
Service Trust Portal

This chapter covers the Service Trust Portal (STP), a critical resource for understanding Microsoft's compliance, security, and privacy practices. For the SC-900 exam, the STP is a key component of Compliance Solutions (Domain 4), specifically objective 4.4. Expect 1-2 questions that test your knowledge of the STP's purpose, key documents, access requirements, and how it differs from other compliance portals. Mastering the STP will help you answer questions about where to find audit reports, how to sign NDAs, and which documents are publicly available.

25 min read
Intermediate
Updated May 31, 2026

Service Trust Portal as a Library of Audit Reports

Imagine you are a security auditor for a large corporation, and you need to verify that your cloud service provider meets strict compliance standards like ISO 27001 or SOC 2. The Service Trust Portal (STP) is like a giant, well-organized library that houses all the official audit reports, compliance guides, and security white papers for Microsoft's cloud services. Just as a library has a catalog system to find books, the STP uses a search and filter interface to locate specific documents. When you request a document, the library (STP) provides a digital copy that you can download, but some documents are only available after you sign a non-disclosure agreement (NDA) — like a restricted section of the library. The library also has a 'current reading room' where you can see the latest editions of frequently updated reports. Importantly, the library is publicly accessible to anyone, but to view certain confidential documents, you must prove your identity (Azure AD credentials) and agree to keep the information private. The library's staff (Microsoft) ensures all documents are up-to-date and removes outdated versions. This library is the single source of truth for compliance documentation, so you don't have to hunt through multiple websites or contact support for each report.

How It Actually Works

What is the Service Trust Portal?

The Service Trust Portal (STP) is a Microsoft-provided web portal that serves as a central repository for compliance, security, privacy, and trust-related documentation for Microsoft cloud services, including Azure, Microsoft 365, Dynamics 365, and Power Platform. It is designed to help customers understand Microsoft's compliance posture, audit their own compliance obligations, and meet regulatory requirements. The STP is publicly accessible at https://servicetrust.microsoft.com, but some content requires authentication and acceptance of a non-disclosure agreement (NDA).

Why Does the STP Exist?

Organizations that use Microsoft cloud services must often demonstrate compliance with industry standards and regulations, such as ISO 27001, SOC 1/2/3, FedRAMP, HIPAA, GDPR, and others. Rather than each customer independently auditing Microsoft, Microsoft undergoes third-party audits and publishes the results on the STP. This reduces the burden on both parties and provides a single source of truth for compliance documentation. The STP also includes resources like compliance guides, white papers, and tools (e.g., Compliance Score) to help customers assess their own compliance.

Key Documents and Resources on the STP

The STP hosts a wide variety of documents, which can be categorized as follows:

Audit Reports: These are third-party audit reports, such as SOC 1, SOC 2, SOC 3, ISO 27001/27002/27017/27018, FedRAMP Package, and more. These reports are typically available for download after signing an NDA.

Certifications: Documents that list Microsoft's certifications and attestations for various services.

Compliance Guides: Detailed guidance on how Microsoft services help customers meet specific compliance requirements (e.g., GDPR compliance guide, HIPAA compliance guide).

Whitepapers: Technical papers on security, privacy, and compliance topics, such as data encryption, data residency, and incident response.

FAQs and Overviews: High-level summaries of compliance programs and trust principles.

Tools: The Compliance Score tool (now part of Microsoft Purview Compliance Manager) was originally accessible via the STP, but it has been migrated to the Microsoft 365 compliance center. However, the STP still provides links to Compliance Manager.

Regional and Industry-Specific Documents: For example, UK Government Cloud (G-Cloud) documents, Australia IRAP reports, and more.

Accessing the STP and NDA Requirements

The STP is divided into two access levels:

1. Public Content: Anyone can browse the STP and view some content without authentication. This includes overviews, some whitepapers, and the list of certifications. However, most audit reports are not available publicly.

2. NDA-Protected Content: To access audit reports and other sensitive documents, you must sign a non-disclosure agreement (NDA) with Microsoft. This requires:

   - An Azure Active Directory (Azure AD) account (work or school account).
   - Acceptance of the Microsoft NDA (once per tenant).
   - For some documents, additional role-based access or specific agreements may be required.

The NDA is a legal agreement that prohibits you from sharing the contents of the documents with unauthorized parties. Once signed, it applies to all users in the same Azure AD tenant. The NDA is typically signed by a tenant administrator, but individual users may need to accept it as well.

How to Navigate the STP

The STP interface has several main sections:

Home: Provides links to popular documents, recent updates, and featured content.

Audit Reports: A library of audit reports organized by service (e.g., Azure, Microsoft 365) and standard (e.g., SOC, ISO). You can filter by date, service, and certification.

Compliance Guides: Searchable guides for specific regulations.

Certifications: A list of Microsoft's certifications with links to the corresponding audit reports.

Resources: Additional whitepapers, FAQs, and tools.

My Library: A personalized area where you can save documents for easy access.

Search functionality is available, and you can filter by document type, service, and date. The STP also provides RSS feeds for updates.

Document Download and Retention

Documents on the STP are typically available in PDF format. Some documents are updated regularly (e.g., SOC reports are often issued annually). Microsoft provides a history of previous versions, but only the latest version is highlighted. When you download a document, it is usually timestamped with the date of publication. There is no limit on downloads, but you must comply with the NDA terms.

Integration with Other Microsoft Compliance Tools

The STP is closely integrated with the Microsoft Purview compliance portal. For example:

Compliance Manager: Originally a tool within the STP, now part of Microsoft Purview. It helps customers track their compliance posture and map controls to Microsoft's responsibilities.

Microsoft 365 compliance center: Provides access to Compliance Manager and other compliance features, with links to relevant STP documents.

Azure Security Center / Microsoft Defender for Cloud: While these focus on security, they may reference STP documents for compliance evidence.

Regional and Sovereign Clouds

The STP also provides content specific to sovereign clouds, such as:

- Microsoft Cloud for US Government (GCC, GCC High, DoD)
- Microsoft Cloud Germany (now deprecated)
- Microsoft Cloud for China (operated by 21Vianet)

Each sovereign cloud has its own STP page or separate documentation due to different compliance requirements.

Updates and Notifications

Microsoft regularly updates the STP with new reports and documents. You can subscribe to RSS feeds or check the "What's New" section to stay informed. The STP also includes a release calendar for upcoming reports.

Limitations and Considerations

The STP does not provide real-time compliance data; it is a repository of static documents.

Some documents may be available only in English, though regional documents are translated.

Access to certain documents may require additional approvals beyond the NDA (e.g., for FedRAMP packages, you may need to be a US government customer).

The STP is not a compliance automation tool; it is a document library.

Exam Relevance for SC-900

For the SC-900 exam, you need to know:

The purpose of the STP: a central location for Microsoft's compliance documentation.

Key documents: audit reports (SOC, ISO), compliance guides, certifications.

Access requirements: public vs. NDA-protected content.

How the STP relates to Compliance Manager (now in Purview).

That the STP is available at https://servicetrust.microsoft.com.

That signing an NDA is required for most audit reports.

That the STP covers Azure, Microsoft 365, Dynamics 365, and Power Platform.

Common Exam Traps

Trap: Thinking that the STP provides real-time compliance monitoring. Reality: It provides static documents.

Trap: Believing that all content is publicly available. Reality: Most audit reports require an NDA.

Trap: Confusing the STP with the Microsoft 365 compliance center or Azure Security Center. Reality: The STP is specifically for compliance documentation, while the compliance center is for managing compliance posture.

Trap: Assuming the STP is only for Azure. Reality: It covers all major Microsoft cloud services.

How to Verify Access

To verify that you have access to NDA-protected content, you can:

1. Go to https://servicetrust.microsoft.com.
2. Click on "Audit Reports" or "Compliance Guides."
3. If you are not signed in, you will be prompted to sign in with your Azure AD account.
4. If you have not accepted the NDA, you will be asked to review and accept it.
5. After acceptance, you can download documents.

There is no command-line interface for the STP; it is a web-based portal.

Step-by-Step Access Process

1. Navigate to the STP: Open a web browser and go to https://servicetrust.microsoft.com.

2. Sign In: Click "Sign In" in the top-right corner and authenticate using your Azure AD credentials (work or school account).

3. Accept the NDA: If prompted, read and accept the Microsoft NDA. This is a one-time acceptance per tenant. The NDA text is displayed, and you must click "Agree" to proceed.

4. Browse Documents: Use the menu to select "Audit Reports" or "Compliance Guides." Use filters to narrow down by service (e.g., Azure) or certification (e.g., SOC 2).

5. Download a Document: Click on the document name to open its details page. Then click "Download" to save the PDF. Some documents may require additional permission if they are restricted to specific customer types.

6. Use My Library: To save documents for later, click the bookmark icon to add them to "My Library."

7. Check for Updates: Visit the "What's New" section or subscribe to RSS feeds to stay informed about new documents.

Key Values and Defaults

STP URL: https://servicetrust.microsoft.com

NDA: Required for most audit reports; accepted per Azure AD tenant.

Document Formats: Primarily PDF.

Update Frequency: Varies; SOC reports are typically annual, while some guides are updated more frequently.

Supported Services: Azure, Microsoft 365, Dynamics 365, Power Platform, and sovereign clouds.

Languages: Primarily English, with some regional documents in local languages.

Related Technologies

Microsoft Purview Compliance Manager: Provides a dashboard for managing compliance activities and maps to STP documents.

Microsoft 365 compliance center: Offers compliance solutions like data loss prevention (DLP), information protection, and eDiscovery, with links to STP.

Azure Policy / Azure Blueprints: Used to enforce compliance at the Azure resource level, referencing STP documents for baseline controls.

Summary

The Service Trust Portal is an essential resource for anyone needing to verify Microsoft's compliance with industry standards. It provides a centralized library of audit reports, certifications, and compliance guides. Understanding its access requirements and document types is crucial for the SC-900 exam.

Walk-Through

1. Navigate to the STP URL

Open a web browser and go to https://servicetrust.microsoft.com. The portal is publicly accessible, but most valuable content requires authentication. If you are not signed in, you will see a limited set of public documents. This step is the entry point for all users.

2. Authenticate with Azure AD

Click the 'Sign In' button in the top-right corner. You must use a work or school account (Azure AD account). Personal Microsoft accounts (e.g., Outlook.com) are not supported. After successful authentication, the portal recognizes your tenant and checks whether the NDA has been accepted.

3. Accept the Non-Disclosure Agreement

If your tenant has not yet accepted the Microsoft NDA, you will be prompted to review and agree to it. The NDA is a legal contract that prohibits sharing the contents of audit reports with unauthorized parties. Acceptance is per tenant and applies to all users in that tenant. Once accepted, you can download NDA-protected documents.

4. Browse or Search for Documents

Use the menu options (e.g., Audit Reports, Compliance Guides) to find documents. You can filter by service (Azure, Microsoft 365, etc.) and certification (SOC, ISO, etc.). The search bar allows keyword searches. The portal displays a list of documents with titles, dates, and descriptions.

5. Download a Document

Click on a document title to open its details page. Review the description and publication date. Then click the 'Download' button. The document is typically a PDF file. Some documents may require additional permissions (e.g., FedRAMP packages might require US government affiliation). The download is saved locally.

What This Looks Like on the Job

Enterprise Scenario 1: SOC 2 Audit Preparation

A financial services company must provide evidence of their cloud provider's SOC 2 compliance to their own auditors. The company's compliance officer navigates to the STP, signs in with their Azure AD account, and accepts the NDA. They filter for "SOC 2" and "Azure" and download the latest SOC 2 Type II report. This report contains the independent auditor's opinion on Microsoft's controls. The officer then shares the report with their external auditor under the terms of the NDA. Without the STP, the company would have to request the report directly from Microsoft, which could take days. The STP provides instant access, but the officer must ensure they have the correct version and that the report covers the relevant service period.

Enterprise Scenario 2: GDPR Compliance Documentation

A multinational corporation needs to demonstrate that Microsoft 365 meets GDPR requirements. The privacy team uses the STP to find the GDPR compliance guide and the Data Protection Addendum (DPA). They also download the ISO 27001 audit report to show that Microsoft has a certified information security management system. The team saves these documents to their My Library for easy reference during internal audits. They also subscribe to the STP RSS feed to receive notifications when new versions of the DPA are published. A common mistake is failing to check the document's publication date; relying on an outdated DPA could lead to non-compliance.

Scenario 3: FedRAMP Authorization for Government Customers

A US federal agency requires FedRAMP authorization for Azure Government. The agency's security team accesses the STP and navigates to the FedRAMP section. They find the Azure Government FedRAMP Package, which includes the System Security Plan (SSP), Security Assessment Report (SAR), and other artifacts. However, these documents are restricted to authorized US government customers. The team must have a specific Azure AD account that is part of a tenant that meets the eligibility criteria. If they are not eligible, they must contact Microsoft to request access. This scenario highlights that not all STP content is available to every customer; some documents have additional access controls.

Common Issues and Troubleshooting

NDA Not Accepted: Users may see a message that they cannot download certain documents. The solution is to have an administrator accept the NDA on behalf of the tenant.

Wrong Account Type: Personal accounts (e.g., @outlook.com) cannot access the STP. Users must use their work or school account.

Document Not Found: If a specific report is not listed, it may not yet be published or may have been removed. Check the "What's New" section or contact Microsoft support.

Permission Denied: Some documents require additional roles (e.g., Compliance Administrator) or specific agreements. Verify with the tenant administrator.

Performance and Scale

The STP is a web application hosted by Microsoft and is designed to handle high traffic. There are no performance issues for typical usage, and even downloading large documents (FedRAMP packages, for example, can run to hundreds of pages) is straightforward. The portal does not impose download limits, but users should respect the NDA terms.

How SC-900 Actually Tests This

What SC-900 Tests on the Service Trust Portal

The SC-900 exam objective 4.4 focuses on "Describe the compliance management capabilities in Microsoft Purview." The STP is a key component. Specifically, you need to understand:

- Purpose: Central repository for Microsoft's compliance documentation.
- Content Types: Audit reports (SOC, ISO, FedRAMP), compliance guides, certifications, whitepapers.
- Access: Public vs. NDA-protected; authentication with Azure AD; NDA acceptance per tenant.
- Services Covered: Azure, Microsoft 365, Dynamics 365, Power Platform.
- Related Tools: Compliance Manager (now in Purview) uses STP documents.

Common Wrong Answers and Why Candidates Choose Them

1. "The STP provides real-time compliance monitoring." Candidates confuse the STP with Compliance Manager or Azure Security Center. The STP only hosts static documents.

2. "All documents on the STP are publicly available." Many candidates assume that because the portal is public, all content is public. In reality, most audit reports require an NDA.

3. "The STP is only for Azure." Candidates forget that it covers Microsoft 365, Dynamics 365, and Power Platform as well.

4. "You need an Azure subscription to access the STP." No subscription is needed; only an Azure AD account (work or school) is required.

Specific Numbers and Terms That Appear on the Exam

URL: https://servicetrust.microsoft.com (exact URL may be tested).

NDA: Non-disclosure agreement required for audit reports.

Azure AD: Required for authentication.

SOC, ISO, FedRAMP: Common audit report types.

Compliance Manager: Tool that uses STP documents (formerly part of STP).

Edge Cases and Exceptions

Sovereign Clouds: STP has separate content for government clouds (GCC, GCC High, DoD) and China (21Vianet).

Role-Based Access: Some documents require specific roles (e.g., Compliance Administrator).

Regional Documents: Some documents are only available in certain languages or for specific regions.

How to Eliminate Wrong Answers

If the question asks where to find audit reports, eliminate options that mention real-time monitoring, security alerts, or subscription requirements.

If the question mentions NDA, look for the STP or Compliance Manager.

If the question is about compliance documentation for Microsoft 365, remember that the STP covers it, not just Azure.

For access questions, remember that an Azure AD account is needed, not a subscription.

Key Takeaways

The Service Trust Portal (STP) is a central repository for Microsoft's compliance documentation, including audit reports, certifications, and compliance guides.

STP URL: https://servicetrust.microsoft.com (memorize for exam).

Access to most audit reports requires an Azure AD account and acceptance of a non-disclosure agreement (NDA).

The STP covers Azure, Microsoft 365, Dynamics 365, and Power Platform.

Documents are static; the STP does not provide real-time compliance monitoring.

The NDA is accepted per Azure AD tenant and applies to all users in that tenant.

Compliance Manager (in Microsoft Purview) uses STP documents to help customers assess compliance.

Sovereign clouds (e.g., GCC, DoD) have separate STP content.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Service Trust Portal (STP)

Central repository for compliance documents (audit reports, guides).

Provides static documents that are updated periodically.

Requires NDA for most audit reports.

Accessed via https://servicetrust.microsoft.com.

No built-in compliance scoring or action tracking.

Microsoft Purview Compliance Manager

Tool for managing compliance posture and tracking actions.

Provides dynamic compliance score and recommendations.

Does not require NDA for its own interface (but uses STP documents).

Accessed via Microsoft Purview compliance portal.

Allows assignment of tasks and assessment of controls.

Watch Out for These

Mistake

The Service Trust Portal provides real-time compliance data.

Correct

The STP hosts static documents (audit reports, guides) that are updated periodically (e.g., annually). It does not provide real-time monitoring or dynamic compliance status.

Mistake

All content on the Service Trust Portal is publicly accessible without authentication.

Correct

While the portal is public, most audit reports require you to sign in with an Azure AD account and accept a non-disclosure agreement (NDA) before downloading.

Mistake

The Service Trust Portal only covers Azure services.

Correct

The STP covers Azure, Microsoft 365, Dynamics 365, Power Platform, and sovereign clouds. It is not limited to Azure.

Mistake

You need a paid Azure subscription to access the Service Trust Portal.

Correct

No subscription is required. You only need an Azure AD account (work or school account) to sign in. The portal is free to access.

Mistake

The Service Trust Portal is the same as the Microsoft 365 compliance center.

Correct

The STP is a separate portal focused on compliance documentation. The Microsoft 365 compliance center provides tools for managing compliance (e.g., Compliance Manager, DLP) and links to STP documents.

Frequently Asked Questions

What is the Service Trust Portal used for?

The Service Trust Portal is used to access Microsoft's compliance documentation, such as audit reports (SOC, ISO, FedRAMP), compliance guides, and certifications. It helps customers verify Microsoft's compliance with industry standards and regulations. For SC-900, remember that it is a document library, not a real-time monitoring tool.

Do I need a subscription to access the Service Trust Portal?

No, you do not need a subscription. You only need an Azure AD account (work or school account) to sign in. The portal is free to access. However, some documents may require additional permissions (e.g., FedRAMP packages for government customers).

What is the difference between the Service Trust Portal and Compliance Manager?

The Service Trust Portal is a repository of static compliance documents. Compliance Manager (part of Microsoft Purview) is a tool that helps you manage your compliance posture by providing a compliance score, assessments, and actionable recommendations. Compliance Manager references documents from the STP.

What types of documents are available on the Service Trust Portal?

The STP hosts audit reports (SOC 1/2/3, ISO 27001, FedRAMP, etc.), compliance guides (GDPR, HIPAA, etc.), certifications, whitepapers, FAQs, and tools like Compliance Score (now in Purview). Most audit reports require an NDA.

How do I accept the non-disclosure agreement on the Service Trust Portal?

When you sign in to the STP with your Azure AD account and try to access an NDA-protected document, you will be prompted to review and accept the Microsoft NDA. This is a one-time acceptance per tenant. After acceptance, all users in that tenant can download NDA-protected documents.

Does the Service Trust Portal cover Microsoft 365 or only Azure?

The STP covers all major Microsoft cloud services, including Azure, Microsoft 365, Dynamics 365, and Power Platform. It also includes content for sovereign clouds like Microsoft Cloud for US Government and Microsoft Cloud for China.

Can I get real-time compliance data from the Service Trust Portal?

No, the STP only provides static documents that are updated periodically (e.g., SOC reports are typically annual). For real-time compliance monitoring, you would use other tools like Microsoft Purview Compliance Manager or Azure Policy.
