This chapter covers cloud compliance concepts, a critical topic for the AZ-900 exam. You will learn how Azure helps organizations meet legal, regulatory, and industry standards for data security and privacy. This objective area represents approximately 5-10% of the exam, so understanding compliance models, the shared responsibility model, and key compliance offerings is essential. We will explore what compliance means in the cloud, how Azure provides compliance tools and certifications, and how to verify compliance through the Service Trust Portal and Azure Policy.
Imagine you are a multinational corporation that stores sensitive documents—contracts, financial records, and employee data—in a single, massive filing room. Your business must follow strict regulations: documents must be kept in fireproof cabinets, access must be logged, and certain records must be stored in specific countries. You could build your own filing room with custom cabinets, security cameras, and logs, but that would be expensive and slow to adapt to new laws. Instead, you rent a safety deposit box at a global bank. The bank offers different types of boxes: some are fireproof, some have dual-key access, and some are located in specific branches (e.g., only in the EU). You choose the box that meets your compliance needs, and the bank guarantees that the box meets those standards. The bank regularly updates its box types to match new regulations, and you can audit the bank's compliance certificates. In this analogy, the bank is Microsoft Azure, the safety deposit box is a compliance offering (like Azure Policy or a compliance certification), and your documents are your data and workloads. The key mechanism is that you don't build compliance yourself—you select a pre-built, audited offering that matches your regulatory requirements, and Microsoft takes responsibility for maintaining that compliance posture.
What is Cloud Compliance and Why Does It Matter?
Cloud compliance refers to adhering to laws, regulations, and industry standards that govern how data is collected, stored, processed, and transmitted. For organizations moving to the cloud, compliance is often the top concern. Different industries have different requirements: healthcare must follow HIPAA (Health Insurance Portability and Accountability Act) in the US, financial services must comply with PCI DSS (Payment Card Industry Data Security Standard), and companies operating in Europe must adhere to GDPR (General Data Protection Regulation). Non-compliance can result in massive fines, legal action, and reputational damage.
In the on-premises world, the organization is fully responsible for compliance—they control the physical servers, network, and access. In the cloud, responsibility is shared. Azure provides a compliant platform, but the customer must configure their workloads correctly. For AZ-900, you need to understand this shared responsibility model and how Azure provides confidence through certifications, attestations, and tools.
The Shared Responsibility Model for Compliance
Microsoft operates on a shared responsibility model. For compliance, this means:
- Microsoft is responsible for the compliance of the cloud: the physical data centers, hardware, software, and networking that underpin Azure services. Microsoft undergoes regular audits (e.g., SOC 1/2/3, ISO 27001) and provides certifications that cover the entire Azure platform.
- The customer is responsible for compliance in the cloud: configuring services correctly, managing access, encrypting data, and ensuring their applications meet regulatory requirements. For example, if you store healthcare data in Azure SQL Database, Microsoft ensures the database service is HIPAA-eligible, but you must enable encryption, set up firewalls, and control who accesses the data.
This distinction is crucial: Azure's compliance certifications do not automatically make your application compliant. You must use Azure's compliance tools (like Azure Policy) to enforce your own configurations.
Key Compliance Offerings in Azure
Azure provides several categories of compliance offerings:
Formal Certifications: Third-party audits that verify Azure meets specific standards. Examples include ISO 27001 (information security management), SOC 2 (service organization controls), FedRAMP (US federal government), and HIPAA BAA (Business Associate Agreement). These certifications are publicly listed on the Service Trust Portal.
Attestations: Microsoft's self-assessments or third-party attestations that Azure meets certain requirements. For instance, Azure has a GDPR attestation.
Regional/Industry Standards: Azure complies with country-specific laws (e.g., Australia's IRAP, Germany's C5) and industry-specific standards (e.g., PCI DSS for payment cards, HIPAA for healthcare).
Azure Policy: A service that allows you to create, assign, and manage policies that enforce compliance rules for your resources. For example, you can create a policy that only allows certain VM sizes or requires encryption at rest.
Microsoft Purview Compliance Manager: A tool that helps you manage your compliance posture by providing assessments, actionable insights, and automated testing.
Service Trust Portal (STP): A web portal where you can access audit reports, compliance guides, and whitepapers. It's your one-stop shop for verifying Azure's compliance credentials.
How to Verify Compliance: The Service Trust Portal
The Service Trust Portal is a critical resource for AZ-900. It provides:
- Audit Reports: downloadable reports from third-party auditors (e.g., SOC reports, ISO certificates).
- Compliance Guides: documents that map Azure services to specific compliance standards.
- Data Residency and Security: information about where data is stored and how it is protected.
- Compliance Manager: a dashboard to assess your own compliance posture.
To access the STP, you need an Azure Active Directory account (work or school). The portal is free and does not require an Azure subscription.
Azure Policy: Enforcing Compliance
Azure Policy is a service that helps you enforce organizational standards and assess compliance at scale. It works by creating policy definitions (rules) and assigning them to resources (e.g., subscriptions, resource groups). Key concepts:
- Policy Definition: a rule that describes the compliance condition (e.g., "allowed locations" or "require encryption").
- Initiative: a group of policy definitions designed to achieve a specific compliance goal (e.g., "HIPAA compliance initiative").
- Assignment: applying a policy or initiative to a scope (management group, subscription, resource group).
- Effect: what happens when a resource violates the policy (e.g., Deny, Audit, Append, DeployIfNotExists).
Example: You can create a policy that denies creation of VMs in any region other than West Europe to meet GDPR data residency requirements.
Microsoft Purview Compliance Manager
Compliance Manager (part of Microsoft Purview) helps you manage your compliance activities. It provides:
- Pre-built assessments for common standards (e.g., GDPR, NIST).
- Actionable improvement actions with step-by-step guidance.
- Automated testing of controls (if you have the right licenses).
- A compliance score to track progress.
Data Residency and Sovereignty
Data residency refers to the physical location of data. Azure allows you to choose the region where your data is stored. Some regulations require data to stay within a specific country or region (data sovereignty). Azure offers:
- Region pairs: data is replicated to a paired region for disaster recovery, but stays within the same geography (e.g., US East and US West).
- Azure Policy: enforce data residency by restricting resource creation to allowed regions.
- Customer Lockbox: requires customer approval before Microsoft engineers can access data (for support cases).
Comparing On-Premises Compliance to Cloud Compliance
In on-premises environments, the organization must:
Build and maintain physical security (locks, cameras, guards).
Manage hardware and software patching.
Conduct internal audits and hire third-party auditors.
Prove compliance to regulators.
In Azure, Microsoft handles the physical and infrastructure compliance. The customer focuses on:
Configuring services correctly.
Managing access (identity).
Encrypting data.
Using Azure Policy to enforce rules.
Reviewing compliance reports from the STP.
This shift reduces the burden but requires new skills and tools.
Azure Portal and CLI Touchpoints
You can explore compliance offerings in the Azure portal:
- Service Trust Portal: access it at https://servicetrust.microsoft.com.
- Azure Policy: search for "Policy" in the portal. Create and assign policies via the UI.
- Compliance Manager: within the Microsoft Purview compliance portal.
Using Azure CLI, you can list policy definitions:
az policy definition list --query "[?policyType=='BuiltIn']"
Create a policy assignment:
az policy assignment create --name 'deny-south-america' --policy '...' --scope '/subscriptions/...'
Identify Compliance Requirements
Begin by understanding the regulations and standards your organization must follow. For example, if you handle payment card data, you need PCI DSS compliance. If you operate in the EU, GDPR applies. Document the specific controls required (e.g., encryption, access logging, data residency). This step is typically done by a compliance officer or legal team. In Azure, you can then map these requirements to Azure's compliance offerings. For AZ-900, you don't need to memorize every regulation, but you should know that Azure provides offerings for major standards like HIPAA, GDPR, ISO 27001, and SOC 2.
Review Azure Compliance Offerings
Visit the Service Trust Portal (STP) to see which Azure services are covered by which certifications. For example, if you need HIPAA compliance, check the HIPAA compliance matrix on the STP to see which services are HIPAA-eligible. Note that not all Azure services are covered by every certification. For instance, Azure DevOps may not be HIPAA-eligible. The STP provides audit reports, whitepapers, and compliance guides. You can download SOC reports and ISO certificates to share with auditors. This step is crucial for proving to regulators that your cloud provider is compliant.
Configure Azure Policy for Enforcement
Use Azure Policy to enforce compliance rules. For example, create a policy that requires encryption for all storage accounts. Assign the policy to a subscription or resource group. Azure Policy will evaluate existing resources and flag non-compliant ones. It can also prevent creation of non-compliant resources (Deny effect). You can use built-in policy definitions (e.g., 'Allowed locations', 'Require SQL Server encryption') or create custom ones. This step automates compliance and reduces human error. In the exam, remember that Azure Policy is about enforcing rules, not just auditing.
Monitor Compliance with Compliance Manager
Microsoft Purview Compliance Manager provides a dashboard to track your compliance posture. It includes pre-built assessments (e.g., for GDPR) that list controls and improvement actions. You can assign tasks to team members, upload evidence, and track progress. Compliance Manager also integrates with Azure Policy to automatically detect non-compliant resources. The compliance score (0-100%) gives a quick view of your posture. This tool is especially useful for organizations that need to demonstrate continuous compliance. For AZ-900, know that Compliance Manager is part of Microsoft Purview and helps manage compliance activities.
Audit and Report Using Service Trust Portal
Periodically download updated audit reports from the Service Trust Portal to provide to auditors. The STP also offers compliance guides that map Azure services to specific controls. You can set up alerts for new reports. Additionally, use Azure Monitor logs to track access and changes. For example, enable diagnostic settings on resources to log all operations. These logs can be used for compliance audits. Remember that Microsoft provides the infrastructure compliance; you are responsible for configuring logging and monitoring. In the exam, know that the STP is the primary source for Azure compliance documentation.
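To make the policy definition, parameters and effect described in the Azure Policy section and in the "Configure Azure Policy for Enforcement" step concrete, here is an added example (not code from this page or from Azure itself): a small Python evaluator that applies a constructed allowed-locations definition, written in the real Azure Policy JSON shape, to constructed sample resources and reports which ones a Deny or Audit assignment would catch. It is a simplified model of the rule semantics, not Azure's engine; the definition, resource names and locations are assumptions.

```python
import json

# Constructed custom definition in the real Azure Policy JSON shape (not a built-in):
# deny, or only audit, any resource created outside the EU regions, the chapter's
# GDPR data-residency example. Parameter values are supplied by the assignment.
ALLOWED_LOCATIONS_POLICY = json.loads("""
{"properties": {
  "displayName": "Allowed locations (constructed example)",
  "mode": "Indexed",
  "parameters": {
    "listOfAllowedLocations": {"type": "Array", "defaultValue": ["westeurope", "northeurope"]},
    "effect": {"type": "String", "allowedValues": ["Audit", "Deny", "Disabled"],
               "defaultValue": "Deny"}},
  "policyRule": {
    "if": {"allOf": [
      {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
      {"field": "location", "notEquals": "global"}]},
    "then": {"effect": "[parameters('effect')]"}}}}
""")

# Constructed sample resources carrying the fields Azure Policy evaluates.
SAMPLE_RESOURCES = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "vm-batch-01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"name": "sql-orders", "type": "Microsoft.Sql/servers", "location": "northeurope"},
    {"name": "cdn-profile", "type": "Microsoft.Cdn/profiles", "location": "global"},
]

def _lower(value):
    return value.lower() if isinstance(value, str) else value

def resolve(value, params):
    """Resolve a "[parameters('x')]" expression to the assigned value; literals pass through."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def matches(condition, resource, params):
    """Evaluate an 'if' block: logical operators recurse, field conditions compare."""
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    actual = _lower(resource.get(condition["field"]))
    checks = {  # string comparisons are case-insensitive, as in Azure Policy
        "equals": lambda a, e: a == _lower(e),
        "notEquals": lambda a, e: a != _lower(e),
        "in": lambda a, e: a in [_lower(x) for x in e],
        "notIn": lambda a, e: a not in [_lower(x) for x in e],
    }
    for op, check in checks.items():
        if op in condition:
            return check(actual, resolve(condition[op], params))
    raise ValueError(f"unsupported condition: {condition}")

def evaluate(definition, resources, parameters=None):
    """Map each resource name to 'compliant', 'not evaluated', or the effect that fires."""
    props = definition["properties"]
    params = {k: v.get("defaultValue") for k, v in props["parameters"].items()}
    params.update(parameters or {})  # values set on the assignment override defaults
    rule = props["policyRule"]
    effect = resolve(rule["then"]["effect"], params).lower()
    if effect == "disabled":  # a Disabled assignment evaluates nothing
        return {r["name"]: "not evaluated" for r in resources}
    # 'deny' would block the create/update; 'audit' only flags the resource as non-compliant
    return {r["name"]: effect if matches(rule["if"], r, params) else "compliant"
            for r in resources}

if __name__ == "__main__":
    for name, outcome in evaluate(ALLOWED_LOCATIONS_POLICY, SAMPLE_RESOURCES).items():
        print(f"{name:12} -> {outcome}")
```

Passing `parameters={"effect": "Audit"}` to `evaluate` models switching the assignment from Deny to Audit: the same resources are flagged, but nothing is blocked.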
Scenario 1: Healthcare Provider Moving to Azure
A hospital chain in the United States needs to move its patient records system to the cloud while complying with HIPAA. The compliance team first reviews the Service Trust Portal to confirm that Azure can sign a Business Associate Agreement (BAA). They select Azure services that are HIPAA-eligible, such as Azure SQL Database and Azure Blob Storage. They then create Azure Policy assignments to enforce encryption at rest and in transit, restrict data to US regions, and require multi-factor authentication for all users. They use Compliance Manager to track improvement actions like enabling audit logging. The hospital also enables Customer Lockbox so that any Microsoft engineer accessing data must get explicit approval. A common mistake is assuming that all Azure services are HIPAA-eligible—they are not. For example, Azure Cognitive Services may not be covered. If the hospital accidentally stores PHI in a non-eligible service, they violate HIPAA. Cost considerations: HIPAA compliance does not change Azure pricing, but additional features like Customer Lockbox may have extra costs. The hospital saves money by not building its own data center but must invest time in configuration.
Scenario 2: European E-Commerce Company and GDPR
An e-commerce company based in Germany must comply with GDPR, which requires data residency within the EU and the right to be forgotten. The company uses Azure Policy to restrict resource creation to West Europe and North Europe regions. They enable Azure AD for identity management and use Azure Information Protection to classify and protect personal data. For the right to be forgotten, they implement a custom Azure Function that deletes user data from all databases when requested. They use Compliance Manager's GDPR assessment to track progress. A common pitfall is forgetting that GDPR applies to any company processing EU citizens' data, regardless of location. If the company expands to the US but still processes EU data, they must ensure compliance. Azure's data residency options allow them to keep data in the EU. Cost: Data transfer costs may increase if they replicate data across regions for disaster recovery, but they can use paired regions within the EU.
Scenario 3: Financial Services Firm and PCI DSS
A credit card processing company must comply with PCI DSS. They use Azure Policy to enforce that only approved VM sizes are used (to meet segmentation requirements) and that network security groups restrict access to cardholder data environments. They enable Azure Security Center for continuous monitoring and vulnerability assessments. They use the Service Trust Portal to download Azure's PCI DSS attestation report to share with their acquiring bank. A common mistake is thinking that Azure's PCI DSS certification covers the customer's entire environment—it only covers the Azure infrastructure. The customer must still implement controls like encryption of cardholder data, access controls, and regular penetration testing. Cost: Azure Security Center's free tier provides basic monitoring, but advanced features require Azure Defender, which has a per-resource cost. The firm avoids building a dedicated data center and instead pays for the services they use.
AZ-900 Objective 1.5: Describe cloud compliance concepts
This objective is tested with about 5-10 questions on the exam. You must know:
The purpose of the Service Trust Portal (STP) and what it contains (audit reports, compliance guides, whitepapers).
The shared responsibility model as it applies to compliance: Microsoft is responsible for the compliance of the cloud; the customer is responsible for compliance in the cloud.
Key compliance offerings: ISO 27001, SOC 1/2/3, HIPAA BAA, GDPR, FedRAMP, PCI DSS.
Azure Policy's role in enforcing compliance.
Microsoft Purview Compliance Manager for managing compliance posture.
Data residency and sovereignty concepts.
Common Wrong Answers and Why Candidates Choose Them
"The customer is responsible for all compliance in the cloud." Candidates choose this because they think moving to the cloud means the provider handles everything. Reality: Microsoft handles infrastructure compliance; the customer must configure their services correctly.
"Azure Policy is used to monitor performance." Candidates confuse Azure Policy with Azure Monitor. Azure Policy is for compliance and governance, not performance monitoring.
"All Azure services are HIPAA-eligible." Candidates assume that because Azure has a HIPAA BAA, all services are covered. Reality: Only specific services are HIPAA-eligible; check the STP.
"The Service Trust Portal requires an Azure subscription." Candidates think you need to pay to access compliance docs. Reality: You only need an Azure AD account (work or school), which is free.
Specific Terms and Values That Appear Verbatim
- "Service Trust Portal"
- "Shared responsibility model"
- "Compliance Manager"
- "Azure Policy"
- "Data residency" and "data sovereignty"
- "ISO 27001", "SOC 2", "HIPAA", "GDPR", "FedRAMP"
- "Customer Lockbox"
Edge Cases and Tricky Distinctions
- The exam may ask: "Who is responsible for ensuring that a virtual machine is patched with the latest security updates?" Answer: the customer (it's in the cloud, not of the cloud).
- They might ask: "Which tool provides a compliance score?" Answer: Compliance Manager (not Azure Policy).
- They might ask: "Which portal provides audit reports for Azure?" Answer: Service Trust Portal (not Azure Portal).
Memory Trick: 'SCAM' for Compliance Offerings
S - SOC (1/2/3)
C - C5 (Germany)
A - ISO 27001
M - HIPAA, GDPR, FedRAMP, PCI DSS
Decision Tree for Eliminating Wrong Answers
- If the question asks about "enforcing" a rule, it's Azure Policy.
- If it asks about "audit reports" or "certifications", it's Service Trust Portal.
- If it asks about "managing compliance activities" or "score", it's Compliance Manager.
- If it asks about "responsibility", think shared responsibility model.
Azure's compliance certifications (ISO 27001, SOC 2, HIPAA, GDPR, FedRAMP, PCI DSS) cover the cloud infrastructure, not customer configurations.
The Service Trust Portal (STP) provides audit reports, compliance guides, and whitepapers; access requires an Azure AD account but no subscription.
Azure Policy enforces compliance rules on resources (e.g., allowed regions, required encryption) and can deny non-compliant resource creation.
Microsoft Purview Compliance Manager offers a compliance score and pre-built assessments for standards like GDPR and NIST.
Data residency refers to the physical location of data; Azure allows you to choose regions and use paired regions within the same geography.
Customer Lockbox requires explicit approval before Microsoft engineers can access your data for support cases.
The shared responsibility model: Microsoft is responsible for compliance of the cloud; customers are responsible for compliance in the cloud.
Not all Azure services are covered by every certification; always check the compliance matrix on the STP.
These come up on the exam all the time. Here's how to tell them apart.
Azure Policy
Focuses on compliance and governance of resource configurations.
Evaluates and enforces rules on resource properties (e.g., allowed locations, required tags).
Uses policy definitions and initiatives to check or enforce conditions.
Effects include Deny, Audit, Append, DeployIfNotExists.
Works at management group, subscription, resource group, or individual resource scope.
Azure Role-Based Access Control (RBAC)
Focuses on managing who has access to resources and what actions they can perform.
Controls permissions via role assignments (e.g., Owner, Contributor, Reader).
Uses role definitions that specify allowed actions (e.g., read, write, delete).
Effects are granting or denying access to operations.
Works at management group, subscription, resource group, or individual resource scope.
Mistake
Azure's compliance certifications automatically make my application compliant.
Correct
Azure's certifications cover the cloud platform itself. You must configure your services correctly (e.g., enable encryption, set access controls) to achieve compliance for your application. Microsoft provides the tools, but you must use them.
Mistake
The Service Trust Portal is only for enterprise customers with paid subscriptions.
Correct
The Service Trust Portal is free and accessible with any Azure AD account (work or school). You do not need an Azure subscription to view audit reports and compliance guides.
Mistake
Azure Policy is only for auditing, not enforcement.
Correct
Azure Policy can both audit and enforce (deny, append, deploy) configurations. For example, you can create a policy that denies creation of resources in unauthorized regions.
Mistake
All Azure services are covered by every compliance certification.
Correct
Each certification covers only specific Azure services. For example, HIPAA eligibility is limited to services listed in the HIPAA compliance matrix on the Service Trust Portal. Always verify coverage.
Mistake
Data residency means my data never leaves the chosen region, even for disaster recovery.
Correct
Azure replicates data to a paired region within the same geography for disaster recovery. However, for most compliance needs, this is acceptable because the paired region is within the same geopolitical boundary. If you need strict data sovereignty, you can use Azure Policy to restrict resources to a single region, but you may lose disaster recovery benefits.
The Service Trust Portal (STP) is a Microsoft-provided portal that contains audit reports, compliance guides, and whitepapers for Azure, Microsoft 365, and other cloud services. You access it at https://servicetrust.microsoft.com. You need an Azure Active Directory account (work or school) to sign in. No Azure subscription is required. The STP is the primary source for verifying Azure's compliance certifications and downloading documents like SOC reports and ISO certificates.
Azure Policy focuses on resource configurations (e.g., ensuring all storage accounts are encrypted), while Azure RBAC focuses on user permissions (e.g., who can create or delete resources). Policy uses rules and effects (Deny, Audit) to enforce compliance; RBAC uses role assignments to grant access. Both are essential for governance, but they serve different purposes. On the exam, if the question mentions 'enforcing a rule on resource properties', think Azure Policy. If it mentions 'controlling who can access', think RBAC.
The shared responsibility model means that Microsoft is responsible for the security and compliance of the cloud infrastructure (physical data centers, hardware, network), while the customer is responsible for security and compliance in the cloud (their data, applications, access management, and configuration). For example, Microsoft ensures that Azure SQL Database is HIPAA-eligible, but you must enable encryption and control who accesses the database. You cannot rely solely on Microsoft's certifications; you must configure your services correctly.
Azure Policy. You can create a policy definition that restricts allowed locations and assign it to a subscription or resource group. The policy will deny creation of resources in any region not on the allowed list. This is commonly used for data residency requirements. For example, to comply with GDPR, you might allow only West Europe and North Europe. Azure Policy can also audit existing resources to find non-compliant ones.
Microsoft Purview Compliance Manager is a tool that helps you manage your compliance posture. It provides pre-built assessments for regulations like GDPR and NIST, a compliance score (0-100%), and actionable improvement actions. It integrates with Azure Policy to automatically detect non-compliant resources. You can assign tasks, upload evidence, and track progress. It is part of the Microsoft Purview compliance portal. For AZ-900, know that it helps you manage and improve compliance, not just report on it.
Customer Lockbox is a service that gives you explicit control over when Microsoft engineers can access your data for support cases. When a support case requires access to your data, you must approve the request before the engineer can proceed. This helps meet compliance requirements that require customer consent for data access. Customer Lockbox is available for certain Azure services and requires a support plan. It is not enabled by default.
Azure allows you to choose the region where your services are deployed, and by default, data stays within that region. However, for disaster recovery, Azure may replicate data to a paired region within the same geography (e.g., US East to US West). If you need strict data residency (no replication outside a specific region), you can use Azure Policy to restrict resources to a single region, but you will lose built-in disaster recovery. Always review the data residency options for each service.