Azure Service Trust Portal

The Azure Service Trust Portal (STP) is a Microsoft-operated website that provides access to independent audit reports, compliance certifications, and security documentation for Microsoft's cloud services, including Azure, Microsoft 365, Dynamics 365, and Power Platform. It is designed to help customers meet their own compliance obligations by providing transparent, verifiable evidence of Microsoft's security and compliance controls.

The business problem it solves is simple: when an organization moves data and workloads to the cloud, its auditors and regulators still require proof that the cloud provider meets specific standards (e.g., ISO 27001, SOC 2, HIPAA, GDPR). Without the STP, customers would have to individually request these documents from Microsoft, wait for responses, and manually verify updates. The STP centralizes all this information, making it available on-demand, and ensures that the documents are always the latest versions. This saves time, reduces audit friction, and provides a single source of truth for compliance evidence.

The STP is a web-based portal accessible at [https://servicetrust.microsoft.com](https://servicetrust.microsoft.com). It does not require an Azure subscription—anyone with a Microsoft account (or Azure AD credentials) can sign in and access the public-facing content. However, some documents, such as those covered by non-disclosure agreements (NDAs), require additional authentication and acceptance of a confidentiality agreement.

Once signed in, the portal presents a dashboard with several main sections:

The portal also includes a search bar and filtering options (by document type, date, or standard) to help you locate specific documents. Additionally, the STP offers a feature called Trust Center (not to be confused with the Microsoft Trust Center, which is a separate website) that provides a more guided experience for compliance managers.

The Service Trust Portal is free to use for anyone with a Microsoft account. There are no tiers or paid versions—it's a universal resource. However, access to certain documents (like those under NDA) requires you to sign in with an Azure AD account that has been granted permission by your organization's Microsoft admin. For example, if your company has an Enterprise Agreement with Microsoft, your admin can enable access to confidential audit reports.

It's important to note that the STP does not include SLA (Service Level Agreement) documents or service health information—those are found in the Azure Portal or the Azure Service Health dashboard. The STP is exclusively for compliance and security documentation.

In an on-premises data center, compliance evidence is typically generated internally by the organization's own security and audit teams. The organization must create policies, implement controls, and then engage an external auditor to certify their environment. This process is costly, time-consuming, and must be repeated annually. With the Azure Service Trust Portal, Microsoft provides the audit reports for the cloud infrastructure layer (the physical data centers, network, and hypervisor). Customers are still responsible for auditing their own applications and configurations (the 'shared responsibility' model), but they can leverage Microsoft's certifications as a foundation. The STP essentially provides 'compliance as a service'—pre-certified evidence that customers can use to accelerate their own audits.

The Service Trust Portal is not directly integrated into the Azure Portal or Azure CLI. It is a standalone website. However, there is a link to the STP from within the Azure Portal under 'Help + Support' > 'Service Trust Portal' for convenience. There is no CLI command to interact with the STP because it is a document repository, not a management service. You cannot, for example, use Azure PowerShell to download a SOC 2 report—you must visit the website.

Consider a healthcare startup that wants to use Azure to host its patient records application. To comply with HIPAA, the startup must sign a Business Associate Agreement (BAA) with Microsoft and provide evidence to its own auditors that Azure is HIPAA-compliant. The startup's compliance officer goes to the Service Trust Portal, downloads the HIPAA BAA, and also downloads the latest SOC 2 Type II report. She then provides these to her auditor, who verifies the documents' authenticity and dates. Without the STP, the compliance officer would have to email Microsoft support and wait days for the documents—and then repeat the process every year. With the STP, she can access the documents instantly and set up email notifications for when new versions are published.

The STP allows you to set up notifications for when a document is updated or a new audit report is published. This is critical for staying current with compliance requirements. To enable notifications, you must sign in and configure alerts under the 'Settings' menu. Notifications are sent via email.

While the STP is comprehensive, it does have limitations. First, not all documents are available to all users—some require NDA acceptance. Second, the portal does not provide real-time security alerts or threat intelligence—those are handled by Azure Security Center (now Microsoft Defender for Cloud). Third, the STP does not include custom audit reports for specific customer configurations; it only covers Microsoft's shared infrastructure. Customers must still perform their own audits of their Azure resource configurations (e.g., network security groups, encryption settings).

A financial services company, FinSecure Inc., uses Azure to host its core banking application. As part of its annual SOC 2 audit, the external auditor requires evidence that the cloud infrastructure provider (Microsoft) has adequate controls over security, availability, and confidentiality. FinSecure's compliance team accesses the Service Trust Portal and downloads the latest Azure SOC 2 Type II report. They also download the Azure SOC 3 report (a public summary) to share with clients. The auditor reviews these reports and cross-references them with FinSecure's own control documentation. Because the STP provides up-to-date, independent verification, the audit proceeds smoothly and FinSecure achieves its SOC 2 attestation. Without the STP, FinSecure would have to rely on outdated reports or pay for a separate audit of Microsoft's infrastructure—a costly duplication.

A healthcare startup, HealthCloud, wants to launch a telemedicine platform on Azure. To comply with HIPAA, they must sign a Business Associate Agreement (BAA) with Microsoft and provide evidence that Azure is HIPAA-compliant. The startup's compliance officer goes to the STP, downloads the HIPAA BAA, and also downloads the Azure HIPAA Compliance Guide. She also downloads the latest ISO 27001 certification to demonstrate a baseline of security controls. She provides these to her legal team and external auditor. The auditor confirms that the documents are valid and current. The startup then configures its Azure environment to meet HIPAA requirements (e.g., enabling encryption, restricting access). The STP documents are crucial for the auditor to sign off on the infrastructure layer. If the startup had not used the STP, they might have missed the BAA requirement or used outdated documents, leading to compliance gaps.

A common mistake is confusing the Service Trust Portal with the Microsoft Trust Center (a separate website with general security information). Candidates and even professionals sometimes go to the Trust Center to look for audit reports, only to find marketing materials. Another issue is failing to accept the NDA—without it, restricted documents are not visible, leading to incomplete evidence. Finally, some users forget to set up notifications and miss critical updates (e.g., a new SOC report that supersedes an older one), which can cause auditors to flag the evidence as stale. The correct approach is to always use the STP (servicetrust.microsoft.com) for audit reports, accept the NDA, and configure alerts.