Use SOC2 as proof for a client

Question

Use SOC2 as proof for a client

Yiz Segall 40

Hi,

I need to prove to a client that my app on Azure is SOC2 and/or ISO compliant. I know that there are certificates, but it seems that I can't use them.

Is there something I can show a client?

Bhargavi Naragani 7,940 Reputation points Microsoft External Staff Moderator

2025-08-13T11:00:31.6466667+00:00
Hi Yiz Segall,

Azure App Service itself is already covered under Microsoft’s SOC 2 Type 2 and ISO/IEC 27001:2022 compliance certifications. Since these certifications belong to Microsoft (as the cloud provider), you can’t directly use the certificate as if it’s issued to your own company but you can share Microsoft’s official compliance reports with your client as proof.

You can access and download the latest reports through the Microsoft Service Trust Portal (sign in with a Microsoft account):

SOC 2 Type 2 attestation report (bi-annual audit, includes trust service criteria)

Quarterly bridge letters to cover gaps between audit periods

ISO/IEC 27001:2022 certification and audit report

These documents list Azure App Service as an in-scope service, so they directly apply to your deployment.

You can verify this in Microsoft’s public compliance pages here:

SOC 2 Type 2: https://learn.microsoft.com/azure/compliance/offerings/offering-soc-2

ISO/IEC 27001:2022: https://learn.microsoft.com/azure/compliance/offerings/offering-iso-27001

Hope this helps, if you have any further concerns or queries, please feel free to reach out to us.
Yiz Segall 40 Reputation points

2025-08-13T11:22:24.07+00:00

Yes but when you download them, it says that you can't share them.
Bhargavi Naragani 7,940 Reputation points Microsoft External Staff Moderator

2025-08-19T08:13:17.84+00:00

Hi Yiz Segall,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

1 answer

Your answer

Bhargavi Naragani 7,940 Reputation points Microsoft External Staff Moderator

2025-08-13T11:00:31.6466667+00:00

Hi Yiz Segall,

Azure App Service itself is already covered under Microsoft’s SOC 2 Type 2 and ISO/IEC 27001:2022 compliance certifications. Since these certifications belong to Microsoft (as the cloud provider), you can’t directly use the certificate as if it’s issued to your own company but you can share Microsoft’s official compliance reports with your client as proof.

You can access and download the latest reports through the Microsoft Service Trust Portal (sign in with a Microsoft account):

SOC 2 Type 2 attestation report (bi-annual audit, includes trust service criteria)

Quarterly bridge letters to cover gaps between audit periods

ISO/IEC 27001:2022 certification and audit report

These documents list Azure App Service as an in-scope service, so they directly apply to your deployment.

You can verify this in Microsoft’s public compliance pages here:

SOC 2 Type 2: https://learn.microsoft.com/azure/compliance/offerings/offering-soc-2

ISO/IEC 27001:2022: https://learn.microsoft.com/azure/compliance/offerings/offering-iso-27001

Hope this helps, if you have any further concerns or queries, please feel free to reach out to us.
Yiz Segall 40 Reputation points

2025-08-13T11:22:24.07+00:00

Yes but when you download them, it says that you can't share them.
Bhargavi Naragani 7,940 Reputation points Microsoft External Staff Moderator

2025-08-19T08:13:17.84+00:00

Hi Yiz Segall,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

Yiz Segall, you’re correct, the SOC 2 and ISO audit reports you download from the Microsoft Service Trust Portal are marked Microsoft Confidential, which means they can’t be redistributed. This restriction is part of Microsoft’s non-disclosure agreement (NDA) terms for accessing those documents.

However, there are a couple of fully supported ways you can still prove compliance to your own client:

Have your client access the reports directly

If they have a Microsoft account (any Azure, Microsoft 365, or free personal account works), they can sign in to the Service Trust Portal themselves and download the same SOC 2 and ISO audit reports you see.
This way, you are not redistributing confidential files, you are simply guiding them to the official source.

Use Microsoft’s publicly shareable compliance summaries

Microsoft publishes public overview pages for SOC 2 and ISO certifications that can be freely shared. These pages confirm Azure App Service is in-scope and that Microsoft holds valid, current certifications. SOC 2: https://learn.microsoft.com/azure/compliance/offerings/offering-soc-2 ISO/IEC 27001:2022: https://learn.microsoft.com/azure/compliance/offerings/offering-iso-27001
You can explain that your app inherits the same security and compliance controls as the Azure platform it runs on, and point to the public Microsoft documentation as verification.

Medha Bhatt 36 Reputation points

2025-11-21T10:50:23.8366667+00:00

@Anonymous (#)download link does not work - it keeps showing me loader - UI is entirely messed up. How do I download the SOC2 report for M365 and Azure?

Share via

Use SOC2 as proof for a client

1 answer

Your answer