In-Scope
The Microsoft Compliance & Assurance team helps customers understand how Microsoft services align with key security, privacy, and compliance standards. This includes support for Microsoft’s Core Online Services, which are audited against:
- SSAE 18 SOC 1 Type II – Financial reporting controls
- SSAE 18 SOC 2 Type II – Controls for security, availability, integrity, confidentiality, and privacy
Audited Online Services:
Online Service | SSAE 18 SOC 1 Type II | SSAE 18 SOC 2 Type II |
---|---|---|
Office 365 Services | Yes | Yes |
Microsoft 365 Compliance Services | Yes | Yes |
Microsoft Dynamics 365 Core Services | Yes | Yes |
Microsoft Azure Core Services | Varies* | Varies* |
Microsoft Defender for Cloud Apps | Yes | Yes |
Microsoft Intune Online Services | Yes | Yes |
Microsoft Power Platform Core Services | Yes | Yes |
Microsoft Defender for Endpoint Services | Yes | Yes |
Microsoft 365 Defender | Yes | Yes |
*Coverage for Azure Core Services may vary depending on the specific service or region.
Key areas included in the Compliance Program:
- Regulatory compliance and cloud risk management
- Shared responsibility guidance between Microsoft and customers
- Support resources, including:
  - Audit reports (ISO, SOC, FedRAMP)
  - Compliance with regulations (HIPAA, NIST 800-53/171, etc.)
  - Control mapping and security questionnaires
  - Threat & Vulnerability Risk Assessment (TVRA) report requests
  - Penetration testing and vulnerability assessments
  - Subprocessor and supplier management
  - Data protection, privacy laws, and regulatory updates
  - Data location, processing, and EU Data Boundary (EUDB)
  - Datacenter operations and business continuity planning
  - Support for FSI regulatory requirements and risk profiles
For more details, visit the Microsoft Compliance site or contact your Microsoft representative.
Out-of-Scope
This section outlines inquiries that fall outside the scope of the Microsoft Compliance & Assurance team. While these are frequently asked by customers, they are better addressed by specialized teams. When such inquiries arise, CPMC will coordinate with the appropriate Microsoft contacts to ensure support is provided.
Topic | Recommended Route / Resources |
---|---|
Technical blockers (e.g., Design Change Requests) | Use the Unified Action Tracker to log and manage engagement or milestone-related issues. |
Enterprise Agreement (EA) contract/legal issues | Contact your CELA partner. If unknown, use Find CELA Contact. |
Competitive trends / scenario analysis | Work with your Go-To-Market (GTM) team or visit Microsoft Transform. |
Volume licensing inquiries | Engage with your Deal Desk for licensing support. |
Break/Fix escalations or product feature issues | Reach out to Customer Service & Support (CSS). |
Advanced advisory support | Consider engaging a Cloud Solution Architect - Engineering (CSA-E). |
Deployment support / data migration / configuration | Use Microsoft 365 FastTrack or Azure FastTrack services. |
Purview engineering assistance | Submit a request via Request CAT Assistance. |
RFI / RFP support | Leverage Microsoft Proposal Professionals or use the RFPIO tool. |
DPIA (Data Protection Impact Assessment) | Use the customizable DPIA template and consult your CELA partner for complex cases. |
DTIA (Data Transfer Impact Assessment) | Refer to the DTIA FAQ and the whitepaper on EU data transfer compliance. |
Corporate responsibility information | Visit the Microsoft CSR site. |
Office locations, insurance certificates | Use Microsoft Investor Relations or email certs@microsoft.com with a request form. |
Product-related escalations | Email cmpms@microsoft.com for assistance. |
Incident response communications | Access official guidance from the Incident Response Hub. |
Security vulnerability investigations | Use Microsoft Security Response Center to submit reports. Review issues using Security Fundamentals and Cybersecurity Reference Architecture before submission. |
Inquiries regarding Microsoft's technical support data handling and privacy policies | These inquiries are handled by Microsoft Professional Services and the TrIP (Trust in Professional Services) Team. If customers have questions about how Microsoft handles data in support scenarios or compliance policies related to Microsoft Support engagements, they can do the following: (1) open a request with the TrIP Team via Create a Privacy Review Request; (2) learn more about Microsoft Professional Services, which includes consultants, engineers, and technical architects supporting customer success. The TrIP Team oversees data handling policies, authorized information disclosure, and the privacy and security governance of Microsoft’s support services. |
Get More Information
For further details, please contact us.