Azure, Dynamics 365, Microsoft 365, and Power Platform compliance offerings

You're wholly responsible for ensuring your own compliance with all applicable laws and regulations. Information provided in Microsoft online documentation doesn't constitute legal advice, and you should consult your legal advisor for any questions regarding regulatory compliance.

Overview

Azure is a multi-tenant hyperscale cloud platform that is available in more than 60 regions worldwide. Most Azure services enable you to specify the region where your customer data will be located. Microsoft may replicate your customer data to other regions within the same geography for data resiliency but Microsoft won't replicate your customer data outside the chosen geography (for example, United States).

Microsoft makes the following Azure cloud environments available:

  • Azure is available globally. It is sometimes referred to as Azure commercial, Azure public, or Azure global.
  • Azure China is a physically separated instance of cloud services located in China. It's independently operated and transacted by 21Vianet, one of the country‚Äôs largest Internet providers.
  • Azure Government is available from five regions in the United States to US government agencies and their partners. Two regions (US DoD Central and US DoD East) are reserved for exclusive use by the US Department of Defense.
  • Azure Government Secret is available from three regions exclusively for the needs of US Government and designed to accommodate classified Secret workloads and native connectivity to classified networks.
  • Azure Government Top Secret serves the national security mission and empowers leaders across the Intelligence Community (IC), Department of Defense (DoD), and Federal Civilian agencies to process national security workloads classified at the US Top Secret level.

To help you meet your own compliance obligations across regulated industries and markets worldwide, Azure maintains the largest compliance portfolio in the industry both in terms of breadth (total number of offerings), as well as depth (number of customer-facing services in assessment scope). For service availability, see Products available by region.

Compliance offerings are grouped into four segments: globally applicable, US government, industry specific, and region/country specific. Compliance offerings are based on various types of assurances, including formal certifications, attestations, validations, authorizations, and assessments produced by independent third-party auditing firms, as well as contractual amendments, self-assessments, and customer guidance documents produced by Microsoft. Each offering description provides links to downloadable resources to assist you with your own compliance obligations.

Services in audit scope

Azure compliance certificates and audit reports state clearly which cloud services are in scope for independent third-party audits. Different audits may have different online services in audit scope. The following Azure, Dynamics 365, Microsoft 365, and Power Platform online services are covered in various Azure audit documents:

  • Azure (for detailed insight, see Azure certificates and audit reports or Cloud services in audit scope)
  • Azure DevOps (see separate Azure DevOps certificates and audit reports)
  • Dynamics 365 (for detailed insight, see Azure certificates and audit reports or Cloud services in audit scope)
  • Intelligent Recommendations
  • Microsoft 365 Defender (formerly Microsoft Threat Protection)
  • Microsoft AppSource
  • Microsoft Bing for Commerce
  • Microsoft Cloud for Financial Services
  • Microsoft Defender for Cloud (formerly Azure Security Center)
  • Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)
  • Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
  • Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
  • Microsoft Defender for IoT (formerly Azure Defender for IoT)
  • Microsoft Graph
  • Microsoft Intune
  • Microsoft Managed Desktop
  • Microsoft Sentinel (formerly Azure Sentinel)
  • Microsoft Stream
  • Microsoft Threat Experts
  • Nomination Portal
  • Power Apps
  • Power Automate (formerly Microsoft Flow)
  • Power BI
  • Power BI Embedded
  • Power Virtual Agents
  • Universal Print
  • Update Compliance

Office 365 services are covered in separate compliance certificates and audit reports maintained by Office 365. For more information, see Microsoft 365 compliance documentation.

Audit documentation

You must have an existing subscription or free trial account in Azure or Azure Government to download audit documents.

You can access Azure, Dynamics 365, Power Platform, and other Microsoft cloud services audit documentation via the Service Trust Portal (STP). You must sign in to access audit documentation on the STP. For more information, see Get started with Microsoft Service Trust Portal. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

You can find audit documentation in the following STP folders:

  • ISO for ISO certificates and assessment reports.
  • SOC for SOC 1, SOC 2, and SOC 3 attestation reports.
  • PCI for PCI DSS and PCI 3DS attestations of compliance and related documents.
  • Healthcare and Life Sciences for HITRUST certification letters and related documents.
  • FedRAMP for Azure Commercial FedRAMP System Security Plan and penetration test reports.
  • United States Government for various attestation letters applicable to Azure and Azure Government, including DFARS, CNSSI 1253, MARS-E, NIST SP 800-161, NIST SP 800-171, IRS 1075, and others.
  • And other STP folders applicable to industry and regional compliance offerings.

For access to Azure Government Secret or Azure Government Top Secret documentation, contact your Microsoft account team.

Improve your regulatory compliance

Microsoft Defender for Cloud helps streamline the process for meeting regulatory compliance requirements, using the regulatory compliance dashboard. Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the standards that you've applied to your subscriptions. The dashboard reflects the status of your compliance with these standards. For more information, see Tutorial: Improve your regulatory compliance.

Resources