To independently assess Microsoft's security, privacy, and compliance controls, refer to the following official Microsoft resources:
- Microsoft Trust Center – https://www.microsoft.com/en-us/trust-center
  Overview of Microsoft's data security, privacy commitments, and compliance standards across its cloud services.
- Microsoft Service Trust Portal * – https://aka.ms/STP
  Downloadable audit reports (SOC 1/2/3, ISO 27001, FedRAMP, etc.), certifications, whitepapers, and privacy documentation. Documentation on using the STP is available at https://learn.microsoft.com/en-us/compliance/assurance/stp-get-started
- Microsoft Compliance Manager – Build and manage assessments in Microsoft Purview Compliance Manager
  Compliance management tool with 360+ regulatory assessment templates to help evaluate compliance against standards such as NIST CSF, FedRAMP, and HIPAA. (Use of the regulatory assessment templates may require additional subscriptions.)
- Microsoft Compliance Offerings – Compliance offerings for Microsoft 365, Azure, and other Microsoft services
  Complete directory of Microsoft's compliance certifications, organized into US Government, Global, Industry, and Regional categories.
* Note that publications on the Service Trust Portal are not public documents, and anonymous access to these reports and assessments may not be permitted. Authorized Entra accounts assigned the appropriate admin roles may download the audit reports and attestations published there.
For specific security or compliance questions, open an advisory support case under your organization's Unified Enterprise agreement. An authorized contact for the agreement can do this through https://serviceshub.microsoft.com or by phone at 800-936-3100.
For broader security or compliance assistance, work through your Unified Enterprise Customer Success Account Manager to discuss funding a Security Architect engagement through Unified Enterprise proactive services.
For organizations without a Unified Enterprise agreement that require direct assistance, work with a Microsoft Partner with expertise in compliance and risk assessments to discuss a professional services engagement. Government organizations I've worked with in the past have engaged Bridewell, Epiq Global, and Patriot Consulting. If you are a customer of mine and require a direct contact, reach out and I can provide one.
