Hello, this doc https://learn.microsoft.com/en-us/azure/security/fundamentals/pen-testing states:
--------------------
As of June 15, 2017, Microsoft no longer requires pre-approval to conduct a penetration test against Azure resources. This process is only related to Microsoft Azure, and not applicable to any other Microsoft Cloud Service. Important: While notifying Microsoft of pen testing activities is no longer required customers must still comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement.
--------------------
The "Microsoft Cloud Unified Penetration Testing Rules of Engagement" states:
-------------------
Any violation of these Rules of Engagement or the relevant service terms may result in suspension or termination of your account and legal action as set forth in the Microsoft Online Service Terms. You are responsible for any damage to the Microsoft Cloud and other customers data or use of the Microsoft Cloud that is caused by any failure to abide by these Rules of Engagement or the Microsoft Online Service Terms.
-------------------
I wish to confirm the following.
So long as the "RULES OF ENGAGEMENT TO PERFORM PENETRATION TESTING ON THE MICROSOFT CLOUD" are followed, does this mean that even if the Microsoft Cloud and other customers' data is damaged, so long as "the report is validated and is submitted to the Microsoft Security Response Center (MSRC)", the party running the test will be protected from "You are responsible for any damage to the Microsoft Cloud and other customers data"?
The party I am asking on behalf of is stuck in a Catch-22. They don't want to be held responsible if the penetration test breaks something. That being said, this documentation and the FAQs at the bottom of the doc (https://www.microsoft.com/en-us/msrc/faqs-report-an-issue?rtc=1) all seem to apply only after the penetration test has been performed.
Is there any way / method of submitting a penetration test for review (I have a detailed Excel file, but it's in Japanese) prior to running the test, in order to protect themselves from litigation?
Thank you