatically performs code analysis to improve code security
and/or quality leveraging GitHub Advanced Security, SonarQube, SonarCloud, OWASP,
Veracode, Fortify, Parasoft, and/or Coverity, with at least one (1) engagement leveraging
GitHubAdvanced Security

• At least one (1) engagement protects branch code quality and compliance using GitHub
BranchProtections (GitHub)

• At least one (1) engagement automatically publishes reusable artifacts to an appropriate
registry, including GitHub Packages, GitHub Containers, Azure Artifacts, Azure Container
Registry, Artifactory, npmjs.com, nuget.org, pypi.org, etc.

• At least one (1) engagement leverages the GitHub dependency graph and
Dependabot to identify and remediate open-source vulnerabilities

• At least one (1) engagement provisions environments in Azure through GitHub Actions
using ARM Templates, Terraform, or Ansible.

To cover the entire sequence of the engagement, including design and production deployment, the
documentation must include at least two (2) of the following:

• Signed statements of work (SOWs) for all engagements


• Solution design documents for all engagements
• Project plan and migration/deployment sequence
• Architecture diagrams
• As-built documentation

5.0 Review and release for operations

The partner has robust methodologies for transitioning the workload.

Partner roles required


Solution Architect, DevOps Consultant

Requirement

5.1 Service validation and testing


The partner must validate the deployment, including:

• Demonstrating a process and approach to testing and evaluating the performance of all
applications against customer expectations and Azure best practices.
• Demonstrating a process and approach to evaluating and improving architectural best
practices to remediate issues with migrated platforms or workloads that do not meet
performance or cost expectations.

Required evidence:
Documentation of the testing, validation, and performance evaluation that addresses the preceding
points for three (3) unique customers with DevOps projects that were completed in the past twelve (12)
months. The documentation must indicate that the implemented solution met customer expectations,
and it must include a sign-off from the customer.

5.2 Post-deployment documentation


The partner must provide post-deployment documentation to show that their customers are
successfully leveraging the DevOps solution.

Post-deployment documentation must include:


• Updated design documentation reflecting the “as-built” DevOps implementation
• Measurements or appropriate KPIs showing the performance of the solution (e.g., Cycle Time,
Lead Time and/or similar process performance metrics)
• Post-deployment guidelines and recommendations for ongoing migration, adoption and
improvements.

Required evidence:
Documentation that addresses the preceding points for three (3) unique customers with DevOps
with GitHub on Azure projects that were completed in the last twelve (12) months.

Payment terms and conditions


Pricing schedule
• For audits comprised of both modules A and B, the audit fee is $3,000 USD
• For audits comprised of module B alone (available for partners who previously passed module
A), the fee is $2,000 USD

Gap Review Meeting: included in audit cost

Payment terms
The cost of the audit is payable in full to the audit company and must be settled before the audit begins.
Failure to pay will result in cancellation of the audit.

Roles
Role of the auditor
The auditor reviews submitted evidence and objectively assesses whether the evidence provided by the
partner satisfies the audit checklist requirements.

The auditor selects and evaluates evidence, based on samples of the information available from live
systems. The appropriate use of such sampling is closely related to the confidence that can be placed in
the audit conclusions.

All ISSI auditors are under a non-disclosure agreement (NDA) with Microsoft. Auditors will also comply
with requests from partners to sign a direct NDA.

Role of the partner


The partner must provide objective evidence that satisfies the auditor for all checklist items. It is the
responsibility of the partner to have reviewed all checklist items prior to the audit, to have collated all
necessary documentation and evidence, and to have ensured that the right subject matter experts are
available to discuss and show systems, as appropriate.

All audit evidence must be reproducible and verifiable.

Role of the Microsoft Partner Development Manager


For partners that have an assigned Microsoft Partner Development Manager (PDM), the PDM is
responsible for ensuring that the partner fully understands the requirements prior to applying for the
audit. The PDM may attend the optional consulting engagements that ISSI offers, but the PDM may not
attend the audit.

Glossary

ISSI consulting and audit preparation offers


Consulting engagements offered by ISSI to help partners prepare for Azure advanced specialization
audits. ISSI offers optional extensive in-depth consulting engagements and one-hour live sessions. Please
note that there is a cost associated with the consulting and audit preparations services provided by ISSI.

Audit
A half to full-day audit that is carried out remotely by a qualified ISSI auditor. During the audit, a partner
must present evidence of having completed 100 percent of the audit checklist items.

Open action item


If the auditor deems that the partner has failed to present the required evidence for an audit checklist
section during the audit, the missing evidence is recorded as an Open Action Item in the Gap Report.

Gap report
Open Action Items are listed in the Gap Report, which is sent to partners within two (2) business days
after their audit. The Gap Report details all Open Action Items and the evidence that is still required.
Partners have two (2) business days to acknowledge receipt of the report and to schedule a Gap Review
Meeting.

Gap review meeting


A Gap Review Meeting must take place within fifteen (15) calendar days of the issuance of the Gap
Report. Partners that receive a Gap Report must address and close the Open Action Items via the Gap
Review Meeting. The Gap Review Meeting is conducted by the auditor over Skype, and it may not exceed
one (1) hour.

Missed Item
If the auditor deems that the partner has failed to present the required evidence for an audit checklist
item during the Gap Review Meeting, this failure is recorded as a Missed Item and is included in the Final
Report.

Final Report
A Final Report is provided to partners that discusses whether they have earned a Pass or No Pass in the
audit. A Final Report showing a Pass can be issued at the end of either the audit or the Gap Review
Meeting. A Final Report showing a No Pass will be issued after the Gap Review Meeting. If a partner
chooses not to proceed to a Gap Review Meeting or fails to acknowledge receipt of the Gap Report, a
Final Report showing a No Pass result will be issued within five business days.

Partner FAQ: Audit
Program contact information
If you have a question that we have not answered in this document, contact Partner Center support.

Who can participate?


The program is open to any members of the Microsoft Partner Network program who can meet the
program requirements and pass the audit.

Is there a cost to participate?


Microsoft does not charge a program fee. However, there are direct costs associated with the following
requirements:

• Gold Cloud Platform competency


• Microsoft and third-party certifications
• Audit

In addition, there are indirect costs associated with preparation for the audit.

How much time and how many resources (people) do we need to commit to meeting the
requirements?
The amount of time it takes to meet all requirements and pass the audit varies greatly. It depends on how
many of your current employees already have the required Azure skills, whether they have documented
customer wins, and how you document your people, technology, and processes.

Important notes
Do not apply for the program until you have met all the program requirements prior to the audit. Be sure
you have thoroughly reviewed the audit requirements and are confident you can satisfy them.

Take note of the active dates for the audit checklist. Partners are audited against the checklist items that
are active on the date of their half to full-day remote audit. The original application date has no bearing
on the version of the checklist that is used for the audit.

In which languages are the audits conducted?
• English
• Portuguese
• Spanish
• French
• German
• Italian
• Serbian
• Croatian
• Russian
• Hebrew
• Mandarin
• Japanese
• Korean
• Arabic

Is the audit conducted under a nondisclosure agreement?


All ISSI auditors are under a nondisclosure agreement (NDA) with Microsoft. Auditors must also comply
with requests from partners to sign a direct NDA.

How is the audit scored?
The partner score for the audit checklist is based on the checklist controls. To pass the audit, partners
must complete all sections in each control area. They must provide adequate evidence to demonstrate the
existence, effectiveness, and efficiency of their processes, policies, procedures, and tooling against each
checklist item.

What if I meet only some of the requirements?


Because this is an advanced specialization and an opportunity to truly differentiate your business, we
expect partners to demonstrate that they meet each of the controls by providing evidence that satisfies all
requirements.

What happens if I don’t pass the audit outright?


At the conclusion of the audit process, the auditor will issue a Final Report to the partner and notify
Microsoft of the pass or no pass result. Partners that receive a no pass result may reapply for the
advanced specialization in six (6) months. Partners that withdraw from the audit process without
completing the audit may submit a ticket through Partner Center support to request that their status be
reset to Not Enrolled, which enables them to reapply.

Audit process
Who conducts the audit?
The audit is carried out on behalf of Microsoft by an independent, third-party auditor, appointed by
Microsoft. The audit company is Information Security Systems International (ISSI).

Can I contact the auditor to schedule the audit before I apply or as soon as I apply?
No. The audit company, ISSI, cannot schedule your audit until it receives an official notification from
Microsoft. Microsoft will issue the notification only after you have shown that you meet all program
requirements and you have applied for an audit by selecting “schedule audit” from the Partner Center
dashboard. ISSI will reach out to you to begin the scheduling process within one to two (1-2) business days.

How long does the audit take?
The remote audit takes about a half to a full-day. However, significant preparation is required to be audit-
ready. We recommend that you read the audit checklist thoroughly and, to streamline your preparation,
consider the consulting and audit preparation overview offered by ISSI.

What is the difference between the audit and the consulting and audit preparation?
Consulting and the Audit Preparation Overview are optional and conducted by the third-party audit
company, ISSI. The purpose is to help partners prepare for the audit.

To ensure objectivity, audit preparation consulting is conducted by someone other than your assigned
remote auditor. You can schedule consulting engagements at any time by using your preferred
conferencing platform.

Are the consulting and audit preparation mandatory?


No, the consulting and Audit Preparation Overview are optional. However, we do recommend that you
opt for the consulting and audit preparation, because it can help ensure that you are more prepared for
the audit.

Partner FAQ: Advanced specialization overview
What is an advanced specialization?
An advanced specialization is an extensive validation of a partner’s capability to deliver high-fidelity
services in a specific solution area. Advanced specializations are customer-facing labels displayed on a
partner’s business profile. They are used in our customer referral engine to allow partners to showcase
their differentiated capabilities in a specific solution area. To earn an advanced specialization, partners
must first hold gold competency status in an aligned competency.

How is an advanced specialization different from a competency?


A competency measures a partner’s broad technical capability in a Microsoft product or technology. An
advanced specialization measures more in-depth capabilities in a specific solution area, such as Analytics
on Microsoft Azure. Advanced specializations require that a partner first have active gold competency
status in the competency that is aligned to the advanced specialization they are interested in earning.

Does a partner need a competency to earn an advanced specialization?


Yes. Advanced specializations can be earned only by partners with an aligned, active gold competency.
For example, to earn the Analytics on Microsoft Azure advanced specialization, partners must first have a
Gold Cloud Platform competency.

What advanced specializations are available to partners?


Certain competencies have different advanced specializations available to them. For details on all available
advanced specializations, go to the advanced specializations site.

Why would a partner want to get an advanced specialization?


With an advanced specialization, partners can differentiate their capabilities to customers that are looking
for partners to help them with a business need. Partners with an advanced specialization are listed first in
Partner Finder, a Microsoft-owned, customer-facing tool. Advanced specializations are also indicated on a
partner’s business profile alongside their competency status.

What are the benefits of an advanced specialization?


Partners with an advanced specialization are listed first in Partner Finder, a Microsoft-owned, customer-
facing tool. Advanced specializations are also indicated on a partner’s business profile alongside their
competency status.

How does a partner earn an advanced specialization?


Each advanced specialization has a set of requirements that a partner must meet. The criteria depend on
the advanced specialization the partner is seeking, but they can include performance requirements,
exams, customer evidence, and third-party certification, among others. For detailed criteria for individual
advanced specializations, go to your Partner Center dashboard. Advanced specializations are not available
in PMC.

Can a partner have more than one advanced specialization?
Yes, if you qualify, you can earn as many advanced specializations as you choose. Earning additional
advanced specializations will increase your visibility to customers in the Partner Finder tool.

Is a partner’s advanced specialization global or local?


It depends on how your company has set up your account. If your company has one (1) global account
(Partner Center MPN PGA ID), your advanced specialization is assessed and awarded at the global level. If
you have set up multiple Partner Center accounts (MPN PGA ID) to represent different divisions, countries,
subsidiaries etc., only the account that earned the advanced specialization will be awarded it.

Is there a cost associated with the advanced specialization?


Microsoft does not charge a program fee. However, there are direct costs associated with the following
requirements:

• Gold Cloud Platform competency


• Microsoft certifications
• The audit, optional ISSI consulting and audit preparation, and third-party certifications

In addition, there are indirect costs associated with preparation for the audit, including audit preparation
hours.

How long do partners keep their advanced specialization?


Your advanced specialization will remain in place for one (1) year, but it requires that you maintain an
active gold competency defined in the advanced specialization requirements. If you do not maintain your
Gold competency, you will lose your advanced specialization status. On your renewal date, you will need
to meet the then-current requirements. Requirements may evolve over time.

When do partners renew the advanced specialization?


On the anniversary date of earning the advanced specialization.

How does my company renew its advanced specialization?


Partners will need to renew against the then-current published requirements at the time of their renewal.

Do partners need to requalify for the advanced specialization after a specific period of time?
Yes. Partners must meet the requirements each year. You should expect the requirements to evolve year
over year, to best meet the needs of customers. Partners will be expected to undergo an annual audit as
part of the renewal process.

What happens to the advanced specialization if a partner does not renew their associated gold
competency?
To maintain an advanced specialization, partners must keep their gold competency status active at all
times.

How will my customer know whether my company has an advanced specialization?


Your advanced specialization will be listed on your Business Profile.

What can partners tell customers about advanced specializations?
An advanced specialization is a customer-facing label on your Business Profile. It is not a brand, and it
does not have a badge associated with it. However, you can tell your customers which advanced
specializations you have earned. They can validate by reviewing your Business Profile in the Partner Finder
tool.

What if my company has an endorsement now?


As advanced specializations go live, they replace endorsements on the customer-facing profile. Each
advanced specialization has published requirements for partners to meet to earn them.

Can a company have both an endorsement and an advanced specialization on its profile?
No. As advanced specializations go live, they replace endorsements on the customer-facing Partner
Profile.

Does a partner get a badge to use externally in their marketing to differentiate their advanced
specialization?
Advanced specializations do not have a badge or a logo. An advanced specialization is a label that is
displayed on the partner’s customer-facing Partner Profile.

Other questions?
If you have any questions that we have not answered in this document, go to Partner Center support to
create a ticket with our Frontline team.
