# Service Trust Portal

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/service-trust-portal

## Quick definition

The Service Trust Portal is a central online hub where you can find official documents about how Microsoft meets security and compliance standards. It includes audit reports, data protection agreements, and guides for using Microsoft cloud services in regulated industries. You do not need to be a security expert to use it, but you do need a Microsoft account and access to the portal. The portal helps organizations prove to auditors that they are using Microsoft services responsibly.

## Simple meaning

Think of the Service Trust Portal as a giant library of trustworthiness documents for Microsoft cloud services like Azure, Microsoft 365, and Dynamics 365. Imagine you are a building inspector who needs to check whether a skyscraper is safe. You cannot just take the builder's word for it. You need blueprints, safety certificates, inspection logs, and test results from independent experts. The Service Trust Portal is where Microsoft puts all that paperwork in one organized place.

When a company uses Microsoft cloud services, they need to prove to their own auditors and regulators that the services are secure. For example, a hospital that stores patient health records in the cloud must show that the cloud service meets healthcare privacy laws. Instead of each company asking Microsoft for these documents individually, Microsoft puts everything on the Service Trust Portal. You can find audit reports from third-party firms, data protection agreements, privacy white papers, and step-by-step guides on how to configure services to meet specific compliance standards.

The portal is organized by service and by compliance framework. You can look up documents for Azure, Microsoft 365, Dynamics 365, and other Microsoft online services. You can also filter by regulation type, such as ISO 27001, SOC 2, HIPAA, GDPR, or FedRAMP. Each document explains what Microsoft does to protect data and how you, as a customer, can check those claims. The portal also includes a feature called Compliance Manager, which helps you assess your own compliance posture and track improvement actions.

For IT certification learners, the Service Trust Portal is important because it demonstrates how cloud providers share accountability with customers. Knowing where to find and how to read these documents is a practical skill for anyone working with Microsoft cloud environments. It shows that security and compliance are not just about technical controls but also about transparency and documentation.

## Technical definition

The Service Trust Portal (STP) is a Microsoft-hosted web portal that provides a centralized repository of compliance and security documentation for Microsoft cloud services, including Azure, Microsoft 365, Dynamics 365, and Power Platform. It is part of the Microsoft Trust Center and is accessible to authenticated Microsoft Entra ID (formerly Azure Active Directory) users who have been granted explicit access permissions by their organization's tenant administrator.

The STP is structured around several key content types. Audit reports are third-party independent assessments against standards such as ISO 27001, SOC 1/2/3, FedRAMP, and the CSA STAR Registry. These reports include certification letters, audit scopes, and control matrices. Data protection resources include Data Protection Addenda (DPA), breach notification terms, data subject request guides, and data residency disclosures. Compliance guides offer whitepapers and deployment recommendations for aligning Microsoft services with regulations like GDPR, HIPAA, and PCI DSS. The Service Trust Portal also hosts the Compliance Manager tool, which is a workflow-based risk assessment dashboard that maps Microsoft controls to customer responsibilities.

From an implementation perspective, the STP uses role-based access control (RBAC) within Microsoft Entra ID. Only users with the Compliance Administrator, Security Administrator, or Global Administrator roles can view certain restricted documents. Some content, such as audit reports, may also require signing a non-disclosure agreement (NDA) before download. The portal itself is built on Microsoft's public cloud infrastructure and uses TLS 1.2 or higher for data in transit. Authentication is handled through OAuth 2.0 and OpenID Connect protocols.

The STP is not a monitoring or real-time compliance tool. It is a static document repository with periodic updates. For example, SOC reports are typically updated annually, while ISO certificates are reissued every three years. The portal maintains version history for key documents. The Compliance Manager tool, however, does include dynamic assessments that can track progress over time.

For IT professionals, the STP is an essential resource during vendor risk assessments, internal and external audits, and compliance certifications. It allows a company's compliance officer or IT auditor to download official evidence that Microsoft has implemented required controls. The portal also provides guidance on the Shared Responsibility Model, clarifying which security controls are managed by Microsoft and which remain the customer's obligation. Understanding how to navigate the STP and interpret its documents is a practical skill that appears in several Microsoft certification exams, including AZ-900, SC-900, and MS-900.

## Real-life example

Imagine you are renting an apartment in a large building. The landlord tells you that the building is safe, the wiring is up to code, and the fire alarms are tested regularly. But you are a cautious person. You do not just trust their word. You ask for proof. You want to see the fire inspection certificate from the city fire department. You want to read the annual electrical safety report from a licensed electrician. You want a written guarantee that your security deposit is held in a separate account. In this analogy, you are the customer or auditor, the landlord is Microsoft, and the building is the cloud service.

The Service Trust Portal is like a locked filing cabinet in the building manager's office that contains all those official documents. The landlord gives you a key (your Microsoft account and appropriate permissions), and you can go in and browse the papers anytime. You find the fire inspection report (the SOC 2 audit), the electrical safety certificate (the ISO 27001 certification), and the rental agreement addendum that covers your specific state's tenant laws (the Data Protection Addendum for GDPR). You can photocopy any document and show it to your own bank or insurance company (your internal auditors or regulators) to prove that the building is safe to rent from.

Now suppose you need to move your dental practice into the building. Dentists have strict privacy laws about patient records. You need to check whether the landlord's security policies meet those legal requirements. The filing cabinet has a special section just for healthcare tenants with documents on how the landlord handles sensitive information. You can also find a checklist that helps you figure out what additional locks you need to install on your own office door. That checklist is the Compliance Manager tool. It does not automatically secure your office, but it shows you what steps the landlord already took and what steps you still need to take yourself.

This analogy maps directly to the IT concept. The Service Trust Portal gives Microsoft's customers the evidence they need to trust the cloud and to satisfy their own auditors. Just as you rely on independent inspectors to verify a building's safety, companies rely on independent third-party audits hosted on the STP to verify Microsoft's security claims.

## Why it matters

The Service Trust Portal matters because security and compliance are not just about technology, they are about trust and evidence. When a company moves its data to a cloud provider, it is essentially outsourcing security controls to that provider. But the company remains legally responsible for protecting that data. This creates a need for verifiable proof that the cloud provider is doing what it promises. The Service Trust Portal is the mechanism that provides that proof.

For IT professionals, the STP is a practical tool used in everyday work. When an auditor asks for evidence of data protection controls, the IT team does not need to call Microsoft and wait for a salesperson to email a PDF. They can log into the STP, download the latest SOC report, and hand it directly to the auditor. This saves time and reduces friction during audits. It also demonstrates due diligence, which is a legal concept that helps protect the company from liability.

The STP also helps organizations avoid costly compliance mistakes. For example, a company might assume that because Microsoft is ISO 27001 certified, all of the company's own workloads are automatically compliant. That is not true. The Shared Responsibility Model means the customer must still configure their own settings. The STP provides detailed guidance on exactly what the customer needs to do. A healthcare organization can find specific instructions on configuring Azure SQL Database to meet HIPAA requirements. Without the STP, finding that information would require digging through scattered documentation or paying for external consultants.

Another reason the STP matters is that it is a required resource for many industry compliance frameworks. For example, organizations that need to achieve SOC 2 certification must demonstrate that they evaluate their subservice organizations (like Microsoft) on an ongoing basis. Using the STP to download and review Microsoft's SOC reports is a standard way to fulfill that requirement. Similarly, under GDPR, data controllers must ensure their processors have adequate safeguards. The STP provides the Data Protection Addendum and a list of Microsoft's sub-processors, which are both required for GDPR compliance.

For certification learners, understanding the STP shows that you know how to bridge the gap between technical configurations and business compliance requirements. It is a practical skill that hiring managers value because it directly impacts an organization's ability to sell to regulated industries, pass audits, and avoid fines.

## Why it matters in exams

The Service Trust Portal appears most prominently in Microsoft role-based certification exams, particularly in the Fundamentals and Administrator levels. For the Azure Fundamentals exam (AZ-900), questions about the STP usually fall under the 'Describe Identity, Governance, Privacy, and Compliance' domain, specifically the objective on the Microsoft Trust Center and the Service Trust Portal. Learners can expect one or two multiple-choice questions that ask what the STP is used for or where to find specific audit reports. These are usually straightforward, but the incorrect answer choices often include plausible-sounding but wrong alternatives like 'Azure Portal' or 'Microsoft 365 admin center'.

In the Microsoft Security, Compliance, and Identity Fundamentals (SC-900) exam, the STP is more heavily tested. This exam includes objectives on compliance management capabilities in Microsoft 365, and the STP is a key tool for accessing compliance documentation. Expect scenario-based questions where a compliance officer needs to download a SOC 2 Type II report for an external auditor. The correct answer would be Service Trust Portal, while distractors might include the Azure Active Directory admin center, the Microsoft 365 Defender portal, or the Purview compliance portal.

The Microsoft 365 Fundamentals (MS-900) exam also covers the STP, but more lightly. It appears in the section on compliance and privacy features. Learners should be able to differentiate the STP from the Microsoft 365 compliance center and the Microsoft Trust Center. The Trust Center is a broader website with general information, while the STP is the document repository. Another common exam trick is asking which portal is used to sign an NDA before viewing certain audit reports. The answer is always the Service Trust Portal.

For more advanced exams like the Azure Security Engineer (AZ-500) or Microsoft 365 Security Administrator (MS-500), the STP is less likely to appear as a standalone question, but it may be referenced in broader compliance scenarios. For example, a question might describe a situation where an organization is preparing for a GDPR audit and needs to show evidence of data processing agreements. The correct response might involve accessing the STP to retrieve the Data Protection Addendum.

General IT certifications like CompTIA Security+ or CISSP do not test the Service Trust Portal directly by name, because it is a Microsoft-specific tool. However, these exams cover the underlying concepts of third-party audit reports, Service Organization Controls (SOC), and evidence-based compliance. A well-rounded learner will recognize the STP as a real-world implementation of those broader concepts. In any exam where Microsoft cloud services are discussed, knowing the purpose and location of the Service Trust Portal is a clear point-scoring opportunity.

## How it appears in exam questions

Exam questions about the Service Trust Portal typically fall into three categories: tool identification, scenario-based document retrieval, and differentiation from other portals.

Tool identification questions are the most common at the fundamentals level. A typical question might ask: 'An organization needs to download a SOC 2 Type II report for their Azure environment. Which portal should they use?' The answer is the Service Trust Portal. Distractors often include the Azure portal, the Microsoft 365 admin center, and the Azure Active Directory admin center. The trick is that the Azure portal is for managing resources, not for compliance documentation. The Service Trust Portal is separate from both.

Scenario-based questions provide a short business context and ask you to select the right tool or action. For example: 'A compliance officer at a healthcare organization needs to provide proof to an auditor that Microsoft 365 meets HIPAA requirements. The officer must also sign a non-disclosure agreement before viewing certain documents. What should the officer do?' The correct answer involves logging into the Service Trust Portal, reviewing the HIPAA compliance guide, and completing the NDA process within the portal. These questions test your understanding of the workflow, not just the name of the portal.

Another common question type asks you to differentiate between the Service Trust Portal and the Microsoft Trust Center. The Trust Center is a public-facing website with general security and compliance information, while the STP is the authenticated portal where you can download actual documents. A question might state: 'A sales representative wants to share a high-level overview of Microsoft's security principles with a potential customer. Which resource should they use?' The answer is the Microsoft Trust Center, not the STP, because the STP requires authentication and contains confidential audit reports.

Some questions test your knowledge of the Compliance Manager tool, which is part of the STP. For example: 'You need to assess your organization's compliance posture against the GDPR framework and track improvement actions over time. Which tool within the Service Trust Portal should you use?' The answer is Compliance Manager. Incorrect answers might include Azure Policy or Microsoft Defender for Cloud.

Less common but still possible are questions about the types of documents found in the STP. You might be asked which of the following is NOT available in the Service Trust Portal: a) SOC 2 audit report, b) Data Protection Addendum, c) Azure pricing calculator, or d) ISO 27001 certificate. The Azure pricing calculator is obviously incorrect. These questions require you to remember the specific content categories of the STP.

## Example scenario

Scenario: You work as an IT support specialist for a midsize financial services company called NorthStar Finance. The company uses Microsoft 365 for email, document storage, and collaboration. Your compliance team is preparing for an annual SOC 2 audit, and the external auditor has asked for evidence that NorthStar's cloud provider, Microsoft, has adequate security controls in place. Your manager asks you to find the relevant documentation.

You remember from your AZ-900 studies that there is a portal called the Service Trust Portal where Microsoft publishes audit reports. You log in using your work Microsoft account. Since you are not a Global Administrator, you see only the publicly available documents at first. Your manager gives you a temporary role that allows access to the confidential audit reports after you sign a nondisclosure agreement digitally within the portal.

You navigate to the 'Audit Reports' section and filter by Microsoft 365. You find the latest SOC 2 Type II report, which covers the period of the past twelve months. You download the PDF and also the related control matrix. These documents show exactly which controls Microsoft has implemented and tested. You also download the Data Protection Addendum, which your compliance team needs for their own records.

While you are in the portal, you notice a section called 'Compliance Manager'. Curious, you open it and find a prebuilt assessment for SOC 2. It lists Microsoft's implemented controls and shows a column for customer actions. You realize this could help your team track their own remaining configurations needed to fully satisfy the audit requirements. You take a screenshot and share it with your manager.

You deliver the documents to the compliance team within two hours. The auditor reviews the SOC report and is satisfied. NorthStar Finance passes the audit without any findings related to the cloud provider. Your manager is impressed that you knew exactly where to find the information without asking for help. This scenario shows how the Service Trust Portal is used in a real work situation to support a compliance audit, save time, and demonstrate professional competence.

## Common mistakes

- **Mistake:** Thinking the Service Trust Portal is the same as the Azure Portal.
  - Why it is wrong: The Azure Portal is for managing cloud resources like virtual machines, databases, and networks. It does not contain compliance audit reports or data protection documents. The Service Trust Portal is a separate website dedicated to compliance and trust documentation.
  - Fix: Remember that the Azure Portal is for operations, and the Service Trust Portal is for compliance evidence. If you need an audit report, go to the Service Trust Portal. If you need to spin up a VM, go to the Azure Portal.
- **Mistake:** Assuming all documents on the Service Trust Portal are publicly accessible without authentication.
  - Why it is wrong: Many audit reports and compliance documents on the STP require you to sign a non-disclosure agreement (NDA) before you can view or download them. Some documents also require specific admin roles like Compliance Administrator or Global Administrator.
  - Fix: Always expect that sensitive documents require authentication and possibly an NDA. If you cannot access a document, check with your tenant administrator to get the right permissions.
- **Mistake:** Confusing the Service Trust Portal with the Microsoft Trust Center.
  - Why it is wrong: The Microsoft Trust Center is a public website with general security and compliance information, case studies, and overviews. It is designed for anyone to learn about Microsoft's principles. The Service Trust Portal is the authenticated repository for actual audit reports and legal documents.
  - Fix: Think of the Trust Center as a marketing and education site. Think of the Service Trust Portal as the private vault where the real documents are stored. If you need to download an actual report, use the STP.
- **Mistake:** Believing that downloading a SOC report from the STP automatically makes your organization compliant.
  - Why it is wrong: The SOC report only proves that Microsoft has implemented certain controls. It does not mean that your own configuration of Microsoft services meets all compliance requirements. Compliance is a shared responsibility.
  - Fix: Use the SOC report as evidence for your auditor, but also use the Compliance Manager tool and other guidance on the STP to check your own configurations. You must still meet your own responsibilities under the Shared Responsibility Model.

## Exam trap

{"trap":"A question asks: 'Where would you go to download a SOC 2 report for Azure?' and the options include the Azure Portal, Microsoft 365 admin center, and Service Trust Portal. The learner might pick the Azure Portal because they associate Azure with SOC reports, but that is incorrect.","why_learners_choose_it":"Learners often assume that all Azure-related activities happen in the Azure Portal. They may not realize that compliance documentation is stored separately in the Service Trust Portal to keep operational management and compliance evidence isolated.","how_to_avoid_it":"Remember that the Service Trust Portal is the exclusive location for audit reports, compliance documents, and data protection resources across all Microsoft cloud services. The Azure Portal is for resource management only. If the task is downloading an audit report, the answer is always the Service Trust Portal."}

## Commonly confused with

- **Service Trust Portal vs Microsoft Trust Center:** The Microsoft Trust Center is a public-facing website that provides general information about Microsoft's security principles, privacy policies, and compliance certifications. It is educational and open to everyone. The Service Trust Portal is a restricted-access repository where authenticated users can download actual audit reports, data protection addenda, and detailed compliance documents. (Example: A potential customer wants to learn about Microsoft's security approach before signing up. They visit the Trust Center. A compliance officer needs the actual SOC 3 report to send to an auditor. They go to the Service Trust Portal.)
- **Service Trust Portal vs Microsoft Purview Compliance Portal:** Microsoft Purview Compliance Portal (formerly Microsoft 365 compliance center) is a tool for managing your organization's own compliance posture, including data classification, retention policies, and insider risk management. The Service Trust Portal is for reviewing Microsoft's compliance documentation, not for configuring your own policies. (Example: You create a data retention policy in the Purview portal. You download Microsoft's ISO 27001 certificate from the Service Trust Portal.)
- **Service Trust Portal vs Azure Policy:** Azure Policy is a service within the Azure portal that enforces rules on how your Azure resources are configured, such as requiring encryption on storage accounts. The Service Trust Portal has nothing to do with enforcement. It only provides documentation and evidence. (Example: You create a policy in Azure Policy to deny creation of unencrypted disks. You use the Service Trust Portal to find the Data Protection Addendum that outlines Microsoft's data handling commitments.)

## Step-by-step breakdown

1. **Step 1: Navigate to the Service Trust Portal** — Open a web browser and go to the Service Trust Portal URL (servicetrust.microsoft.com). You do not need a special link because it is a public web address. The portal will redirect you to a Microsoft login page if you are not already signed in.
2. **Step 2: Authenticate with your Microsoft Entra ID account** — Sign in using the credentials associated with your organization's Microsoft Entra ID (formerly Azure Active Directory) tenant. If your organization uses Microsoft 365 or Azure, you already have an account. Your access to documents depends on the roles assigned to you by your tenant admin.
3. **Step 3: Agree to the Non-Disclosure Agreement (NDA) if prompted** — The first time you access certain restricted documents, you will be asked to review and accept a non-disclosure agreement. This is a legal requirement to view confidential audit reports. You may need to accept the NDA annually. Without accepting, you will see only a limited set of publicly available content.
4. **Step 4: Choose a service and document category** — The STP organizes content by cloud service (Azure, Dynamics 365, Microsoft 365, Power Platform) and by document type (Audit Reports, Data Protection, Compliance Guides, Whitepapers). Use the menu or search bar to filter. For example, select Azure under 'Audit Reports' to see Azure-specific SOC reports.
5. **Step 5: Locate and download the required document** — Browse the list of available reports for your selected service and compliance framework. Click on the report name to expand details, then click the download button. The document is typically a PDF. Some reports have language versions or multiple parts. Verify the report date covers the audit period you need.
6. **Step 6: Use Compliance Manager for internal assessments (optional)** — From the STP home page, access Compliance Manager to create assessments for frameworks like GDPR, HIPAA, or ISO 27001. This tool maps Microsoft controls to your organization's responsibilities. It does not replace downloading reports but helps you track your own compliance tasks.

## Practical mini-lesson

The Service Trust Portal is not just a place to download PDFs. It is a strategic tool that professionals use during vendor risk assessments, compliance audits, and internal security reviews. Understanding how to use it effectively can differentiate you in the workplace.

When you access the STP, the first thing to check is your role-based access. Not everyone in your organization has the same level of visibility. Typically, Global Administrators, Compliance Administrators, and Security Administrators have the highest access. If you are a regular user, you may need to request a role elevation or ask an admin to download a specific document for you. Some organizations automate this by creating a security group that grants STP access to the compliance team. Knowing this helps you troubleshoot access issues without opening a support ticket.

The documents themselves are not all the same. SOC 1 reports focus on financial controls, SOC 2 reports cover security, availability, processing integrity, confidentiality, and privacy, and SOC 3 reports are a public summary of SOC 2. For IT certification learners, understanding the difference is important because exam questions may ask which type of report is appropriate for a given scenario. For example, if the scenario involves a financial audit, a SOC 1 report is relevant. If it involves data security, SOC 2 is the right choice.

Another practical skill is learning how to read an audit report. These reports contain an opinion letter from the auditor, a description of the system, and a control matrix. The control matrix lists each control objective and whether the controls were effective during the testing period. Some controls are designated as 'carved out,' meaning they are not covered by the audit and are the customer's responsibility. Recognizing carved-out controls is essential for your own compliance gap analysis.

The Compliance Manager tool can be confusing because it overlaps with other Microsoft compliance tools. In the STP, Compliance Manager provides prebuilt assessments that link to Microsoft's control mappings. You can assign tasks to team members, track progress, and export reports. This is useful for demonstrating due diligence to regulators. However, be aware that Compliance Manager does not automatically enforce any configurations. It is a planning and tracking tool, not an enforcement tool.

What can go wrong? A common mistake is downloading an outdated report. Always check the report date and ensure it covers the period your auditor is requesting. Another issue is forgetting to accept the NDA annually. The portal will hide restricted content until you renew your agreement. Finally, do not assume that having a document from the STP means you have no further work. The Shared Responsibility Model means you still need to configure your own environments according to the compliance requirements. The STP gives you the evidence, but you must still build the compliant configuration.

## Memory tip

STP = Show The Paper: When an auditor asks for proof, show them the paper from the Service Trust Portal.

## FAQ

**Do I need a paid subscription to access the Service Trust Portal?**

No, the Service Trust Portal is freely accessible to anyone with a Microsoft Entra ID account that is linked to an organization. You do not need a paid Azure or Microsoft 365 subscription to view the publicly available documents, but restricted content may require specific admin roles.

**Can I access the Service Trust Portal with a personal Microsoft account like Outlook.com?**

No, you need a work or school account that is managed by a Microsoft Entra ID tenant. Personal Microsoft accounts (like @outlook.com or @hotmail.com) cannot be used to access the Service Trust Portal.

**How often are the audit reports on the Service Trust Portal updated?**

The update frequency depends on the type of report. SOC 2 reports are typically updated annually, ISO certificates are reissued every three years, and some whitepapers are updated less regularly. The portal shows the effective dates for each document.

**Why can't I see certain documents even though I am logged in?**

You may not have the necessary role assignments. Global Administrators, Compliance Administrators, and Security Administrators can access nearly all documents. Other users may need to request access from their tenant admin or sign an NDA first.

**Is the Compliance Manager tool part of the Service Trust Portal or a separate service?**

Compliance Manager is a feature within the Service Trust Portal. You can access it directly from the portal's navigation menu. It is not a separate website, but it does have its own dashboard and assessment capabilities.

**Can I use the Service Trust Portal to check if my own organization is compliant?**

The portal provides documentation about Microsoft's compliance, not about your own organization. However, the Compliance Manager tool can help you assess your organization's readiness by mapping Microsoft's controls to your responsibilities. You still need to evaluate your own configurations separately.

## Summary

The Service Trust Portal is a vital resource for any IT professional working with Microsoft cloud services. It serves as the single source of truth for compliance documentation, including third-party audit reports, data protection agreements, and compliance guidance. The portal is not just a library of PDFs. It is a practical tool that supports real-world activities like external audits, vendor risk assessments, and internal compliance reviews.

For IT certification learners, the Service Trust Portal appears in several Microsoft Fundamentals exams and is a clear point-scoring topic. Understanding its purpose, how to access it, and how to differentiate it from other Microsoft portals is essential. The most common exam traps involve confusing the STP with the Azure Portal or the Microsoft Trust Center, or forgetting that some documents require an NDA to access. Mastering these distinctions will help you avoid losing easy points.

Beyond exams, the Service Trust Portal teaches an important lesson about shared responsibility and accountability in cloud computing. It shows that compliance is not a one-time checkbox but an ongoing process of gathering evidence, reviewing controls, and meeting customer obligations. Professionals who know how to use the STP efficiently can save their organizations time during audits and demonstrate due diligence to regulators. Whether you are studying for your first Microsoft certification or preparing for a compliance audit at work, the Service Trust Portal is a practical skill that will serve you well throughout your IT career.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/service-trust-portal
