Enterprise guide to achieving SOC 2 Type II compliance. Trust Service Criteria mapping, Conditional Access, DLP, audit logging, evidence collection, and continuous compliance monitoring.
SOC 2 Compliance Microsoft 365 Enterprise Guide 2026 — enterprise reference guide from EPC Group, built from 29 years of Microsoft consulting engagements at Fortune 500 scale. Covers architecture, governance, compliance, pricing benchmarks, and implementation timelines for the Microsoft ecosystem.
SOC 2 (Service Organization Control 2) is an audit framework created by the AICPA. It assesses an organization's controls against five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
To achieve SOC 2 compliance on Microsoft 365, you need to set up several key components: Conditional Access, Data Loss Prevention (DLP), audit logging with adequate retention, evidence collection, and continuous compliance monitoring.
SOC 2 Type I assesses control design at a specific point in time. In contrast, Type II examines how effectively these controls function over a period, usually 12 months.
Most enterprise customers require Type II compliance from their vendors.
SOC 2 compliance is now a basic requirement for any organization that manages customer data, including SaaS providers, financial services firms, healthcare organizations, and organizations serving government. All these sectors must meet SOC 2 audit requirements from their enterprise customers. The question has shifted from whether you need SOC 2 to how well you can achieve and maintain it.
Microsoft 365 is the foundation of productivity and collaboration for many organizations. The E5 tier offers built-in controls that align with the SOC 2 Trust Service Criteria, including Conditional Access, Purview Data Loss Prevention, sensitivity labels, Advanced Audit, and Defender XDR.
Unified Audit Logging offers the evidence trail that auditors require, and Purview Compliance Manager features ready-to-use SOC 2 assessment templates. The challenge lies not in the availability of tools but in configuring them correctly, moving them from design into enforced operation, and collecting evidence that proves they worked across the whole audit period.
EPC Group has guided organizations through SOC 2 Type II audits using Microsoft 365 as the primary control platform. Our Microsoft 365 consulting practice configures all SOC 2-relevant controls, builds evidence collection workflows, and conducts pre-audit readiness assessments to identify gaps before auditors arrive. We also work with organizations preparing for their regulated industry compliance requirements across healthcare, financial services, and government.
Type I vs. Type II: SOC 2 Type I evaluates whether controls are properly designed at a specific point in time — it is a snapshot. SOC 2 Type II evaluates whether those controls operated effectively over a period (typically 12 months). Enterprise customers almost always require Type II because it proves sustained compliance, not just good intentions. EPC Group recommends starting with Type I to validate control design, then progressing to Type II after 12 months of operation.
Each Trust Service Criterion maps to specific Microsoft 365 features and configurations. Security is mandatory; the remaining four are selected based on your business and customer requirements.

- Security: Controls protecting against unauthorized access. Required for every SOC 2 report.
- Availability: Controls ensuring systems are operational and accessible as committed or agreed.
- Processing Integrity: Controls ensuring data processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Controls protecting information designated as confidential from unauthorized disclosure.
- Privacy: Controls over the collection, use, retention, disclosure, and disposal of personal information.
Conditional Access is the primary enforcement mechanism for SOC 2 logical access controls. These policies map directly to Common Criteria (CC) requirements that auditors evaluate.
| Policy | SOC 2 Control | Priority |
|---|---|---|
| Require MFA — All Users, All Apps | CC6.1 | Critical |
| Block Legacy Authentication | CC6.1 | Critical |
| Require Compliant Device | CC6.1, CC6.8 | High |
| Block Untrusted Locations | CC6.1, CC6.2 | High |
| Require App Protection (Mobile) | CC6.7 | High |
| Session Timeout — Sensitive Apps | CC6.1, CC6.3 | Medium |
| Block High-Risk Sign-Ins | CC6.1 | Critical |
| Require Password Change — High User Risk | CC6.1 | High |
Auditor Tip: Export all Conditional Access policies as JSON from the Entra admin center and include them in your evidence binder. Auditors review the policy configuration to verify MFA enforcement, legacy auth blocking, and device compliance requirements. Also provide Entra ID sign-in logs showing CA policy application across the audit period — this proves the policies were not just configured but actively enforcing access controls.
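The auditor tip above turns on two questions: is each baseline policy present in the exported JSON, and is it actually enforced rather than sitting in report-only mode? The following script is an added example (not EPC Group's or Microsoft's code) that evaluates an exported policy set against three rows of the table. It assumes the export uses the Microsoft Graph conditionalAccessPolicy shape (`displayName`, `state`, `conditions.users`, `conditions.applications`, `conditions.clientAppTypes`, `grantControls.builtInControls`); the three sample policies and the `<break-glass-guid>` placeholder are constructed for illustration.

```python
"""Check an exported set of Entra Conditional Access policies against the SOC 2
baseline (MFA for all users/apps, legacy auth blocked, compliant device required).
Added example, not EPC Group code. Policy documents follow the Graph
conditionalAccessPolicy shape; the sample export below is constructed."""
import json

# Constructed sample export: three policies as they would appear after export.
SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "CA001 - Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-guid>"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "CA002 - Block legacy authentication",
        # Report-only: designed, but not operating, so it earns no audit credit.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "CA003 - Require compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            # Scoped to one app, so it does not satisfy an all-apps control.
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
])

# Client app types that represent legacy authentication in Conditional Access.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}


def _all_users_all_apps(policy):
    cond = policy["conditions"]
    return (cond["users"].get("includeUsers") == ["All"]
            and cond["applications"].get("includeApplications") == ["All"])


def _enforced(policy):
    # Only "enabled" counts; report-only and disabled are not operating controls.
    return policy["state"] == "enabled"


def _grants(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def evaluate_baseline(export_json):
    """Return {control: 'pass' | 'report-only' | 'missing'} for the baseline checks."""
    policies = json.loads(export_json)
    checks = {
        "CC6.1 Require MFA - all users, all apps":
            lambda p: _all_users_all_apps(p) and "mfa" in _grants(p),
        "CC6.1 Block legacy authentication":
            lambda p: (LEGACY_CLIENT_APPS <= set(p["conditions"].get("clientAppTypes", []))
                       and "block" in _grants(p)
                       and p["conditions"]["users"].get("includeUsers") == ["All"]),
        "CC6.1/CC6.8 Require compliant device - all apps":
            lambda p: _all_users_all_apps(p) and "compliantDevice" in _grants(p),
    }
    results = {}
    for control, matches in checks.items():
        matching = [p for p in policies if matches(p)]
        if any(_enforced(p) for p in matching):
            results[control] = "pass"
        elif matching:
            results[control] = "report-only"   # designed but not operating
        else:
            results[control] = "missing"
    return results


if __name__ == "__main__":
    for control, status in evaluate_baseline(SAMPLE_EXPORT).items():
        print(f"{status:12} {control}")
```

Against the constructed export the script reports MFA as passing, the legacy authentication block as report-only, and the compliant-device control as missing (CA003 only covers one application). The point of the report-only distinction is the same one the page makes for DLP: a policy that is configured but not enforcing earns no credit with auditors.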
DLP policies in Microsoft Purview support the Confidentiality and Privacy Trust Service Criteria by detecting and preventing unauthorized sharing of sensitive data. Auditors check for the following policies:

- Financial data protection: Detect credit card numbers (PCI DSS patterns), bank account numbers, routing numbers, and financial statements. Block external sharing via email, Teams chat, and SharePoint. Alert the compliance team for each match. Required for organizations handling payment or financial data.
- PII protection: Detect Social Security numbers, passport numbers, driver's license numbers, and date of birth patterns in email, Teams, SharePoint, and OneDrive. Block external sharing, encrypt emails containing PII, and generate incident reports for the privacy team.
- Sensitivity label enforcement: Enforce DLP rules based on Microsoft Purview sensitivity labels. Documents labeled "Confidential" or "Highly Confidential" are blocked from external sharing, prevented from being downloaded on unmanaged devices, and restricted from printing via Endpoint DLP.
- Endpoint DLP: Extend DLP to Windows and macOS devices. Block copy-to-USB of sensitive files, prevent upload to personal cloud storage (Dropbox, personal OneDrive, Google Drive), and restrict printing of classified documents. Required for organizations where data leaves the Microsoft 365 cloud boundary.
- Override with business justification: Allow authorized users to override DLP blocks with a business justification. Every override is logged with the user, justification text, timestamp, and data type detected. Auditors review override logs to verify that exceptions are justified rather than routine circumvention.
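The override log is only useful evidence if someone actually reviews it the way an auditor would. The script below is an added example (not EPC Group's or Microsoft's code) that applies two simple tests to override records: justifications too short to be meaningful, and users whose override volume in any 30-day window suggests routine circumvention. The record fields (user, time, info type, justification) are assumed to mirror what a DLP activity export provides, the thresholds are illustrative, and all six records are constructed.

```python
"""Review DLP override records for weak justifications and routine circumvention.
Added example, not EPC Group code. Record fields are assumed to mirror a Purview
DLP activity export; thresholds are illustrative; the records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_JUSTIFICATION_WORDS = 4      # shorter than this reads as boilerplate
MAX_OVERRIDES_PER_WINDOW = 3     # more than this per user in 30 days is suspicious
WINDOW = timedelta(days=30)

# Constructed sample override records (not real tenant data).
OVERRIDES = [
    {"user": "alice@contoso.example", "time": "2025-03-03T10:12:00",
     "info_type": "Credit Card Number",
     "justification": "Customer requested a copy of their invoice, ticket INC-4411"},
    {"user": "bob@contoso.example", "time": "2025-03-01T09:00:00",
     "info_type": "U.S. Social Security Number (SSN)", "justification": "ok"},
    {"user": "bob@contoso.example", "time": "2025-03-08T09:00:00",
     "info_type": "U.S. Social Security Number (SSN)", "justification": "ok"},
    {"user": "bob@contoso.example", "time": "2025-03-15T09:00:00",
     "info_type": "U.S. Social Security Number (SSN)", "justification": "needed"},
    {"user": "bob@contoso.example", "time": "2025-03-22T09:00:00",
     "info_type": "U.S. Social Security Number (SSN)", "justification": "sending report"},
    {"user": "carol@contoso.example", "time": "2025-04-02T16:45:00",
     "info_type": "Credit Card Number", "justification": "."},
]


def review_overrides(records):
    """Return weak-justification overrides and users showing routine circumvention."""
    weak = []
    by_user = defaultdict(list)
    for r in records:
        if len(r["justification"].split()) < MIN_JUSTIFICATION_WORDS:
            weak.append((r["user"], r["time"]))
        by_user[r["user"]].append(datetime.fromisoformat(r["time"]))

    routine = []
    for user, times in by_user.items():
        times.sort()
        # Slide a 30-day window over each user's overrides; flag once per user.
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start < WINDOW]
            if len(in_window) > MAX_OVERRIDES_PER_WINDOW:
                routine.append(user)
                break
    return {"weak_justification": weak, "routine_circumvention": routine}


if __name__ == "__main__":
    findings = review_overrides(OVERRIDES)
    for user, when in findings["weak_justification"]:
        print(f"weak justification: {user} at {when}")
    for user in findings["routine_circumvention"]:
        print(f"routine circumvention: {user}")
```

On the constructed data the one well-justified override passes, the five one- or two-word justifications are flagged, and the user with four overrides in three weeks is flagged for follow-up. Reviewing this output monthly, and recording the outcome, is what turns the override log from raw data into the evidence the page describes.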
Audit logs are essential for SOC 2 evidence. They need to be complete and tamper-proof throughout the entire audit period; without them, auditors cannot confirm that controls operated effectively.
Microsoft 365 provides extensive audit logging, but the default retention does not meet SOC 2 Type II requirements: E3 Standard Audit retains logs for 90 days, while E5 Advanced Audit retains them for 1 year.
Retention Policy Best Practice: Configure audit log retention policies in Purview to retain high-value events for 10 years: admin activities, DLP policy matches, sensitivity label changes, and conditional access policy modifications. These events are frequently requested during SOC 2 audits, SEC investigations, and eDiscovery. The 10-year retention policy is included with E5 at no additional storage cost.
SOC 2 Common Criteria CC7.2 through CC7.5 require organizations to detect, investigate, respond to, and communicate security incidents. Auditors expect documented evidence of the entire incident lifecycle, from detection to resolution, for every security event during the audit period.

- Detection (Microsoft Defender XDR): Unified detection across email (Defender for Office 365), endpoint (Defender for Endpoint), identity (Entra ID Protection), and cloud apps (Defender for Cloud Apps). Automated correlation links related alerts into a single incident with severity scoring.
- Investigation (Microsoft Sentinel): SIEM platform that ingests logs from Microsoft 365, Azure, and third-party sources. Automated investigation playbooks query affected user activity, device state, and data access. Threat hunting workbooks support proactive analysis during the audit period.
- Response (automated playbooks): Pre-configured response actions: disable a compromised user account, quarantine an infected device, block a sender domain, revoke active sessions. Playbooks execute in seconds and document every action taken for auditor review.
- Documentation (incident tickets): Every incident generates a ticket with the detection timestamp, alert source, severity, affected users and devices, investigation actions, containment steps, root cause, and resolution. Monthly incident summary reports provide auditors with evidence of CC7.2-CC7.5 compliance.
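The monthly summary report only counts as CC7.2-CC7.5 evidence if every ticket in it carries the full lifecycle record. The following script is an added example (not EPC Group's or Microsoft's code) that builds that summary from a list of tickets: it separates fully documented tickets from incomplete ones and computes detection-to-resolution times for the documented set. The ticket field names mirror the list above, and the three tickets are constructed.

```python
"""Build a monthly incident summary from incident tickets: which tickets carry the
full lifecycle record, and the detection-to-resolution times for those that do.
Added example, not EPC Group code; ticket fields mirror the page's list and the
tickets are constructed."""
from datetime import datetime

# Every ticket must carry the full lifecycle before it can serve as evidence.
REQUIRED_FIELDS = ("detected_at", "alert_source", "severity", "affected",
                   "investigation", "containment", "root_cause", "resolved_at")

# Constructed sample tickets (not real incidents).
TICKETS = [
    {"id": "INC-0001", "detected_at": "2025-05-02T08:15:00Z",
     "alert_source": "Defender for Office 365", "severity": "Medium",
     "affected": ["user1@contoso.example"],
     "investigation": "Phishing URL clicked; no credential entry seen in sign-in logs",
     "containment": "Message purged from mailboxes, URL blocked",
     "root_cause": "Credential-phishing campaign",
     "resolved_at": "2025-05-02T11:45:00Z"},
    {"id": "INC-0002", "detected_at": "2025-05-10T22:00:00Z",
     "alert_source": "Defender for Endpoint", "severity": "High",
     "affected": ["LAPTOP-17"],
     "investigation": "Malicious macro executed; no lateral movement observed",
     "containment": "Device isolated, user sessions revoked",
     "root_cause": "Macro-enabled attachment",
     "resolved_at": "2025-05-12T10:00:00Z"},
    {"id": "INC-0003", "detected_at": "2025-05-20T13:00:00Z",
     "alert_source": "Entra ID Protection", "severity": "High",
     "affected": ["user2@contoso.example"],
     "investigation": "Atypical travel alert; awaiting user confirmation",
     "containment": "", "root_cause": "", "resolved_at": None},   # still open
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def monthly_incident_summary(tickets, year, month):
    """Return the documented/incomplete split and resolution-time stats for one month."""
    documented, incomplete, hours = [], [], []
    for t in tickets:
        detected = _ts(t["detected_at"])
        if (detected.year, detected.month) != (year, month):
            continue
        missing = [f for f in REQUIRED_FIELDS if not t.get(f)]
        if missing:
            incomplete.append((t["id"], missing))   # cannot yet serve as evidence
            continue
        documented.append(t["id"])
        hours.append((_ts(t["resolved_at"]) - detected).total_seconds() / 3600)
    return {
        "total": len(documented) + len(incomplete),
        "documented": documented,
        "incomplete": incomplete,
        "mean_hours_to_resolve": round(sum(hours) / len(hours), 1) if hours else None,
        "max_hours_to_resolve": round(max(hours), 1) if hours else None,
    }


if __name__ == "__main__":
    summary = monthly_incident_summary(TICKETS, 2025, 5)
    print(f"{summary['total']} incidents, {len(summary['documented'])} fully documented")
    for ticket_id, missing in summary["incomplete"]:
        print(f"{ticket_id} is missing: {', '.join(missing)}")
    print(f"mean/max hours to resolve: {summary['mean_hours_to_resolve']} / "
          f"{summary['max_hours_to_resolve']}")
```

For May 2025 the constructed data yields two fully documented tickets (mean 19.8 hours to resolve, maximum 36.0) and one open ticket missing containment, root cause, and resolution. Listing the incomplete tickets by name is the useful part: it tells the security team exactly which records to finish before the report goes to the auditor.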
Evidence collection determines whether the audit proceeds smoothly or turns into a lengthy cycle of repeated auditor requests. Microsoft 365 provides several evidence sources; understand what auditors will ask for and have that information ready in advance.

- Microsoft Purview Compliance Manager: Pre-built SOC 2 assessment templates map Microsoft 365 controls to Trust Service Criteria. Export the assessment showing control status, evidence links, and improvement actions. This is your primary evidence dashboard.
- Conditional Access policy export: Export all CA policies as JSON from the Entra admin center. Include sign-in logs showing CA enforcement across the audit period, filtered for MFA challenge events, blocked sign-ins, and compliant device requirements.
- Audit log search: Run targeted searches for specific event types: admin role changes, mailbox access, file sharing, DLP matches, and sensitivity label changes. Export as CSV for auditor review with timestamps, users, and actions.
- DLP activity reports: Export DLP policy matches, user overrides with justification text, false positive dismissals, and escalated incidents. Auditors use this to verify that Confidentiality controls are actively preventing data loss.
- Access reviews: Export completed access reviews from Entra ID Governance showing quarterly review of user accounts, group memberships, and admin roles. Include reviewer decisions (approve/deny) and remediation actions for denied access.
- Incident tickets: Export incident tickets from Sentinel or Defender XDR showing detection, investigation, and resolution for every security event. Monthly summary reports demonstrate continuous monitoring (CC7.2-CC7.5).
These are the five findings EPC Group encounters most often in pre-audit readiness assessments. Address them before the audit period begins.
Finding 1: Legacy authentication not blocked
Impact: POP3, IMAP, and SMTP Auth connections bypass MFA entirely. Auditors test for this by attempting authentication with legacy protocols. If it succeeds, it is a control failure for CC6.1.
Remediation: Create a Conditional Access policy blocking legacy authentication for all users. Verify with sign-in logs that no legacy auth connections succeed after enforcement. Provide auditors with the CA policy export and sign-in log evidence.
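The remediation step "verify with sign-in logs that no legacy auth connections succeed after enforcement" can be checked directly against the sign-in log export. The script below is an added example (not EPC Group's or Microsoft's code): given the enforcement date, it lists every successful legacy-protocol sign-in after that date and counts the failed legacy attempts, which are the evidence that the block is operating. It assumes the export carries the columns "Date (UTC)", "User", "Client app" and "Status" and that only "Browser" and "Mobile Apps and Desktop clients" are modern client app types; the five rows are constructed.

```python
"""Verify from an Entra ID sign-in log export that no legacy-protocol sign-in
succeeded after the block-legacy-auth policy was enforced. Added example, not
EPC Group code. Column names and client app values follow the portal's CSV
export as assumed here; the rows are constructed."""
import csv
import io
from datetime import datetime, timezone

# Everything outside these two client app types is a legacy protocol.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Date the block-legacy-authentication policy moved to enforced (constructed).
ENFORCED_FROM = datetime(2025, 3, 1, tzinfo=timezone.utc)

# Constructed sample export (not real sign-in data).
SAMPLE_SIGNIN_CSV = """Date (UTC),User,Client app,Status
2025-01-10T08:01:12Z,alice@contoso.example,IMAP4,Success
2025-02-15T09:20:44Z,bob@contoso.example,Browser,Success
2025-03-02T11:05:03Z,carol@contoso.example,Authenticated SMTP,Failure
2025-03-04T14:30:00Z,dave@contoso.example,Exchange ActiveSync,Success
2025-04-01T07:59:59Z,erin@contoso.example,POP3,Failure
"""


def is_legacy(client_app):
    return client_app.strip() not in MODERN_CLIENT_APPS


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def legacy_auth_report(csv_text, enforced_from):
    """Summarise legacy-protocol sign-ins on or after the enforcement date."""
    succeeded, blocked = [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = _parse_ts(row["Date (UTC)"])
        if when < enforced_from or not is_legacy(row["Client app"]):
            continue
        if row["Status"] == "Success":
            # A successful legacy sign-in after enforcement is a CC6.1 control failure.
            succeeded.append((row["User"], row["Client app"], row["Date (UTC)"]))
        else:
            blocked += 1
    return {
        "legacy_success_after_enforcement": succeeded,
        "legacy_blocked_after_enforcement": blocked,
        "control_effective": not succeeded,
    }


def sample_report():
    return legacy_auth_report(SAMPLE_SIGNIN_CSV, ENFORCED_FROM)


if __name__ == "__main__":
    report = sample_report()
    print("control effective:", report["control_effective"])
    for user, app, when in report["legacy_success_after_enforcement"]:
        print(f"FAIL {when} {user} via {app}")
    print("legacy attempts blocked:", report["legacy_blocked_after_enforcement"])
```

On the constructed rows the January IMAP4 success is ignored because it predates enforcement, the two later failures count as blocked attempts, and the Exchange ActiveSync success in March is reported as a control failure that an auditor running the same query would find. Counting every non-success row as "blocked" is deliberately coarse; a stricter version would also check the sign-in error code or the Conditional Access result column, since a legacy attempt can fail for reasons other than the policy.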
Finding 2: Audit log retention insufficient
Impact: Standard audit logs (E3) retain only 90 days. SOC 2 Type II covers 12 months. Auditors cannot verify control effectiveness for the full audit period if logs have been purged.
Remediation: Upgrade to E5 Advanced Audit (1-year retention) or configure log export to Azure Log Analytics or a SIEM with 1-year retention. EPC Group recommends E5 as the simplest and most auditor-friendly solution.
Finding 3: DLP policies not enforced
Impact: DLP policies running in simulation/test mode do not actually block data exfiltration. Auditors view test-mode policies as "designed but not operating" and cannot credit them as effective controls.
Remediation: Move DLP policies from simulation to enforcement mode. Run simulation for 2-4 weeks to tune false positives, then enforce before the audit period begins. Document the simulation-to-enforcement timeline for auditors.
Finding 4: Stale user accounts
Impact: Accounts for former employees, expired contractors, or unused service accounts that remain enabled represent unauthorized access paths. Auditors query Entra ID for accounts with no sign-in in 90+ days.
Remediation: Implement automated access reviews in Entra ID Governance that review all user accounts quarterly and disable accounts with no sign-in activity in 90 days. Provide auditors with access review completion reports.
Finding 5: Missing incident response documentation
Impact: Security incidents occurred during the audit period (phishing, blocked attacks, suspicious sign-ins) but response actions were not documented. Auditors need evidence of detection, investigation, containment, and resolution.
Remediation: Configure Microsoft Sentinel or Defender XDR to create incidents for all security events. Document response actions in the incident ticket. Generate a monthly incident summary report showing the detection-to-resolution timeline.
SOC 2 is not a one-time certification. It requires ongoing effectiveness of controls: configurations change, new users might fall outside policy scope, and new threats emerge. Continuous monitoring is essential to keep controls effective between annual audits.

- Microsoft Purview Compliance Manager: Provides a real-time compliance score (0-100%) that updates as configurations change. Set alerts for score drops below your target threshold and review weekly to catch drift early.
- Microsoft Secure Score: Tracks security posture across Microsoft 365 with actionable recommendations, each mapped to SOC 2 controls. Target 80%+ Secure Score for SOC 2 readiness.
- Entra ID Governance access reviews: Run quarterly, automatically flagging accounts with no sign-in activity, excessive permissions, or expired guest access. Reviewers approve or deny access directly in the portal.
- Custom Power BI dashboards: EPC Group builds dashboards that pull data from Microsoft Graph, Purview APIs, and Sentinel to display real-time SOC 2 control metrics: MFA adoption, DLP enforcement, audit log completeness, and incident response times.
Achieving SOC 2 compliance on Microsoft 365 requires mapping the AICPA Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) to specific Microsoft 365 controls and configurations. Key steps include:

1. Implement Conditional Access policies enforcing MFA, compliant devices, and location-based access.
2. Configure Data Loss Prevention (DLP) policies to prevent unauthorized data sharing.
3. Enable Unified Audit Logging and retain logs for the audit period (minimum 12 months).
4. Deploy Microsoft Purview Information Protection for data classification and labeling.
5. Configure retention policies for email, SharePoint, and Teams.
6. Implement incident response procedures using Microsoft Sentinel or Defender XDR.
7. Generate evidence packages from Microsoft Purview Compliance Manager for auditor review.

Microsoft 365 E5 provides the most comprehensive SOC 2 control coverage, including advanced audit, insider risk management, and eDiscovery. EPC Group has guided SaaS companies, financial services firms, and healthcare organizations through SOC 2 Type II audits using Microsoft 365 as the primary control platform.
SOC 2 is based on five Trust Service Criteria (TSC) defined by the AICPA:

1. Security (Common Criteria): required for all SOC 2 reports. Controls that protect against unauthorized access, both physical and logical. In Microsoft 365: Conditional Access, MFA, Entra ID Protection, Microsoft Defender for Office 365.
2. Availability: controls ensuring systems are operational and accessible as committed. In M365: Service Health monitoring, geo-redundant architecture, SLA agreements, disaster recovery configuration.
3. Processing Integrity: controls ensuring data processing is complete, accurate, timely, and authorized. In M365: Power Automate audit trails, data validation rules, eDiscovery for processing verification.
4. Confidentiality: controls protecting information designated as confidential. In M365: DLP policies, sensitivity labels, encryption (Microsoft Purview Information Protection), Conditional Access restricting downloads.
5. Privacy: controls over collection, use, retention, disclosure, and disposal of personal information. In M365: retention policies, data subject request workflows, privacy impact assessments.

Most SOC 2 audits include Security (mandatory) plus one or two additional criteria relevant to the business.
While SOC 2 compliance can technically be achieved on any Microsoft 365 tier, E5 provides the most comprehensive control coverage.

- Microsoft 365 E3 ($36/user/month) provides: Conditional Access, basic DLP, standard audit logging (90-day retention), basic retention policies, and Microsoft Defender for Office 365 Plan 1.
- Microsoft 365 E5 ($57/user/month) adds: Advanced Audit (1-year log retention, crucial audit events), Insider Risk Management, Communication Compliance, Records Management, eDiscovery Premium, Microsoft Defender for Cloud Apps, and Microsoft Purview Compliance Manager (SOC 2 assessment templates).

Key gap in E3: standard audit logs are retained for only 90 days, while SOC 2 auditors typically require 12 months of logs. E5 Advanced Audit extends retention to 1 year and adds crucial audit events (MailItemsAccessed, Send, SearchQueryInitiated) that auditors specifically request. EPC Group recommends E5 for any organization pursuing SOC 2 Type II. The $21/user/month premium over E3 is a fraction of the cost of compensating controls or third-party audit logging solutions.
Conditional Access policies in Entra ID are the primary enforcement mechanism for SOC 2 logical access controls (CC6.1, CC6.2, CC6.3). Key policies for SOC 2 include:

1. Require MFA for all users, all cloud apps, all locations: this satisfies the "multi-factor authentication" control that auditors look for first.
2. Block legacy authentication protocols: legacy protocols (POP3, IMAP, SMTP Auth) bypass MFA and represent an uncontrolled access path.
3. Require compliant or Hybrid Azure AD Joined devices: ensures only managed, patched devices access corporate data.
4. Block access from untrusted locations: restrict access to corporate IP ranges and trusted countries.
5. Require app protection policies on mobile devices: enforce data separation between corporate and personal data on BYOD devices.
6. Session controls: limit session duration, require re-authentication for sensitive apps, and prevent download/print of confidential files.

EPC Group deploys a baseline of 12-15 Conditional Access policies that map directly to SOC 2 Common Criteria for logical access, and documents each policy's mapping to specific CC controls for auditor evidence packages.
Data Loss Prevention (DLP) policies in Microsoft Purview address SOC 2 Confidentiality and Privacy criteria by preventing unauthorized data sharing. Essential DLP policies for SOC 2 include:

1. Financial data protection: detect and block sharing of credit card numbers, bank account numbers, and financial statements outside the organization via email, Teams, and SharePoint.
2. PII protection: detect Social Security numbers, passport numbers, and driver's license numbers in email attachments and cloud storage; block external sharing and notify the compliance team.
3. Confidential document protection: use sensitivity labels to classify documents as "Confidential" and enforce DLP rules that prevent external sharing, printing, or downloading of labeled content.
4. Endpoint DLP: extend DLP to Windows and macOS devices, blocking copy-to-USB, upload to personal cloud storage, and printing of sensitive documents.
5. Custom policies: detect industry-specific data types (healthcare: PHI patterns; financial: SWIFT codes, CUSIP numbers).

EPC Group configures DLP policies in simulation mode first (2-4 weeks) to measure false positive rates before enforcement, preventing business disruption while ensuring auditors see active, enforced policies during the audit period.
SOC 2 does not specify a minimum log retention period, but auditors typically require logs covering the entire audit period, which is 12 months for a Type II report. Microsoft 365 log retention:

- Standard Audit (E3): 90 days for non-admin activities, 180 days for admin activities. This is insufficient for SOC 2 Type II.
- Advanced Audit (E5): 1 year for all audit log types, with the option to configure 10-year retention using Audit Log Retention Policies in Purview. Advanced Audit also captures crucial events that auditors specifically request: MailItemsAccessed (who read which emails and when), Send (email sending with message details), and SearchQueryInitiated (what users searched for in Exchange and SharePoint).

For organizations on E3, compensating controls include exporting audit logs to Azure Log Analytics (custom retention), forwarding logs to a SIEM (Splunk, Sentinel), or using third-party log aggregation. EPC Group recommends E5 Advanced Audit as the simplest path: it eliminates the need for external log management and provides the audit events that SOC 2 auditors expect to see.
Evidence collection is the most time-consuming part of a SOC 2 audit. Microsoft 365 provides multiple evidence sources:

1. Microsoft Purview Compliance Manager: pre-built SOC 2 assessment templates that map Microsoft 365 controls to Trust Service Criteria. Export the assessment as a report showing control status, evidence, and improvement actions.
2. Conditional Access policy export: export all CA policies as JSON from Entra ID for auditor review.
3. Audit log search: run targeted searches in Microsoft Purview for specific events (user sign-ins, file access, admin changes) and export results as CSV.
4. DLP policy activity reports: export DLP matches, overrides, and false positives from the Purview compliance portal.
5. Defender reports: export threat detection, blocked emails, and incident response actions.
6. Entra ID sign-in logs: export sign-in logs showing MFA enforcement, location, device compliance, and CA policy application.
7. Retention policy documentation: export retention labels and policies showing data lifecycle management.

EPC Group creates a SOC 2 evidence binder: a structured document package mapping each Trust Service Criterion to the specific Microsoft 365 control, configuration screenshot, and log evidence that proves the control was operating effectively during the audit period.
The five most common SOC 2 findings EPC Group sees in Microsoft 365 environments:

1. Legacy authentication not blocked: auditors test for POP3, IMAP, and SMTP Auth access. If these protocols are not blocked by Conditional Access, it is a finding because they bypass MFA.
2. Audit log retention insufficient: organizations on E3 with 90-day retention cannot demonstrate control effectiveness over the 12-month Type II period. Auditors will flag this as a control gap.
3. No DLP policies enforced: having DLP policies in "test mode" or "simulation only" for the entire audit period means the control is not operating effectively. Auditors need to see enforced policies with documented exceptions.
4. Stale user accounts with active licenses: former employees, contractors, or service accounts that were never disabled represent unauthorized access paths. Auditors check Entra ID for accounts with no sign-in activity in 90+ days.
5. Missing incident response documentation: organizations have incidents during the audit period (phishing emails, blocked attacks) but do not document the response. Auditors need evidence that incidents were detected, investigated, and resolved per the incident response plan.

EPC Group conducts a pre-audit readiness assessment 60-90 days before the audit period to identify and remediate these common findings before auditors arrive.
Continuous compliance monitoring ensures SOC 2 controls remain effective between annual audits, not just during the audit period. Microsoft 365 tools for continuous monitoring include:

- Microsoft Purview Compliance Manager: provides a compliance score (0-100%) that updates in real time as configurations change, with alerts when the score drops.
- Microsoft Secure Score: tracks security posture and recommends improvements mapped to SOC 2 controls.
- Microsoft Sentinel: SIEM platform that correlates security events across Microsoft 365 and generates alerts for control violations (failed MFA, impossible travel, mass file downloads).
- Microsoft Defender XDR: unified incident management across email, endpoint, identity, and cloud apps with automated investigation.
- Scheduled compliance reports: automated weekly/monthly exports of key metrics: MFA adoption rate, DLP policy matches, Conditional Access failures, stale accounts, and audit log completeness.

EPC Group deploys a SOC 2 compliance dashboard in Power BI that pulls data from Microsoft Graph, Purview APIs, and Sentinel to provide real-time visibility into control effectiveness, giving leadership and auditors confidence that controls operate continuously, not just during audit sampling.
Begin with a SOC 2 Readiness Assessment. EPC Group reviews your Microsoft 365 setup based on all Trust Service Criteria. We identify control gaps and address any issues.
Furthermore, we develop your evidence collection workflow. This ensures that auditors encounter no surprises during their review.
Our fixed-fee engagement starts at $25,000.
| Criteria | What It Evaluates | Key Microsoft 365 Controls |
|---|---|---|
| Security (CC) | Protection against unauthorized access | Conditional Access, Entra ID Protection, Defender for Office 365, Defender for Endpoint, Privileged Identity Management |
| Availability | Systems operational as committed | M365 SLA (99.9% uptime), Service Health monitoring, geo-redundant storage, OneDrive version history, M365 Backup |
| Processing Integrity | Complete, accurate, timely data processing | Power Automate audit trails, Exchange transport rules with logging, eDiscovery for verification |
| Confidentiality | Protecting designated confidential information | Purview DLP, sensitivity labels with encryption, Azure Rights Management, Conditional Access session controls |
| Privacy | Collection, use, retention, and disposal of personal data | Microsoft Priva, retention policies, data subject request workflows, Communication Compliance, Records Management |
Audit logs are the foundation of SOC 2 evidence. Without complete logs covering the full audit period, auditors cannot verify control effectiveness.
| Log Type | E3 (Standard Audit) | E5 (Advanced Audit) |
|---|---|---|
| Default retention | 90 days | 1 year |
| Max configurable retention | Not available (without export) | 10 years via Purview retention policies |
| MailItemsAccessed event | No | Yes |
| Send event (email sending details) | No | Yes |
| SearchQueryInitiated event | No | Yes |
| SOC 2 Type II adequacy | Insufficient (90 days only) | Adequate (1 year default) |