Personnel management overview
How does Microsoft screen prospective employees?
Microsoft follows rigorous personnel screening requirements for all candidates, which includes full-time, part-time employees and interns. All candidates are screened prior to beginning employment at Microsoft.
Background checks on employment candidates generally include review of the following components, to the extent permitted by law:
- Identity check
- Education verification
- Employment verification
- Criminal record review
- Sex offender registry review
- Global sanctions list review
What additional checks are performed for employees that manage cloud services?
In addition to pre-employment screening, Microsoft employees who maintain Microsoft online services in the United States must undergo a Microsoft Cloud Background Check as a prerequisite for access to online services systems. The requirements of background check vary to comply with applicable laws and service delivery models. The results from the Microsoft Cloud Background Check are stored in our employee database and must be renewed every two years at a minimum. If the Microsoft Cloud Background Check expires and the employee doesn’t renew it, access to online services is revoked and no longer available until the Microsoft Cloud Background Check is completed. Likewise, when the employment relationship with Microsoft ends, all access is immediately revoked.
How does Microsoft ensure employees maintain sufficient skills and knowledge to perform their responsibilities and follow Microsoft policies?
All Microsoft employees are required to complete basic security awareness training. Initial training occurs when a new employee begins working at Microsoft, and annual refresher training takes place every year thereafter. The training is designed to provide the employee with an understanding of Microsoft's fundamental approach to security. Applicable role-based security training is also required prior to granting any specific access needed for an individual's job responsibilities. Microsoft employees' security training is refreshed on an annual basis, and when system or policy changes warrant new training.
In addition to security awareness training, Microsoft employees must complete Standards of Business Conduct training. This training includes business ethics, employee safety, privacy, anti-harassment, and zero tolerance for non-ethical behavior. At the end of the course, employees must attest that they’ll abide by the Microsoft code of business conduct, which is tracked at the organization level. The Standards of Business Conduct training are refreshed on an annual basis.
How does Microsoft revoke access for employees who leave Microsoft?
Microsoft uses clearly defined policies and procedures to promptly revoke physical and logical access to Microsoft systems and resources when an employee leaves Microsoft or is terminated. Microsoft's termination process ensures that former Microsoft employees can’t access data or systems after their employment ends.
When a service team user's employment is marked as terminated, this information propagates to the Microsoft account management tool, which automatically removes the terminated employee's domain account. Any access badges or other physical authenticators issued to the terminated employee are collected at the time of the exit interview or termination.
How does Microsoft ensure third-party suppliers meet the same personnel requirements as Microsoft employees?
Microsoft online services require third-party suppliers to have a signed Master Supplier Services Agreement (MSSA). This agreement requires the supplier to comply with Microsoft policies and procedures, including personnel security policies and procedures. Microsoft monitors compliance with screening requirements for third-party personnel by tracking the outcome of screening directly. Microsoft requires suppliers to conduct background screens for all persons who need access to Microsoft’s facilities and/or network. For specific roles, a Supplier may be required to provide attestation as evidence that the person completed the cloud background screen requirements.
Related external regulations & certifications
Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to human resources.
Azure and Dynamics 365
| External audits | Section | Latest report date |
|---|---|---|
| ISO 27001/27002 Statement of Applicability Certificate |
A.7: Human resource security | November 6, 2023 |
| ISO 27017 Statement of Applicability Certificate |
A.7: Human resource security | November 6, 2023 |
| SOC 1 | IS-4: Security training OA-3: Account revocation |
November 17, 2023 |
| SOC 2 SOC 3 |
C5-2: Supplier risk assessment ELC-6: Supplier code of conduct IS-4: Security training OA-3: Account revocation SOC2-1: Disciplinary actions SOC2-12: Background checks SOC2-13: Employment agreements SOC2-14: Confidentiality and non-disclosure agreements |
November 17, 2023 |
Microsoft 365
| External audits | Section | Latest report date |
|---|---|---|
| FedRAMP (Office 365) | AT-2: Security awareness AT-3: Role-based security training AT-4: Security training records PS-3: Personnel screening PS-4: Personnel termination PS-5: Personnel transfer PS-7: Third-party personnel security |
July 31, 2023 |
| ISO 27001/27002/27017 Statement of Applicability Certification (27001/27002) Certification (27017) |
A.7: Human resource security | March 2024 |
| SOC 1 | CA-08: Background checks CA-43: Account revocation |
January 23, 2024 |
| SOC 2 | CA-07: Standards of Business Conduct (SBC) CA-08: Background checks CA-43: Account revocation ELC-08/13/14: Employment agreements |
January 23, 2024 |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for