Understand Microsoft personnel security governance

Microsoft works to maintain a safe and secure environment to protect our employees, customers, property, personal data, and proprietary information. To achieve this goal, our enterprise-wide security policies include a comprehensive background screening program and mandatory training in our Standards of Business Conduct. To protect our systems and customer data when an employee is terminated, our offboarding process includes procedures for quickly revoking access to all Microsoft facilities and information systems.

Pre-employment screening

Microsoft 365 screening practices align with Microsoft's Corporate Standards and National Institute of Standards and Technology (NIST) 800-53 for personnel screening.

To the extent permissible by local law, pre-employment screening checks include:

  • Confirmation of identity
  • Criminal history check
  • Confirmation of highest level of academic achievement
  • Employment history
  • Global sanctions and enforcement check

Staff involved in the development, operation, or delivery of online services to government or commercial cloud customers may be subject to additional checks to comply with relevant privacy laws. In addition, rescreening every two years is required to maintain eligibility for a service team account. Access is automatically revoked for personnel who do not pass rescreening or fail to complete rescreening requirements.

Employee obligations

Employment with Microsoft is subject to specific conditions and obligations as formally identified in our employee agreement. The primary goal of the employee agreement is to protect our employees, customers, property, personal data, and proprietary information. Employee obligations include avoiding conflicts of interest and protecting Microsoft proprietary information through non-disclosure agreements. To enforce these obligations, Microsoft requires all employees to agree to our Standards of Business Conduct and complete related training.

We use a Learning Management System platform that delivers training materials and tracks each employee's completion of training requirements. These trainings include business ethics, employee safety, privacy, anti-harassment, and zero tolerance for non-ethical behavior. At the end of the course, employees must attest that they will abide by the Microsoft code of business conduct, which is tracked at the organization level.

Transfer

Established procedures and automated workflows handle all aspects of employee transfers, ensuring that the proper paperwork is completed and that access unnecessary for the employee’s new role is removed. Employee transfers are initiated through a transfer transaction request submitted to HR by the employee’s manager. Global Talent Acquisition is then engaged, providing the employee with an offer letter for their new role. Once the offer is accepted, HR approves the request in the HR Information System, triggering access control systems to automatically set an expiration date on all access the employee had in their previous role. Any access that is required for their new position must be requested by the employee and approved by their new manager.

Termination

Microsoft uses clearly defined policies and procedures to promptly revoke physical and logical access to Microsoft systems and resources when an employee is terminated. Our termination process ensures that former Microsoft employees cannot access data or systems after their employment ends. Our HR systems interface with our identity management tools to automatically revoke access for service team accounts.
