MS-900 | Chapter 73 of 104 | Objective 3.2

Microsoft 365 Privacy Features and Trust Centre

This chapter covers Microsoft 365 privacy features and the Trust Centre, a critical topic for the MS-900 exam (Domain 3: Security, Privacy, Compliance, and Trust; Objective 3.2: Describe privacy features and the Trust Centre). Approximately 10-15% of exam questions relate to privacy, compliance, and trust concepts. You will learn about Microsoft's data protection commitments, the Service Trust Portal, Compliance Manager, audit logs, data retention policies, and how Microsoft handles customer data under GDPR and other regulations.

Updated May 31, 2026

Bank Vault with Granular Access Logs

Imagine a bank vault that stores sensitive documents. The vault itself is heavily secured—steel walls, alarms, and cameras (encryption and physical security). However, the bank also provides a Trust Centre: a transparent dashboard where customers can see exactly who accessed their safe deposit box, when, and for what purpose. Customers can review audit logs, verify that only authorized personnel entered the vault, and confirm that the bank follows strict privacy policies. The bank publishes independent auditor reports (like SOC 2) to prove its controls are working. If a customer suspects unauthorized access, they can request a detailed access report. The bank cannot modify these logs because they are write-once, read-many (WORM) storage. This mirrors Microsoft's approach: Microsoft 365 provides built-in data encryption at rest and in transit, but the Trust Centre offers transparency through compliance portals, audit logs, and third-party certifications. Customers (organizations) retain ownership of their data and can control access via policies, while Microsoft acts as the custodian—never using customer data for advertising or without explicit consent. The key difference is that unlike a physical vault, Microsoft's controls are software-defined and continuously monitored, with automated alerts for policy violations.

How It Actually Works

What Are Microsoft 365 Privacy Features and the Trust Centre?

Microsoft 365 is built on a foundation of trust. Privacy features encompass the technical and organizational controls Microsoft implements to protect customer data, including encryption, data residency, data access policies, and auditing. The Trust Centre (now part of the Service Trust Portal) is a centralized resource where Microsoft publishes compliance certifications, audit reports, data protection documentation, and privacy policies. It serves as a single source of truth for customers to verify Microsoft's compliance with standards like ISO 27001, SOC 2, HIPAA, GDPR, and FedRAMP.

Why They Exist

Organizations moving to the cloud need assurance that their data is secure, private, and handled according to legal and regulatory requirements. Microsoft's privacy features and Trust Centre provide transparency and control, enabling customers to:

Understand where their data is stored (data residency).

Control who can access their data.

Audit all access to customer data.

Verify compliance through independent audits.

Respond to data subject requests under GDPR.

How It Works Internally: The Mechanism

Microsoft's privacy model is based on the principle that customer data belongs to the customer. Microsoft does not use customer data for its own purposes (e.g., advertising). At the technical level:

1. Data Encryption
- At Rest: All data in Microsoft 365 is encrypted using BitLocker (disk-level encryption) and per-service encryption (e.g., Exchange Online uses BitLocker and service encryption with customer-managed keys via Office 365 Customer Key).
- In Transit: Data is encrypted using TLS 1.2+ between client and server, and between Microsoft datacenters.

2. Data Residency - Microsoft stores customer data in specific geographic regions based on tenant location (e.g., EU data stays in EU datacenters). Customers can use the Advanced Data Residency add-on to control data storage for specific workloads.

3. Access Controls - Microsoft engineers have no standing access to customer data. Access is granted via Just-In-Time (JIT) and Just-Enough-Access (JEA) principles, requiring approval and logging. All access is audited.

4. Audit Logging - The Unified Audit Log records all user and admin activities across Exchange Online, SharePoint Online, Teams, and other workloads. Logs are retained for 90 days by default (up to 1 year with add-on, or 10 years with Audit (Premium)).

5. Service Trust Portal - Provides documents such as SOC reports, ISO certifications, and Data Protection Impact Assessments (DPIAs). Customers can download these reports to demonstrate compliance to auditors.

6. Compliance Manager - A workflow-based tool that helps organizations assess their compliance posture against regulations like GDPR, HIPAA, and NIST. It provides recommendations and tracks improvement actions.

Key Components, Values, and Defaults

Default Audit Log Retention: 90 days for Exchange, SharePoint, Azure AD; 180 days for Teams; 1 year for Compliance Manager actions.

Customer Lockbox: Requires Microsoft engineer access to customer data to be explicitly approved by the customer. Default: disabled; requires licensing (E5/A5/G5).

Data Loss Prevention (DLP): Scans data at rest and in transit for sensitive information (e.g., credit card numbers, SSNs). Default policies exist for common data types.

Microsoft Priva: Privacy risk management tool (formerly part of Compliance Manager) for automating data subject requests and reducing privacy risks.

GDPR Compliance: Microsoft contracts include the Data Processing Addendum (DPA), which defines data processing terms. Customers are data controllers; Microsoft is the data processor.

Configuration and Verification

To access the Service Trust Portal:

1. Log into the Microsoft 365 admin center.

2. Navigate to Settings > Service Trust Portal or directly visit https://servicetrust.microsoft.com.

3. Download compliance reports (e.g., SOC 2 Type II report) after signing the non-disclosure agreement (NDA).

To enable Customer Lockbox:

Admin center > Settings > Org Settings > Security & Privacy > Customer Lockbox.

Requires global admin role and appropriate license (E5/A5/G5).

To view audit logs:

Compliance center > Audit > Search audit log.

Filter by activity, date, user, etc.

Interaction with Related Technologies

Microsoft Purview Compliance Portal: Central hub for compliance features including audit, DLP, eDiscovery, and records management.

Azure Active Directory: Provides identity-based access control; conditional access policies can restrict access based on location, device, etc.

Information Protection: Sensitivity labels classify and protect data; labels can be automatically applied based on DLP policies.

Microsoft 365 Defender: Integrates threat protection signals; privacy features ensure that security investigations do not expose unnecessary customer data.

Exam-Relevant Details

The Service Trust Portal is where you find compliance reports and certifications.

Customer Lockbox is used to control Microsoft engineer access to your data.

Data retention policies are set in the Compliance portal; default audit log retention is 90 days.

Microsoft does not use customer data for advertising – a key exam point.

GDPR gives data subjects rights (access, rectify, erase, restrict, portability, object). Microsoft provides tools to fulfill these requests.

Compliance Manager assigns a compliance score and provides improvement actions.

Common Exam Traps

Trap: Confusing the Service Trust Portal with the Microsoft 365 admin center. The admin center is for configuration; the Trust Portal is for documentation.

Trap: Thinking Customer Lockbox is enabled by default. It is not; it requires licensing and manual activation.

Trap: Assuming Microsoft has access to customer data at all times. Microsoft has no standing access; all access is JIT and audited.

Trap: Believing that audit logs are retained indefinitely. Default is 90 days; longer retention requires add-on licensing.

Walk-Through

1. Access the Service Trust Portal

Navigate to the Service Trust Portal (https://servicetrust.microsoft.com) or access it via the Microsoft 365 admin center under Settings > Service Trust Portal. You must sign in with a Microsoft 365 account and accept the non-disclosure agreement (NDA) to view certain documents like SOC reports. The portal hosts compliance guides, audit reports, and data protection resources. For the exam, remember that the Trust Portal is the go-to location for independent audit verification.

2. Review Compliance Reports

In the Service Trust Portal, select 'Audit Reports' to view SOC 2, SOC 3, ISO 27001, FedRAMP, and other certifications. These reports are published by independent auditors and demonstrate Microsoft's compliance with industry standards. You can download PDFs of the reports. The exam may ask where to find SOC reports; the answer is the Service Trust Portal.

3. Enable Customer Lockbox

In the Microsoft 365 admin center, go to Settings > Org Settings > Security & Privacy > Customer Lockbox. Toggle it on. When enabled, any Microsoft engineer request to access customer data triggers an approval request to a designated customer approver. The request must be approved within 12 hours or it expires. This feature is only available with E5/A5/G5 licenses. The exam tests that Customer Lockbox requires explicit approval.

4. Configure Audit Logging

In the Microsoft Purview compliance portal, go to Audit > Audit log. Turn on auditing if not already enabled (it is on by default for most tenants). Search for activities like 'User signed in' or 'Admin role assignment'. Audit logs are retained for 90 days by default. For longer retention, you need an add-on subscription (e.g., Microsoft 365 E5). The exam emphasizes the default retention period.

5. Set Data Retention Policies

In the compliance portal, go to Data Lifecycle Management > Retention policies. Create policies to retain or delete data after a specified period. For example, keep emails for 7 years. Retention policies can be applied to Exchange, SharePoint, OneDrive, and Teams. Note that retention policies override deletion; if a user deletes an email subject to a retention policy, it is preserved in a hidden folder. The exam tests that retention policies take precedence over user deletion.

What This Looks Like on the Job

Enterprise Scenario 1: Healthcare Organization Achieving HIPAA Compliance

A large hospital chain adopts Microsoft 365 for email and collaboration. To comply with HIPAA, they need to ensure that protected health information (PHI) is encrypted and that access is audited. They enable Customer Lockbox to control Microsoft engineer access to PHI. They configure DLP policies to detect PHI (e.g., medical record numbers) and prevent sharing externally. They use Compliance Manager to assess their HIPAA compliance posture and track improvement actions. They download SOC 2 Type II reports from the Service Trust Portal to provide to their auditors. The key challenge is ensuring that all users correctly classify emails and documents with sensitivity labels; misconfiguration can lead to data leaks. Performance-wise, DLP scanning may delay email delivery slightly, but this is acceptable. A common pitfall is failing to enable audit logging for all workloads, which would leave gaps in the audit trail.
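The audit-trail gap described above can be checked from an exported audit log. The following Python is an added example, not part of the original chapter or Microsoft's tooling; the sample records, the `contoso.example` users, the function names, and the 30-day staleness and 14-day warning thresholds are assumptions, and the 90-day window is the default retention this chapter states.

```python
import json
from datetime import datetime, timezone

# Constructed sample: one AuditData JSON object per line (the AuditData column
# of an audit log export). Users, times and operations are made up.
SAMPLE_EXPORT = """\
{"CreationTime": "2026-05-30T09:12:44", "Workload": "Exchange", "Operation": "MailItemsAccessed", "UserId": "alice@contoso.example"}
{"CreationTime": "2026-05-29T17:03:10", "Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "bob@contoso.example"}
{"CreationTime": "2026-04-02T08:00:00", "Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn", "UserId": "alice@contoso.example"}
{"CreationTime": "2026-03-12T11:30:00", "Workload": "Exchange", "Operation": "Send", "UserId": "bob@contoso.example"}
not-json-line
"""

# Workloads this hypothetical tenant expects to see in its audit trail.
EXPECTED = ["Exchange", "SharePoint", "AzureActiveDirectory", "MicrosoftTeams"]
# Fixed "current time" so the sample gives the same result on every run.
SAMPLE_NOW = datetime(2026, 5, 31, tzinfo=timezone.utc)


def parse_records(text):
    """Return ([(workload, utc_time), ...], skipped_line_count)."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            # CreationTime is recorded in UTC without an offset suffix.
            when = datetime.fromisoformat(rec["CreationTime"])
            records.append((rec["Workload"], when.replace(tzinfo=timezone.utc)))
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed or incomplete record: count it, keep going
    return records, skipped


def coverage_report(records, expected, now,
                    retention_days=90, stale_days=30, warn_days=14):
    """Flag workloads with no events, workloads gone quiet, and records
    that will age out of the retention window within warn_days."""
    last_seen, expiring = {}, 0
    for workload, when in records:
        if workload not in last_seen or when > last_seen[workload]:
            last_seen[workload] = when
        if (now - when).days >= retention_days - warn_days:
            expiring += 1
    missing = sorted(w for w in expected if w not in last_seen)
    stale = sorted(w for w in expected
                   if w in last_seen and (now - last_seen[w]).days > stale_days)
    return {"missing": missing, "stale": stale, "expiring_soon": expiring}


if __name__ == "__main__":
    recs, skipped = parse_records(SAMPLE_EXPORT)
    print("skipped lines:", skipped)
    print(coverage_report(recs, EXPECTED, SAMPLE_NOW))
```

A workload listed as missing or stale is a prompt to confirm that auditing is actually enabled for it; records counted as expiring soon should be exported if they are needed for an investigation or audit.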

Enterprise Scenario 2: Global Corporation Responding to GDPR Data Subject Requests

A multinational company receives a data subject request (DSR) from a customer in the EU to access their personal data. The company uses Microsoft Priva (formerly part of Compliance Manager) to find all personal data across Exchange, SharePoint, and Teams. They use eDiscovery to search for the customer's data and export it. They then provide the data to the customer in a structured format (e.g., JSON). The company also uses data retention policies to automatically delete personal data after the legally required retention period ends. The challenge is that DSRs often require searching across multiple data stores; Microsoft's tools provide a unified search interface. A common mistake is forgetting that data in backups may also need to be included; backup retention policies must align. The exam tests that DSRs are handled via the compliance portal.

Enterprise Scenario 3: Financial Services Firm Meeting Regulatory Audit Requirements

A bank uses Microsoft 365 for communication and needs to retain all emails for 7 years per SEC regulations. They configure a retention policy to keep all Exchange data for 7 years and then delete. They enable audit logging to track all access to sensitive financial data. They use Customer Lockbox to approve any Microsoft engineer access to their tenant. They regularly download SOC reports from the Service Trust Portal to demonstrate controls to regulators. The scale is large: 50,000 users generating millions of emails daily. Retention policies must be tested to ensure they do not accidentally delete data prematurely. A common issue is that users may try to delete emails, but retention policies preserve them in a hidden folder, which can cause confusion. The exam tests that retention policies override user deletions.

How MS-900 Actually Tests This

Exactly What MS-900 Tests on Privacy and Trust Centre

Objective 3.2: Describe privacy features and the Trust Centre. The exam focuses on:
- Service Trust Portal: What it is and what documents it contains (compliance reports, certifications).
- Customer Lockbox: Purpose, licensing requirement (E5/A5/G5), and that it requires explicit approval.
- Data Retention: Default audit log retention (90 days), retention policies overriding deletion.
- GDPR: Data subject rights and Microsoft's role as data processor.
- Data Encryption: At rest and in transit.
- Microsoft's Privacy Principles: Customer data belongs to customer; no use for advertising.

Common Wrong Answers and Why Candidates Choose Them

1. Wrong: 'The Trust Centre is where you configure security policies.' Why: Candidates confuse the Trust Centre (documentation) with the Security & Compliance Centre (configuration). The Trust Centre is read-only documentation.

2. Wrong: 'Customer Lockbox is enabled by default for all Microsoft 365 subscriptions.' Why: Candidates assume all security features are on by default. Customer Lockbox requires manual enablement and E5 licensing.

3. Wrong: 'Audit logs are retained for 1 year by default.' Why: Candidates may think 1 year is the default because some add-ons offer 1 year. The default is 90 days.

4. Wrong: 'Microsoft can access customer data at any time for service improvement.' Why: Candidates may think Microsoft has broad access. In reality, access is JIT and audited, and only with customer approval (if Customer Lockbox enabled).

Specific Numbers and Terms on the Exam

90 days: Default audit log retention.

12 hours: Customer Lockbox approval timeout.

E5/A5/G5: Required licenses for Customer Lockbox and Advanced Audit.

GDPR: Key regulation tested; remember data subject rights (access, rectify, erase, restrict, portability, object).

Service Trust Portal: Exact name; not 'Microsoft Trust Center' (though that is a related website).

Edge Cases and Exceptions

If a user deletes a file that is under a retention policy, the file is preserved in a hidden preservation hold library. The user does not see it, but admins can recover it.

Audit logging must be enabled per user; by default, it is on for all users in most tenants, but some older tenants may have it off.

The Service Trust Portal requires an NDA to view some documents; this is a common exam detail.

How to Eliminate Wrong Answers

If an answer mentions 'configuring' something in the Trust Centre, it is wrong—Trust Centre is for reading reports.

If an answer says Microsoft can access data without permission, it is wrong—Customer Lockbox or JIT access requires approval.

If an answer gives a retention period other than 90 days (default) for audit logs, it is likely wrong unless it specifies an add-on.

Key Takeaways

The Service Trust Portal (servicetrust.microsoft.com) is the central location for compliance reports and certifications.

Customer Lockbox requires E5/A5/G5 licensing and must be manually enabled; it forces Microsoft engineers to obtain explicit approval before accessing customer data.

Default audit log retention is 90 days; longer retention (up to 10 years) requires add-on licensing.

Microsoft does not use customer data for advertising; customer data belongs to the customer.

Data retention policies override user deletion; deleted items are preserved if a retention policy applies.

GDPR grants data subjects six rights: access, rectify, erase, restrict processing, data portability, and object.

Compliance Manager provides a compliance score and recommended improvement actions.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Service Trust Portal

Read-only repository of compliance reports (SOC, ISO, FedRAMP).

No configuration capabilities.

Requires NDA to view some documents.

Documents are published by Microsoft and third-party auditors.

Used for auditing and due diligence.

Microsoft Purview Compliance Portal

Configuration center for compliance features (DLP, retention, audit).

Active management of policies and alerts.

No NDA required for basic access.

Tools are used to manage compliance posture (e.g., Compliance Manager).

Used for daily compliance operations.

Watch Out for These

Mistake

The Service Trust Portal is where you configure compliance settings.

Correct

The Service Trust Portal is a documentation library for compliance reports and certifications. Configuration is done in the Microsoft Purview compliance portal or admin center.

Mistake

Customer Lockbox is enabled by default for all tenants.

Correct

Customer Lockbox is not enabled by default. It requires manual activation and an E5/A5/G5 license. Without it, Microsoft engineers can still access data under strict JIT controls but without customer approval.

Mistake

Microsoft uses customer data for advertising purposes.

Correct

Microsoft explicitly states it does not use customer data for advertising. This is a key privacy commitment and a common exam point.

Mistake

Audit logs are retained for 1 year by default.

Correct

Default retention is 90 days for most audit logs. 1-year retention requires an add-on subscription (e.g., Microsoft 365 E5).

Mistake

Data retention policies can be bypassed by users deleting items.

Correct

Retention policies override user deletion. When a retention policy applies, deleted items are preserved in a hidden location (e.g., Preservation Hold library in SharePoint).

Frequently Asked Questions

What is the difference between the Service Trust Portal and the Microsoft Trust Center?

The Service Trust Portal (STP) is a customer-facing portal that provides detailed compliance reports, audit documentation, and data protection resources specific to Microsoft 365 and Azure. The Microsoft Trust Center (https://www.microsoft.com/trust-center) is a public website that provides general information about Microsoft's security, privacy, and compliance practices. For the MS-900 exam, focus on the STP as the source of downloadable compliance reports.

How do I enable Customer Lockbox for my Microsoft 365 tenant?

You need a Microsoft 365 E5, A5, or G5 license. Then, in the admin center, go to Settings > Org Settings > Security & Privacy > Customer Lockbox. Toggle the setting to On. You can designate approvers who will receive email notifications when Microsoft engineers request access. The request must be approved within 12 hours or it expires. This feature is not available in E3 or lower plans.

What is the default retention period for audit logs in Microsoft 365?

The default retention period is 90 days for most audit log entries (Exchange, SharePoint, Azure AD). Some workloads like Teams have 180 days. With an add-on like Microsoft 365 E5 or the Audit (Premium) add-on, you can retain logs for up to 1 year (or 10 years for specific activities). The exam tests the 90-day default.

Can Microsoft access my data without my permission?

Microsoft engineers have no standing access to customer data. All access is governed by Just-In-Time (JIT) and Just-Enough-Access (JEA) principles. If Customer Lockbox is enabled, any access request must be explicitly approved by a customer-designated approver. Even without Customer Lockbox, all access is logged and audited. Microsoft cannot use customer data for its own purposes.

How does Microsoft 365 help with GDPR compliance?

Microsoft provides tools to help customers meet GDPR obligations: Compliance Manager to assess compliance, data retention policies to manage data lifecycle, eDiscovery to find personal data, and Data Subject Request tools to respond to access, deletion, and portability requests. Microsoft also publishes Data Protection Impact Assessments (DPIAs) and signs a Data Processing Addendum (DPA) with customers.

What is the purpose of Compliance Manager?

Compliance Manager is a workflow-based tool in the Microsoft Purview compliance portal that helps organizations assess their compliance posture against various regulations (GDPR, HIPAA, NIST, etc.). It provides a compliance score, lists improvement actions with detailed guidance, and allows you to assign tasks to team members. It also supports automated testing of controls.

Where can I find SOC 2 Type II reports for Microsoft 365?

SOC 2 Type II reports are available in the Service Trust Portal under 'Audit Reports'. You must sign in with a Microsoft 365 account and accept the non-disclosure agreement (NDA) to download them. These reports are published by independent auditors and are a key resource for demonstrating Microsoft's operational controls.
