Leveraging the Azure SOC 2 – How to Build a SOC 2 Compliant Product or Service

Using Azure SOC 2 to build SOC 2 compliance

Let me tell you a secret: Auditors don’t hate IaaS cloud platforms. We just dislike cloud chaos.

As a SOC 2 auditor, I’ve seen things. Shared administrator accounts. Production secrets in plaintext. And one time—brace yourself—a company used a whiteboard to track administrator access credentials. I wish I were kidding.

Every once in a while, I stumble across an environment that makes use of a cloud platform and leverages a shared responsibility model to meet its SOC 2 requirements. It’s organized, secure, and blessedly…boring. In some cases, that’s when I realize: Oh, they’re using a cloud IaaS tool such as Microsoft Azure.

Microsoft’s Azure cloud computing services are designed to facilitate its clients’ compliance with various security frameworks and standards. Companies leverage Microsoft’s compliant architecture so that certain requirements (e.g., data center physical security and environmental controls) are the responsibility of Microsoft. This is a huge advantage to small to medium-sized businesses that don’t have the resources to maintain all the internal controls necessary to pass a SOC 2 or other type of IT audit. Microsoft offers a variety of levels of service where they take varying degrees of responsibility for IT controls. Microsoft can’t perform every IT control for every client, so there is always some degree of responsibility that remains with Azure users to maintain their own internal controls.

Let’s talk about how Microsoft Azure helps make SOC 2 audits less terrifying—for everyone involved.

1. Identity and Access Management: Azure AD to the Rescue

This feature primarily addresses the SOC 2 Security & Access Controls. I once asked a client which accounts had administrator access. They shared a manually tracked Excel sheet with me where they listed administrator accounts. If only they had known about Azure Active Directory (Azure AD). With its role-based access control (RBAC), conditional access policies, and multi-factor authentication baked in, Azure AD checks many SOC 2 audit boxes.

Pro tip: We give bonus credit to any team using Privileged Identity Management (PIM) to enforce just-in-time access. That’s the kind of buttoned-up behavior that makes auditors weep tears of joy.

2. Logging Like a Legend: Azure Monitor & Log Analytics

When it comes to the SOC 2 Monitoring & Incident Response principle, Azure offers powerful solutions. You’d be surprised how many companies forget to log… everything. Once, a dev told me logs “weren’t a priority” while production was actively down. But with Azure Monitor and Log Analytics, you can collect logs from virtually every service, set alerts, and track anomalies like a cyber-sleuth. When I see real-time dashboards with audit trails, I do a little celebratory dance inside (outside, it’s a subtle nod).

Also, Microsoft Sentinel—Azure’s cloud-native SIEM—automatically surfaces threats. And if you’ve ever watched an engineer get a live Sentinel alert during a walkthrough and actually fix something mid-audit, you know that’s peak compliance theater.

3. Configuration and Change Management: Azure Policy

For addressing the SOC 2 Change Control principle, Azure Policy comes to the rescue. Ah, yes, change management. The phrase alone causes spontaneous eye rolls in engineering teams. But enter Azure Policy—the unsung hero of configuration control. It lets you define and enforce rules across your Azure environment. Want to make sure no one’s deploying public-facing VMs or skipping encryption? Just write a policy. Once, a dev told me they “thought” all storage was encrypted. We opened the Azure Policy dashboard. It said otherwise. The dev turned a pale shade of red.
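To make the "just write a policy" step concrete, here is an added Python example (not code from the article or from Microsoft) that encodes a deny rule in Azure Policy's JSON rule language and walks it over constructed storage-account records with a minimal evaluator. The evaluator models only the allOf/anyOf/field operators the rule uses, and the alias names are assumed to match Azure's documented storage-account aliases.

```python
# Added teaching model of Azure Policy rule evaluation, not Azure's engine.
# The rule mirrors the built-in "Secure transfer to storage accounts should be
# enabled" check and adds a minimum-TLS condition; aliases are assumed.
POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": "true"},
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
             "notEquals": "TLS1_2"},
        ]},
    ]},
    "then": {"effect": "deny"},
}

def _norm(value):
    # Azure Policy compares field values as case-insensitive strings.
    return None if value is None else str(value).lower()

def matches(cond, resource):
    """True when the policy condition matches the (flattened) resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    actual = _norm(resource.get(cond["field"]))  # missing field -> None
    if "equals" in cond:
        return actual == _norm(cond["equals"])
    if "notEquals" in cond:
        return actual != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")

def effect(resource, policy=POLICY):
    """'deny' when the rule matches; otherwise the policy has no effect."""
    return policy["then"]["effect"] if matches(policy["if"], resource) else "allow"

# Constructed sample resources, keyed by the aliases Azure Policy uses.
STG = "Microsoft.Storage/storageAccounts"
RESOURCES = {
    "stgood": {"type": STG, f"{STG}/supportsHttpsTrafficOnly": True, f"{STG}/minimumTlsVersion": "TLS1_2"},
    "sthttp": {"type": STG, f"{STG}/supportsHttpsTrafficOnly": False, f"{STG}/minimumTlsVersion": "TLS1_2"},
    "stoldtls": {"type": STG, f"{STG}/supportsHttpsTrafficOnly": True, f"{STG}/minimumTlsVersion": "TLS1_0"},
    "vm01": {"type": "Microsoft.Compute/virtualMachines"},
}

def report(resources=RESOURCES):
    """Map each resource name to the effect the policy would apply."""
    return {name: effect(res) for name, res in resources.items()}
```

Running `report()` shows the two storage accounts that skipped HTTPS-only or a modern TLS floor as denied, while the compliant account and the unrelated VM are untouched.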

4. Data Protection: Key Vault and Encryption Everywhere

The SOC 2 Confidentiality principle requires robust data protection measures, and Azure delivers. Treat your sensitive data like a burrito: wrapped tightly and encrypted at rest and in transit. Azure makes this a breeze with Azure Key Vault for managing secrets, keys, and certs. Bonus points if you’re rotating secrets automatically and logging access. (Seriously, I will look at those logs.) And with services like Storage Service Encryption, Azure Disk Encryption, and TLS enforcement, even your backups can sleep soundly.

5. Governance and Oversight: Azure Security Center & Compliance Manager

For the crucial SOC 2 Governance principle, Azure provides comprehensive tools. You know what’s great? Dashboards. Especially dashboards that tell me your environment is 93% compliant and even give remediation guidance. Microsoft Defender for Cloud (formerly Security Center) gives a security score that maps to SOC 2 criteria. And Microsoft Purview Compliance Manager offers a control-by-control breakdown of your readiness. It’s like SOC 2 with training wheels. One client even shared their Compliance Manager dashboard before I asked.

Frequently Asked Questions About Azure

Below are answers to the most common questions I receive about Azure and SOC 2 compliance. These insights will help you better understand how to leverage Azure in your compliance journey.

Is Microsoft Azure SOC 2 Compliant?

Yes – Azure is SOC 2 compliant along with the following additional third-party validated frameworks: ISO/IEC, SOC 1-3, FedRAMP, HITRUST, IRAP, HIPAA, PCI, and ENS. If your company needs to comply with any of these frameworks and you leverage Azure, you are already meeting some of the requirements of each framework by inheriting Microsoft’s Azure controls.

If I Leverage Azure’s SOC 2 Compliant Architecture, Does that Make My Company SOC 2 Compliant?

Yes and No – you will inherit some of Azure’s controls required to meet the SOC 2 criteria, but still be responsible for other controls. For example, some of the SOC 2 criteria are related to management oversight of information security and governance, employee onboarding and offboarding, system development, and identity management of system access. While Microsoft can provide architecture and tools to support their customers’ service, they cannot perform any of the controls related to information security oversight, HR processes, or access provisioning and de-provisioning. If you use Azure and get a SOC 2 report, your auditor should carve out the controls that Microsoft is responsible for and only include the controls your company is responsible for to meet the applicable SOC 2 criteria.

Which SOC 2 Requirements Does Azure Help Meet?

Azure Shared Responsibility Model

Prior to going through a SOC 2 audit, your auditor will need to determine which controls are the responsibility of Azure and which are the responsibility of your company. The controls Azure will be responsible for are dependent on the type of service your company leverages from Microsoft. One important aspect of a shared responsibility model is that there needs to be adequate governance at the top of the organization to understand and manage the division of responsibilities in meeting security requirements.

Azure as a Subservice Organization in Your SOC 2

If you use Azure to host your infrastructure and receive your own SOC 2 report, Azure is likely “carved out” of your report. Carved out is auditor-speak for not including Azure’s controls in your SOC 2 report and placing reliance on the work that Azure’s auditor did to confirm controls were operating effectively in their environment. Your SOC 2 report should identify which of the SOC 2 criteria Azure is responsible for, and Azure’s controls would be considered complementary subservice organization controls within your report. In the unlikely event that Azure allowed your auditor to test Azure controls in addition to your controls, the report would be inclusive. See our past blog to learn more about the difference between carve out vs. inclusive reports.

Azure Vendor Monitoring

Trust, but Verify – Microsoft has built a reputation of trust related to the use of its Azure cloud services. They have also engaged a third-party SOC 2 auditor to test their internal controls and map them to SOC 2 criteria. It is incumbent on any customer of Azure’s cloud services to understand which SOC 2-related controls are the responsibility of Microsoft and which are the responsibility of the service organization. After the SOC 2-related controls that Azure provides to support your service are identified, it is important to develop vendor monitoring procedures to determine whether Azure is fulfilling their responsibilities and operating the relevant controls effectively. For additional guidance, see our past blog regarding vendor and subservice organization monitoring.

Should My SOC 2 Be Less Expensive Because We Are Leveraging Microsoft Azure?

Yes, you should save money on your SOC 2 by leveraging Azure! This is due to the fact that Microsoft is responsible for certain controls that help your company meet the SOC 2 criteria. Provided there are adequate vendor monitoring controls in place to ensure Microsoft is performing its expected controls, your audit report should be smaller (fewer controls) and, as a result, less costly. Select an auditor who understands modern cloud architecture, such as Azure, and can pass along savings on the audit since some of the controls are the responsibility of Microsoft.

Maximizing Azure SOC 2 Compliance: Final Thoughts

SOC 2 doesn’t have to be a thriller novel with an unreliable narrator. With Azure, it’s more like a structured documentary: predictable, traceable, and with a happy ending. So, whether you’re an engineer trying to survive your next audit or an auditor knee-deep in access logs, Azure can help streamline the audit. And please—label your resources. My sanity depends on it.

If you need help interpreting your Azure security score, want to rehearse your audit interview, or have any questions regarding Azure SOC 2 compliance, please feel free to contact me. Let’s make your compliance journey a little less daunting together.

This article was originally published on 10/5/2021 and was updated on 5/21/25.