Azure, Dynamics 365, Microsoft 365, and Power Platform compliance offerings

You're wholly responsible for ensuring your own compliance with all applicable laws and regulations. Information provided in Microsoft online documentation doesn't constitute legal advice, and you should consult your legal advisor for any questions regarding regulatory compliance.

Overview

Azure is a multi-tenant hyperscale cloud platform that is available in more than 60 regions worldwide. Most Azure services enable you to specify the region where your customer data will be located. Microsoft may replicate your customer data to other regions within the same geography for data resiliency but Microsoft won't replicate your customer data outside the chosen geography (for example, United States).

Microsoft makes the following Azure cloud environments available:

  • Azure is available globally. It is sometimes referred to as Azure commercial, Azure public, or Azure global.
  • Azure China is available through a unique partnership between Microsoft and 21Vianet, one of the country‚Äôs largest Internet providers.
  • Azure Government is available from five regions in the United States to US government agencies and their partners. Two regions (US DoD Central and US DoD East) are reserved for exclusive use by the US Department of Defense.
  • Azure Government Secret is available from three regions exclusively for the needs of US Government and designed to accommodate classified Secret workloads and native connectivity to classified networks.
  • Azure Government Top Secret serves the national security mission and empowers leaders across the Intelligence Community (IC), Department of Defense (DoD), and Federal Civilian agencies to process national security workloads classified at the US Top Secret level.

To help you meet your own compliance obligations across regulated industries and markets worldwide, Azure maintains the largest compliance portfolio in the industry both in terms of breadth (total number of offerings), as well as depth (number of customer-facing services in assessment scope). For service availability, see Products available by region.

Compliance offerings are grouped into four segments: globally applicable, US government, industry specific, and region/country specific. Compliance offerings are based on various types of assurances, including formal certifications, attestations, validations, authorizations, and assessments produced by independent third-party auditing firms, as well as contractual amendments, self-assessments, and customer guidance documents produced by Microsoft. Each offering description provides links to downloadable resources to assist you with your own compliance obligations.

Services in audit scope

Azure compliance certificates and audit reports state clearly which online services are in scope for independent third-party audits. Different audits may have different online services in audit scope. The following Azure, Dynamics 365, Microsoft 365, and Power Platform online services are covered in various Azure audit documents:

  • Azure (for detailed insight, see Azure certificates and audit reports or Microsoft Azure Compliance Offerings)
  • Azure DevOps (see separate Azure DevOps certificates and audit reports)
  • Dynamics 365 (for detailed insight, see Azure certificates and audit reports)
  • Intelligent Recommendations
  • Microsoft 365 Defender (formerly Microsoft Threat Protection)
  • Microsoft AppSource
  • Microsoft Bing for Commerce
  • Microsoft Cloud for Financial Services
  • Microsoft Defender for Cloud (formerly Azure Security Center)
  • Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)
  • Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
  • Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
  • Microsoft Defender for IoT (formerly Azure Defender for IoT)
  • Microsoft Graph
  • Microsoft Intune
  • Microsoft Managed Desktop
  • Microsoft Sentinel (formerly Azure Sentinel)
  • Microsoft Stream
  • Microsoft Threat Experts
  • Nomination Portal
  • Power Apps
  • Power Automate (formerly Microsoft Flow)
  • Power BI
  • Power BI Embedded
  • Power Virtual Agents
  • Universal Print
  • Update Compliance

Office 365 services are covered in separate compliance certificates and audit reports maintained by Office 365. For more information, see Microsoft 365 compliance documentation.

Audit documentation

You must have an existing subscription or free trial account in Azure or Azure Government to download audit documents.

You can access Azure audit reports and related documentation via the Service Trust Portal (STP). You must sign in to access audit reports on the STP. For more information, see Get started with Microsoft Service Trust Portal.

Alternatively, you can access certain attestation documents from the Azure or Azure Government portal by navigating to Home > Microsoft Defender for Cloud > Regulatory compliance > Audit reports or using direct links based on your subscription (sign in required):

For access to Azure Government Secret or Azure Government Top Secret documentation, contact your Microsoft account team.

Resources