Microsoft Service Trust Portal and compliance documentation

The Microsoft Service Trust Portal (STP) at servicetrust.microsoft.com is the central library of Microsoft's compliance certifications, audit reports, security documentation, and data-handling commitments. It's where your compliance team gets the artefacts they need to satisfy auditors, regulators, and customer due diligence.

What's in the STP

A non-exhaustive catalogue:

Audit reports

SOC 1, 2, and 3 reports for Microsoft cloud services.
ISO 27001, 27017, 27018, 22301 certifications and audit reports.
PCI DSS attestations of compliance.
FedRAMP documentation for US government scenarios.
HIPAA business associate agreements and supporting docs.
Country-specific certifications — UK G-Cloud, German C5, Singapore MTCS, Australian IRAP, and many more.

Compliance frameworks

Microsoft's mapping of services against specific regulatory frameworks.
GDPR commitments and supporting materials.
HIPAA, FERPA, FISMA, CJIS specific documentation.

Operational documentation

Microsoft 365 data location by region.
EU Data Boundary details.
Customer Lockbox behaviour and access procedures.
Data subject rights documentation for GDPR.
Incident notification procedures.

Tools

Compliance Manager integration — assessments linked to Microsoft's underlying controls.
Compliance Score components.
Audit-related FAQs for common compliance questions.

How to use it

For most compliance scenarios:

Customer due diligence

When a prospect or partner asks "are you SOC 2 compliant for the services you use?":

Pull the relevant SOC 2 report for Microsoft 365 from STP.
Combine with your own SOC 2 (or other) report.
Present together as evidence that the full chain of services is audited.

Regulator inquiry

When a regulator asks about specific compliance:

Find Microsoft's documentation for the relevant regulation.
Combine with your tenant's specific configuration evidence.
Present a coherent compliance picture.

Internal audit

For internal audit functions evaluating your Microsoft 365 estate:

Use STP documentation to confirm Microsoft's responsibilities under the shared responsibility model.
Combine with Compliance Manager scores for your tenant-specific compliance posture.

Shared responsibility model

A crucial concept the STP makes explicit: Microsoft 365 operates under a shared responsibility model between Microsoft and the customer. Microsoft is responsible for:

Infrastructure security.
Service operations and availability.
Some baseline platform security features.

Customers are responsible for:

Identity (users, MFA, Conditional Access).
Data classification and labelling.
Endpoint security on customer-managed devices.
Configuration of security and compliance features in the tenant.

The STP documents Microsoft's side of this clearly. Your tenant's compliance documentation has to cover the customer side.

Authentication and access

The STP is freely accessible for most content — no Microsoft 365 sign-in required. Some sensitive documents (specific audit reports, NDA-required content) require Microsoft 365 sign-in with a tenant admin role or specific licensing.

Compliance Manager (purview.microsoft.com) — tenant-specific compliance scoring linked to STP documentation.
Microsoft Trust Center (microsoft.com/trust-center) — broader trust-related content (privacy, security, transparency).
Microsoft Privacy Statement — published commitments on data handling.
Service-level agreement (SLA) pages — uptime commitments per service.

Operational rhythm

A mature compliance function:

Subscribes to STP updates — Microsoft publishes new audit reports annually.
Reviews STP at audit time — pulls the current versions of relevant reports.
Tracks compliance certifications Microsoft adds/removes over time.
Documents the shared responsibility split in their own internal policies.

For organisations in regulated industries, the STP is essential reference material. For organisations less encumbered, it's the right place to point auditors when they ask about Microsoft's controls without having to argue the case yourself.