EPC Group - Enterprise Microsoft AI, SharePoint, Power BI, and Azure Consulting
© 2026 EPC Group. All rights reserved.

SOC 2 Compliance on Microsoft 365 - EPC Group enterprise consulting

SOC 2 Compliance on Microsoft 365

Enterprise guide to achieving SOC 2 Type II compliance. Trust Service Criteria mapping, Conditional Access, DLP, audit logging, evidence collection, and continuous compliance monitoring.

What Is SOC 2 and Why Does It Matter?

SOC 2 (System and Organization Controls 2, formerly Service Organization Control 2) is an attestation framework developed by the AICPA that evaluates an organization's controls related to security, availability, processing integrity, confidentiality, and privacy. On Microsoft 365, achieving SOC 2 compliance requires configuring Conditional Access policies for logical access control, DLP policies for data protection, unified audit logging retained for the whole review period (12 months in this guide) for auditor evidence, Microsoft Purview for data classification and retention, and incident response procedures using Microsoft Defender or Sentinel. SOC 2 Type I evaluates control design at a point in time; Type II evaluates operating effectiveness over a review period (commonly 6 to 12 months). Most enterprise customers require Type II from their vendors.

SOC 2 compliance has become a baseline requirement for any organization that handles customer data. SaaS companies, managed service providers, cloud platforms, and financial services firms all face SOC 2 audit requirements from their enterprise customers. The question is no longer whether you need SOC 2, but how efficiently you can achieve and maintain it.

Microsoft 365 is already the backbone of most organizations' productivity and collaboration infrastructure. The good news is that Microsoft 365, particularly at the E5 tier, provides native controls that map directly to the SOC 2 Trust Services Criteria. Conditional Access enforces logical access controls. DLP prevents unauthorized data sharing. Unified audit logging creates the evidence trail auditors need. Purview Compliance Manager provides pre-built SOC 2 assessment templates. Keep the shared-responsibility line clear: Microsoft's own SOC 2 reports for the Microsoft 365 service, published on the Service Trust Portal, cover the platform Microsoft operates and can be cited for that part; your audit covers how you configure and run your tenant. The challenge is not a lack of tools; it is knowing which controls to configure, how to configure them to satisfy auditors, and how to collect evidence efficiently.

EPC Group has guided organizations through SOC 2 Type II audits using Microsoft 365 as the primary control platform. Our Microsoft 365 consulting practice configures all SOC 2-relevant controls, builds evidence collection workflows, and conducts pre-audit readiness assessments to identify gaps before auditors arrive. We also work with organizations preparing for their regulated industry compliance requirements across healthcare, financial services, and government.

Type I vs. Type II: SOC 2 Type I evaluates whether controls are properly designed at a specific point in time; it is a snapshot. SOC 2 Type II evaluates whether those controls operated effectively over a review period (commonly 6 to 12 months; this guide assumes 12). Enterprise customers almost always require Type II because it proves sustained compliance, not just good intentions. EPC Group recommends starting with Type I to validate control design, then progressing to Type II after 12 months of operation.

Trust Service Criteria: Microsoft 365 Controls Mapping

Each of the Trust Services Criteria maps to specific Microsoft 365 features and configurations. Security (the Common Criteria) is mandatory; the remaining four are included based on your business and the commitments you make to customers.

Security (Common Criteria)

REQUIRED

Controls protecting against unauthorized access. Required for every SOC 2 report.

Microsoft 365 Controls:

  • Conditional Access policies (MFA, device compliance, location)
  • Entra ID Protection (risk-based sign-in, user risk policies)
  • Microsoft Defender for Office 365 (anti-phishing, safe links, safe attachments)
  • Microsoft Defender for Endpoint (endpoint detection and response)
  • Microsoft Defender for Cloud Apps (shadow IT discovery, app governance)
  • Entra ID Privileged Identity Management (just-in-time admin access)

Availability

Controls ensuring systems are operational and accessible as committed or agreed.

Microsoft 365 Controls:

  • Microsoft 365 SLA (financially backed 99.9% uptime commitment; the service credit terms are the evidence, not a guarantee of zero downtime)
  • Service Health Dashboard monitoring and alerting
  • Geo-redundant data storage across Microsoft data centers
  • Exchange Online Protection (anti-spam, anti-malware for email availability)
  • OneDrive/SharePoint version history for data recovery
  • Backup policies using Microsoft 365 Backup (or third-party: Veeam, AvePoint)

Processing Integrity

Controls ensuring data processing is complete, valid, accurate, timely, and authorized.

Microsoft 365 Controls:

  • Power Automate audit trails for automated workflows
  • Exchange transport rules with logging for email processing
  • SharePoint list validation rules for data entry accuracy
  • eDiscovery for processing verification and data integrity checks
  • Microsoft Purview Data Lifecycle Management for processing compliance
  • Audit logs capturing all data modification events

Confidentiality

Controls protecting information designated as confidential from unauthorized disclosure.

Microsoft 365 Controls:

  • Microsoft Purview DLP policies (email, Teams, SharePoint, endpoint)
  • Sensitivity labels with encryption and access restrictions
  • Microsoft Purview Information Barriers (prevent communication between groups)
  • Azure Rights Management (document-level encryption)
  • Conditional Access session controls (block download, restrict copy/paste)
  • Microsoft Defender for Cloud Apps (block upload to unsanctioned apps)

Privacy

Controls over collection, use, retention, disclosure, and disposal of personal information.

Microsoft 365 Controls:

  • Microsoft Priva Privacy Risk Management (privacy risk detection)
  • Microsoft Priva Subject Rights Requests (DSAR automation)
  • Retention policies and labels for data lifecycle management
  • Data minimization through auto-deletion policies
  • Communication Compliance for monitoring personal data handling
  • Records Management for legal hold and disposition

Conditional Access Policies for SOC 2

Conditional Access is the primary enforcement mechanism for SOC 2 logical access controls. These policies map directly to Common Criteria (CC) requirements that auditors evaluate.

Policy (SOC 2 control; priority): description

  • Require MFA, all users, all apps (CC6.1; Critical): Enforces multi-factor authentication for every sign-in. The single most important SOC 2 control.
  • Block legacy authentication (CC6.1; Critical): Blocks POP3, IMAP, SMTP AUTH, and Exchange ActiveSync Basic Authentication, all of which bypass MFA.
  • Require compliant device (CC6.1, CC6.8; High): Allows access only from Intune-managed devices that meet the compliance policy (current patches, disk encryption).
  • Block untrusted locations (CC6.1, CC6.6; High): Restricts access to corporate IP ranges and trusted countries. A supplementary control that narrows exposure; it does not replace MFA.
  • Require app protection on mobile (CC6.7; High): Enforces MAM policies on BYOD devices: data separation, app-data encryption, no copy-paste to personal apps.
  • Session timeout for sensitive apps (CC6.1; Medium): Limits sign-in frequency to 1 hour for sensitive apps (SharePoint admin, Azure portal, Purview).
  • Block high-risk sign-ins (CC6.1; Critical): Uses Entra ID Protection to block sign-ins with high sign-in risk (leaked credentials, atypical travel).
  • Require password change on high user risk (CC6.1; High): Forces a secure password reset when Entra ID Protection raises a user's risk level to high.

Auditor Tip: Export the complete Conditional Access policy set as JSON through Microsoft Graph (GET /identity/conditionalAccess/policies) rather than relying on portal screenshots, and include it in your evidence binder. Auditors read the export to verify MFA enforcement, legacy auth blocking, and device compliance requirements, and two details draw questions every time: a policy still in report-only mode (state enabledForReportingButNotEnforced) counts as designed but not operating, and every user or group excluded from the MFA policy, emergency-access accounts included, needs a written justification. Also provide Entra ID sign-in logs showing CA policy application across the audit period; this proves the policies were not just configured but actively enforcing access controls.
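The checks above can be run mechanically against the JSON export before the auditor does. The script below is an added example for this guide, not EPC Group's tooling; the sample policies are constructed to match the shape of the Microsoft Graph conditionalAccessPolicy resource (the real export needs the Policy.Read.All permission), and the policy names and the break-glass object ID are invented. It reports whether an enforced policy requires MFA for all users and all apps, whether an enforced policy blocks the legacy client types, which policies are still report-only, and which exclusions the auditor will ask you to justify.

```python
"""Check an exported Conditional Access policy set against the SOC 2 baseline above.
Added example for this guide (not EPC Group tooling); sample data is constructed."""
import json

# Constructed sample (not a real tenant) in the shape returned by
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies,
# trimmed to the properties this check reads.
SAMPLE_POLICIES = [
    {
        "displayName": "CA001 Require MFA for all users and all apps",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["11111111-2222-3333-4444-555555555555"]},  # break-glass (assumed)
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "CA002 Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",   # report-only: designed, not operating
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "CA010 One-hour sign-in frequency for admin portals",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["MicrosoftAdminPortals"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": None,   # session-only policy carries no grant controls
        "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "hours", "value": 1}},
    },
]

# Client app types that the "block legacy authentication" policy must cover.
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def _covers_all_users_and_apps(policy):
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    return "All" in users and "All" in apps


def _grant_controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _requires_mfa(policy):
    # The classic "mfa" built-in control or an authentication strength both count.
    gc = policy.get("grantControls") or {}
    return "mfa" in _grant_controls(policy) or bool(gc.get("authenticationStrength"))


def assess_policies(policies):
    """Return the facts an auditor checks first, plus the exclusions you must justify."""
    enforced = [p for p in policies if p.get("state") == "enabled"]

    mfa_ok = any(_covers_all_users_and_apps(p) and _requires_mfa(p) for p in enforced)

    legacy_blocked = any(
        _covers_all_users_and_apps(p)
        and "block" in _grant_controls(p)
        and LEGACY_CLIENT_TYPES <= set((p.get("conditions") or {}).get("clientAppTypes") or [])
        for p in enforced
    )

    # Report-only policies are tuning aids, not operating controls.
    report_only = sorted(p["displayName"] for p in policies
                         if p.get("state") == "enabledForReportingButNotEnforced")

    exclusions = {}
    for p in enforced:
        excluded = ((p.get("conditions") or {}).get("users") or {}).get("excludeUsers") or []
        if excluded:
            exclusions[p["displayName"]] = list(excluded)

    return {
        "mfa_all_users_enforced": mfa_ok,
        "legacy_auth_blocked": legacy_blocked,
        "report_only_policies": report_only,
        "exclusions_to_justify": exclusions,
    }


def assess_export(export_json):
    """Same check, starting from the raw JSON body of the Graph response."""
    return assess_policies(json.loads(export_json)["value"])


if __name__ == "__main__":
    print(json.dumps(assess_policies(SAMPLE_POLICIES), indent=2))
```

On the constructed sample the MFA check passes, but the legacy-auth block is reported as not enforced because CA002 is still report-only, which is exactly how an auditor would read it. Run it on the real export at the start of the review period and again before each evidence cut.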

Data Loss Prevention (DLP) for SOC 2

DLP policies address the Confidentiality and Privacy Trust Service Criteria by detecting and preventing unauthorized sharing of sensitive data. Auditors look for enforced DLP policies — not test mode — with documented exceptions and override justification workflows.

Financial Data Protection

Detect credit card numbers (PCI DSS patterns), bank account numbers, routing numbers, and financial statements. Block external sharing via email, Teams chat, and SharePoint. Alert the compliance team for each match. Required for organizations handling payment or financial data.

PII Protection

Detect Social Security numbers, passport numbers, driver license numbers, and date of birth patterns in email, Teams, SharePoint, and OneDrive. Block external sharing, encrypt emails containing PII, and generate incident reports for the privacy team.

Sensitivity Label Enforcement

Enforce DLP rules based on Microsoft Purview sensitivity labels. Documents labeled "Confidential" or "Highly Confidential" are blocked from external sharing, prevented from being downloaded on unmanaged devices, and restricted from printing via Endpoint DLP.

Endpoint DLP

Extend DLP to Windows and macOS devices. Block copy-to-USB of sensitive files, prevent upload to personal cloud storage (Dropbox, personal OneDrive, Google Drive), and restrict printing of classified documents. Required for organizations where data leaves the Microsoft 365 cloud boundary.

Policy Override Documentation

Allow authorized users to override DLP blocks with business justification. Every override is logged with the user, justification text, timestamp, and data type detected. Auditors review override logs to verify that exceptions are justified and not routine circumvention.

Audit Logging & Data Retention

Audit logs are the foundation of SOC 2 evidence. Without complete, tamper-resistant logs covering the entire audit period, auditors cannot verify that controls operated effectively. Microsoft 365 provides comprehensive audit logging — but retention defaults are insufficient for SOC 2 Type II.

Audit (Standard) (E3)

180-Day Retention

  • User and admin activity logging
  • File access and sharing events
  • Exchange admin audit log
  • 180-day retention (raised by Microsoft from the original 90 days; still short of a 12-month Type II period)
  • Missing the Audit (Premium) events listed below
  • No audit log retention policies

Audit (Premium) (E5, formerly Advanced Audit)

1-Year Retention (SOC 2 READY)

  • 1-year default retention for activity of Audit (Premium) licensed users (configurable up to 10 years with the separately licensed 10-Year Audit Log Retention add-on)
  • MailItemsAccessed: who read which emails
  • Send: email sending with message details
  • SearchQueryInitiated: user search queries
  • Audit log retention policies for custom periods
  • Intelligent insights for investigation acceleration

Retention Policy Best Practice: Configure audit log retention policies in Purview to keep high-value events longer than the 1-year default: admin activities, DLP policy matches, sensitivity label changes, and Conditional Access policy modifications. These events are frequently requested during SOC 2 audits, SEC investigations, and eDiscovery. One year is included with E5; retention beyond one year, up to 10 years, requires the separate 10-Year Audit Log Retention add-on license for the users concerned, so budget for it rather than assuming it is free.

Incident Response for SOC 2

SOC 2 Common Criteria CC7.2 through CC7.5 require organizations to monitor for anomalies and security events, evaluate whether events are incidents, respond to incidents, and recover from them; notifying affected parties is part of the response criteria. Auditors expect documented evidence of the full incident lifecycle, detection through resolution, for every security incident during the audit period.

Detection: Microsoft Defender XDR

Unified detection across email (Defender for Office 365), endpoint (Defender for Endpoint), identity (Entra ID Protection), and cloud apps (Defender for Cloud Apps). Automated correlation links related alerts into a single incident with severity scoring.

Investigation: Microsoft Sentinel

SIEM platform that ingests logs from Microsoft 365, Azure, and third-party sources. Automated investigation playbooks query affected user activity, device state, and data access. Threat hunting workbooks for proactive analysis during the audit period.

Response: Automated Playbooks

Pre-configured response actions: disable compromised user account, quarantine infected device, block sender domain, revoke active sessions. Playbooks execute in seconds and document every action taken for auditor review.

Documentation: Incident Tickets

Every incident generates a ticket with: detection timestamp, alert source, severity, affected users/devices, investigation actions, containment steps, root cause, and resolution. Monthly incident summary reports provide auditors with evidence of CC7.2-CC7.5 compliance.

Evidence Collection for Auditors

The evidence collection phase determines whether your audit goes smoothly or becomes a months-long ordeal of repeated auditor requests. Microsoft 365 provides multiple evidence sources — the key is knowing what auditors ask for and having it ready before they ask.

Purview Compliance Manager

Pre-built SOC 2 assessment templates map Microsoft 365 controls to Trust Service Criteria. Export the assessment showing control status, evidence links, and improvement actions. This is your primary evidence dashboard.

Conditional Access Export

Export all CA policies as JSON through Microsoft Graph (GET /identity/conditionalAccess/policies). Include sign-in logs showing CA enforcement across the audit period; filter for MFA challenge events, blocked sign-ins, and compliant device requirements.

Audit Log Searches

Run targeted searches for specific event types: admin role changes, mailbox access, file sharing, DLP matches, and sensitivity label changes. Export as CSV for auditor review with timestamps, users, and actions.
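The export that comes out of an audit search is a CSV whose AuditData column holds each record as a JSON string, so sorting it into the categories above means parsing that column, not just filtering the CSV. The script below is an added example for this guide, not EPC Group's tooling. It assumes the column names of the "Download all results" export (CreationDate, UserIds, Operations, AuditData); the records, users and URLs are constructed, and one row is deliberately truncated to show that a record which fails to parse is reported instead of silently dropped, since a gap in the evidence is itself something to explain.

```python
"""Sort a Purview audit search export into SOC 2 evidence categories.
Added example for this guide (not EPC Group tooling); the CSV is constructed."""
import csv
import io
import json
from collections import defaultdict

# Operation names as they appear in the unified audit log, grouped into the
# evidence categories auditors request. Names not listed land in "other".
EVIDENCE_CATEGORIES = {
    "admin role changes": {"Add member to role.", "Remove member from role."},
    "mailbox access": {"MailItemsAccessed"},
    "file sharing": {"SharingSet", "AnonymousLinkCreated", "SharingInvitationCreated"},
    "DLP matches": {"DlpRuleMatch"},
    "sensitivity label changes": {"SensitivityLabelApplied", "SensitivityLabelUpdated",
                                  "SensitivityLabelRemoved"},
}
_OP_TO_CATEGORY = {op: cat for cat, ops in EVIDENCE_CATEGORIES.items() for op in ops}


def _export_csv(records):
    """Simulate the portal export: one row per record, AuditData as a JSON string."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["CreationDate", "UserIds", "Operations", "AuditData"],
                       lineterminator="\n")
    w.writeheader()
    for r in records:
        w.writerow({"CreationDate": r["CreationTime"], "UserIds": r["UserId"],
                    "Operations": r["Operation"], "AuditData": json.dumps(r)})
    return buf.getvalue()


# Constructed records (not from a real tenant).
_RECORDS = [
    {"CreationTime": "2025-03-03T09:15:22", "UserId": "admin@contoso.example",
     "Operation": "Add member to role.", "Workload": "AzureActiveDirectory",
     "ObjectId": "bob@contoso.example",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Exchange Administrator"}]},
    {"CreationTime": "2025-03-04T11:02:10", "UserId": "alice@contoso.example",
     "Operation": "MailItemsAccessed", "Workload": "Exchange", "ObjectId": "ceo@contoso.example"},
    {"CreationTime": "2025-03-05T14:30:00", "UserId": "alice@contoso.example",
     "Operation": "AnonymousLinkCreated", "Workload": "SharePoint",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/Q1.xlsx"},
    {"CreationTime": "2025-03-05T14:31:40", "UserId": "alice@contoso.example",
     "Operation": "DlpRuleMatch", "Workload": "SharePoint",
     "ObjectId": "https://contoso.sharepoint.com/sites/finance/Q1.xlsx"},
    {"CreationTime": "2025-03-06T08:00:00", "UserId": "bob@contoso.example",
     "Operation": "SensitivityLabelApplied", "Workload": "SharePoint",
     "ObjectId": "https://contoso.sharepoint.com/sites/hr/salaries.docx"},
    {"CreationTime": "2025-03-06T08:05:00", "UserId": "bob@contoso.example",
     "Operation": "FileAccessed", "Workload": "SharePoint",
     "ObjectId": "https://contoso.sharepoint.com/sites/hr/salaries.docx"},
]
# One deliberately truncated row: well-formed CSV, but the JSON inside is cut off.
_tail = io.StringIO()
csv.writer(_tail, lineterminator="\n").writerow(
    ["2025-03-07T00:00:00", "bob@contoso.example", "FileDeleted", '{"CreationTime": "2025-03-07'])
SAMPLE_CSV = _export_csv(_RECORDS) + _tail.getvalue()


def bucket_evidence(csv_text):
    """Group export rows by evidence category as (time, user, operation, detail) tuples.
    Rows whose AuditData does not parse are kept under "unparseable" so the gap is visible."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            data = json.loads(row["AuditData"])
        except json.JSONDecodeError:
            buckets["unparseable"].append(
                (row["CreationDate"], row["UserIds"], row["Operations"], row["AuditData"][:40]))
            continue
        op = data.get("Operation", row["Operations"])
        category = _OP_TO_CATEGORY.get(op, "other")
        if category == "admin role changes":
            # Role assignments carry the role name in ModifiedProperties, the target in ObjectId.
            roles = ", ".join(p.get("NewValue", "") for p in data.get("ModifiedProperties", [])
                              if p.get("Name") == "Role.DisplayName")
            detail = f"{roles} -> {data.get('ObjectId')}"
        else:
            detail = data.get("ObjectId", "")
        buckets[category].append((data.get("CreationTime"), data.get("UserId"), op, detail))
    return dict(buckets)


if __name__ == "__main__":
    for category, rows in bucket_evidence(SAMPLE_CSV).items():
        print(f"{category}: {len(rows)} record(s)")
```

Keep the "other" and "unparseable" buckets in the binder index rather than discarding them: auditors sample from the whole export, and an unexplained hole in the timeline is a harder conversation than a labelled one.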

DLP Activity Reports

Export DLP policy matches, user overrides with justification text, false positive dismissals, and escalated incidents. Auditors use this to verify Confidentiality controls are actively preventing data loss.

Access Reviews

Export completed access reviews from Entra ID Governance showing quarterly review of user accounts, group memberships, and admin roles. Include reviewer decisions (approve/deny) and remediation actions for denied access.

Incident Response Reports

Export incident tickets from Sentinel or Defender XDR showing detection, investigation, and resolution for every security event. Monthly summary reports demonstrate continuous monitoring (CC7.2-CC7.5).

Common SOC 2 Audit Findings on Microsoft 365

These are the top findings EPC Group encounters in pre-audit readiness assessments. Address them before the audit period begins.

Legacy Authentication Not Blocked

High

Impact: POP3, IMAP, and SMTP AUTH connections authenticate with a password alone and bypass MFA entirely. Auditors verify this from the CA policy export and the sign-in logs, and some will attempt a legacy-protocol sign-in themselves; if it succeeds, it is a control failure for CC6.1. Microsoft has switched off Basic Authentication for most Exchange Online protocols tenant-wide, but SMTP AUTH was handled on a separate timeline and can be enabled per mailbox, so the tenant default alone is not evidence that the path is closed.

Remediation: Create a Conditional Access policy that blocks the "Exchange ActiveSync clients" and "Other clients" client app types for all users. Verify with sign-in logs that no legacy auth connections succeed after enforcement. Provide auditors with the CA policy export and sign-in log evidence.
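The sign-in log check in that remediation, and the enforcement evidence requested in the Conditional Access section above, reduce to two numbers: successful legacy-protocol sign-ins (which must be zero) and the share of successful interactive sign-ins that satisfied MFA. The script below is an added example for this guide, not EPC Group's tooling; the records are constructed in the shape of the Microsoft Graph signIn resource (GET /auditLogs/signIns), trimmed to the properties used, and the user names are invented. It treats every clientAppUsed value other than the two modern-authentication ones as legacy, which is how the legacy-auth block in Conditional Access scopes itself.

```python
"""Turn Entra ID sign-in records into legacy-auth and MFA enforcement evidence.
Added example for this guide (not EPC Group tooling); the records are constructed."""
from collections import Counter

# Entra reports modern authentication under these two clientAppUsed values; anything
# else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...)
# is legacy authentication as far as the Conditional Access block is concerned.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed records (not from a real tenant).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "isInteractive": True,
     "clientAppUsed": "Browser", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success"},
    {"userPrincipalName": "bob@contoso.example", "isInteractive": True,
     "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0},
     "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success"},
    # Emergency-access account excluded from the MFA policy: single factor, reported below.
    {"userPrincipalName": "breakglass@contoso.example", "isInteractive": True,
     "clientAppUsed": "Browser", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied"},
    # Legacy protocol that got through: this is the CC6.1 finding.
    {"userPrincipalName": "svc-scanner@contoso.example", "isInteractive": False,
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0},
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied"},
    # Legacy protocol stopped by Conditional Access (AADSTS53003): the block operating.
    {"userPrincipalName": "svc-printer@contoso.example", "isInteractive": False,
     "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 53003},
     "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "failure"},
]


def summarize(signins):
    succeeded = [s for s in signins if s["status"]["errorCode"] == 0]

    # Any entry here is a legacy-auth success and goes straight into the findings list.
    legacy_success = [(s["userPrincipalName"], s["clientAppUsed"])
                      for s in succeeded if s["clientAppUsed"] not in MODERN_CLIENTS]

    # Blocked legacy attempts, counted per protocol, show the control operating.
    legacy_blocked = Counter(s["clientAppUsed"] for s in signins
                             if s["clientAppUsed"] not in MODERN_CLIENTS
                             and s["conditionalAccessStatus"] == "failure")

    interactive = [s for s in succeeded if s["isInteractive"]]
    mfa_count = sum(1 for s in interactive
                    if s["authenticationRequirement"] == "multiFactorAuthentication")
    # Every name here must match a documented exclusion, or it is a finding.
    single_factor_users = sorted({s["userPrincipalName"] for s in interactive
                                  if s["authenticationRequirement"] != "multiFactorAuthentication"})

    return {
        "legacy_auth_successes": legacy_success,
        "legacy_auth_blocked": dict(legacy_blocked),
        "interactive_successes": len(interactive),
        "mfa_satisfied": mfa_count,
        "single_factor_users": single_factor_users,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

On the sample the IMAP4 success by the scanner account is the finding, the blocked SMTP attempt is evidence that the block works, and the single-factor sign-in by the break-glass account is acceptable only because it matches the documented exclusion on the MFA policy. Run the same summary over each month of the review period so the auditor sees a trend rather than a single sample.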

Insufficient Audit Log Retention

High

Impact: Audit (Standard), the E3 default, retains records for 180 days. SOC 2 Type II covers 12 months. Auditors cannot verify control effectiveness for the full audit period if logs have been purged.

Remediation: Upgrade to E5 Audit (Premium) (1-year retention) or stream the audit log to a Log Analytics workspace or SIEM (for example the Microsoft Sentinel Office 365 connector) with at least 1-year retention. The external copy only starts when forwarding is enabled, so turn it on before the review period begins. EPC Group recommends E5 as the simplest and most auditor-friendly solution.

DLP Policies in Test Mode Only

Medium

Impact: DLP policies running in simulation/test mode do not actually block data exfiltration. Auditors view test-mode policies as "designed but not operating" — they cannot be credited as effective controls.

Remediation: Move DLP policies from simulation to enforcement mode. Run simulation for 2-4 weeks to tune false positives, then enforce before the audit period begins. Document the simulation-to-enforcement timeline for auditors.

Stale Accounts with Active Access

High

Impact: Accounts for former employees, expired contractors, or unused service accounts that remain enabled represent unauthorized access paths. Auditors query Entra ID for accounts with no sign-in in 90+ days.

Remediation: Implement automated access reviews in Entra ID Governance that quarterly review all user accounts and disable accounts with no sign-in activity in 90 days. Provide auditors with access review completion reports.
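The query behind this finding is worth running yourself before the auditor does. The script below is an added example for this guide, not EPC Group's tooling; the records are constructed in the shape of the Microsoft Graph user resource with signInActivity selected (the real query assumes an Entra ID P1 or P2 tenant and the AuditLog.Read.All permission), the review-period end date is assumed, and the account names are invented. It handles the cases that a naive "last sign-in older than 90 days" filter gets wrong: service accounts that only sign in non-interactively, accounts that have never signed in (judged by account age so a new hire is not flagged on day one), and accounts that are already disabled.

```python
"""List enabled accounts with no sign-in activity in the last 90 days.
Added example for this guide (not EPC Group tooling); the records are constructed."""
from datetime import datetime, timedelta, timezone

AS_OF = datetime(2025, 6, 30, tzinfo=timezone.utc)   # end of the review period (assumed)

# Constructed records (not from a real tenant), shaped like
# GET /users?$select=userPrincipalName,accountEnabled,userType,createdDateTime,signInActivity
SAMPLE_USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "userType": "Member", "createdDateTime": "2022-01-10T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-06-29T07:12:00Z",
                        "lastNonInteractiveSignInDateTime": "2025-06-30T01:00:00Z"}},
    {"userPrincipalName": "former.employee@contoso.example", "accountEnabled": True,
     "userType": "Member", "createdDateTime": "2021-03-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-02-14T16:40:00Z",
                        "lastNonInteractiveSignInDateTime": "2025-02-15T03:00:00Z"}},
    # Service account: only non-interactive sign-ins, but recent ones, so not stale.
    {"userPrincipalName": "svc-backup@contoso.example", "accountEnabled": True,
     "userType": "Member", "createdDateTime": "2023-05-05T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": None,
                        "lastNonInteractiveSignInDateTime": "2025-06-28T23:00:00Z"}},
    # New hire created last week with no sign-in yet: not stale.
    {"userPrincipalName": "new.hire@contoso.example", "accountEnabled": True,
     "userType": "Member", "createdDateTime": "2025-06-24T08:00:00Z",
     "signInActivity": None},
    # Guest invited a year ago who never redeemed the invitation: stale.
    {"userPrincipalName": "partner_example.com#EXT#@contoso.example", "accountEnabled": True,
     "userType": "Guest", "createdDateTime": "2024-05-01T08:00:00Z",
     "signInActivity": None},
    # Already disabled: nothing to remediate.
    {"userPrincipalName": "left.2023@contoso.example", "accountEnabled": False,
     "userType": "Member", "createdDateTime": "2020-01-01T08:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-10-01T08:00:00Z",
                        "lastNonInteractiveSignInDateTime": None}},
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def last_activity(user):
    """Latest of interactive and non-interactive sign-in; None if the account never signed in.
    Counting non-interactive sign-ins matters: service accounts never sign in interactively."""
    act = user.get("signInActivity") or {}
    stamps = [t for t in (_parse(act.get("lastSignInDateTime")),
                          _parse(act.get("lastNonInteractiveSignInDateTime"))) if t]
    return max(stamps) if stamps else None


def stale_accounts(users, as_of=AS_OF, days=90):
    """Return (UPN, userType, reason) for enabled accounts idle for more than `days`."""
    cutoff = as_of - timedelta(days=days)
    findings = []
    for u in users:
        if not u.get("accountEnabled"):
            continue
        last = last_activity(u)
        if last is None:
            # Never signed in: judge by account age instead of flagging immediately.
            if _parse(u["createdDateTime"]) < cutoff:
                findings.append((u["userPrincipalName"], u["userType"], "never signed in"))
        elif last < cutoff:
            findings.append((u["userPrincipalName"], u["userType"], f"last activity {last.date()}"))
    return findings


if __name__ == "__main__":
    for upn, kind, reason in stale_accounts(SAMPLE_USERS):
        print(f"{upn} ({kind}): {reason}")
```

The output is the list the access review should be disabling; keep each run dated alongside the access review completion report so the auditor can tie the two together.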

Undocumented Incident Response

Medium

Impact: Security incidents occurred during the audit period (phishing, blocked attacks, suspicious sign-ins) but response actions were not documented. Auditors need evidence of detection, investigation, containment, and resolution.

Remediation: Configure Microsoft Sentinel or Defender XDR to create incidents for all security events. Document response actions in the incident ticket. Generate a monthly incident summary report showing detection-to-resolution timeline.

Continuous Compliance Monitoring

SOC 2 is not a one-time certification — it requires continuous control effectiveness. Configurations drift, new users bypass policies, and new threats emerge. Continuous monitoring ensures your controls remain effective between annual audits.

Compliance Manager Score

Microsoft Purview Compliance Manager provides a real-time compliance score (0-100%) that updates as configurations change. Set alerts for score drops below your target threshold. Review weekly to catch drift early.

Microsoft Secure Score

Tracks security posture across Microsoft 365 with actionable recommendations. Each recommendation maps to SOC 2 controls. Target 80%+ Secure Score for SOC 2 readiness.

Automated Access Reviews

Entra ID Governance access reviews run quarterly, automatically flagging accounts with no sign-in activity, excessive permissions, or expired guest access. Reviewers approve or deny access directly in the portal.

SOC 2 Dashboard (Power BI)

EPC Group builds custom Power BI dashboards that pull data from Microsoft Graph, Purview APIs, and Sentinel to display real-time SOC 2 control metrics: MFA adoption, DLP enforcement, audit log completeness, and incident response times.

Related Enterprise Guides

Microsoft 365 Consulting

Full-spectrum Microsoft 365 consulting for enterprise deployments, migrations, governance, and optimization.

Regulated Industry Compliance

HIPAA, SOC 2, FedRAMP, and CMMC compliance consulting for Microsoft 365 environments.

Audit-Ready Analytics

Build an analytics compliance framework with audit trails, data lineage, and governance controls.

Frequently Asked Questions

How do you achieve SOC 2 compliance on Microsoft 365?

Achieving SOC 2 compliance on Microsoft 365 requires mapping the AICPA Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) to specific Microsoft 365 controls and configurations. Key steps include: 1) Implement Conditional Access policies enforcing MFA, compliant devices, and location-based access. 2) Configure Data Loss Prevention (DLP) policies to prevent unauthorized data sharing. 3) Enable Unified Audit Logging and retain logs for the audit period (minimum 12 months). 4) Deploy Microsoft Purview Information Protection for data classification and labeling. 5) Configure retention policies for email, SharePoint, and Teams. 6) Implement incident response procedures using Microsoft Sentinel or Defender XDR. 7) Generate evidence packages from Microsoft Purview Compliance Manager for auditor review. Microsoft 365 E5 provides the most comprehensive SOC 2 control coverage, including advanced audit, insider risk management, and eDiscovery. EPC Group has guided SaaS companies, financial services firms, and healthcare organizations through SOC 2 Type II audits using Microsoft 365 as the primary control platform.

What are the SOC 2 Trust Service Criteria?

SOC 2 is based on five Trust Service Criteria (TSC) defined by the AICPA: 1) Security (Common Criteria) — required for all SOC 2 reports. Controls that protect against unauthorized access, both physical and logical. In Microsoft 365: Conditional Access, MFA, Entra ID Protection, Microsoft Defender for Office 365. 2) Availability — controls ensuring systems are operational and accessible as committed. In M365: Service Health monitoring, geo-redundant architecture, SLA agreements, disaster recovery configuration. 3) Processing Integrity — controls ensuring data processing is complete, accurate, timely, and authorized. In M365: Power Automate audit trails, data validation rules, eDiscovery for processing verification. 4) Confidentiality — controls protecting information designated as confidential. In M365: DLP policies, sensitivity labels, encryption (Microsoft Purview Information Protection), conditional access restricting downloads. 5) Privacy — controls over collection, use, retention, disclosure, and disposal of personal information. In M365: retention policies, data subject request workflows, privacy impact assessments. Most SOC 2 audits include Security (mandatory) plus one or two additional criteria relevant to the business.

What Microsoft 365 license is required for SOC 2 compliance?

While SOC 2 compliance can technically be achieved on any Microsoft 365 tier, E5 provides the most comprehensive control coverage. Microsoft 365 E3 ($36/user/month) provides: Conditional Access, basic DLP, Audit (Standard) logging (180-day retention), basic retention policies, and Microsoft Defender for Office 365 Plan 1. Microsoft 365 E5 ($57/user/month) adds: Audit (Premium), formerly Advanced Audit (1-year log retention plus additional high-value audit events), Insider Risk Management, Communication Compliance, Records Management, eDiscovery (Premium), Microsoft Defender for Cloud Apps, and the premium Purview Compliance Manager assessment templates, including SOC 2. Key gap in E3: Audit (Standard) records are retained for only 180 days, and SOC 2 auditors typically require 12 months of logs. E5 Audit (Premium) extends retention to 1 year and adds audit events (MailItemsAccessed, Send, SearchQueryInitiated) that auditors specifically request. EPC Group recommends E5 for any organization pursuing SOC 2 Type II. The $21/user/month premium over E3 is a fraction of the cost of compensating controls or third-party audit logging solutions.

How do Conditional Access policies support SOC 2 controls?

Conditional Access policies in Entra ID are the primary enforcement mechanism for SOC 2 logical access controls (CC6.1, CC6.2, CC6.3). Key policies for SOC 2 include: 1) Require MFA for all users, all cloud apps, all locations — this satisfies the "multi-factor authentication" control that auditors look for first. 2) Block legacy authentication protocols — legacy protocols (POP3, IMAP, SMTP Auth) bypass MFA and represent an uncontrolled access path. 3) Require compliant or Hybrid Azure AD Joined devices — ensures only managed, patched devices access corporate data. 4) Block access from untrusted locations — restrict access to corporate IP ranges and trusted countries. 5) Require app protection policies on mobile devices — enforce data separation between corporate and personal data on BYOD devices. 6) Session controls — limit session duration, require re-authentication for sensitive apps, and prevent download/print of confidential files. EPC Group deploys a baseline of 12-15 Conditional Access policies that map directly to SOC 2 Common Criteria for logical access, and documents each policy's mapping to specific CC controls for auditor evidence packages.

What DLP policies are needed for SOC 2 compliance?

Data Loss Prevention (DLP) policies in Microsoft Purview address SOC 2 Confidentiality and Privacy criteria by preventing unauthorized data sharing. Essential DLP policies for SOC 2 include: 1) Financial data protection — detect and block sharing of credit card numbers, bank account numbers, and financial statements outside the organization via email, Teams, and SharePoint. 2) PII protection — detect Social Security numbers, passport numbers, driver's license numbers in email attachments and cloud storage; block external sharing and notify compliance team. 3) Confidential document protection — use sensitivity labels to classify documents as "Confidential" and enforce DLP rules that prevent external sharing, printing, or downloading of labeled content. 4) Endpoint DLP — extend DLP to Windows and macOS devices, blocking copy-to-USB, upload to personal cloud storage, and print of sensitive documents. 5) Custom policies — detect industry-specific data types (healthcare: PHI patterns; financial: SWIFT codes, CUSIP numbers). EPC Group configures DLP policies in simulation mode first (2-4 weeks) to measure false positive rates before enforcement, preventing business disruption while ensuring auditors see active, enforced policies during the audit period.

How long must audit logs be retained for SOC 2?

SOC 2 does not specify a minimum log retention period, but auditors typically require logs covering the entire audit period, which is 12 months for the Type II report assumed in this guide. Microsoft 365 log retention: Audit (Standard) (E3): 180 days for all record types (Microsoft raised the default from 90 days in 2023). This is insufficient for a 12-month Type II period. Audit (Premium) (E5): 1 year for activity performed by Audit (Premium) licensed users, with audit log retention policies in Purview able to extend specific record types up to 10 years; retention beyond 1 year requires the separately licensed 10-Year Audit Log Retention add-on. Audit (Premium) also captures events that auditors specifically request: MailItemsAccessed (who read which emails and when), Send (email sending with message details), and SearchQueryInitiated (what users searched for in Exchange and SharePoint). For organizations on E3, compensating controls include: streaming audit logs to a Log Analytics workspace (custom retention), forwarding logs to a SIEM (Splunk, Microsoft Sentinel), or using third-party log aggregation. An external copy only covers the period after forwarding was enabled, so turn it on before the review period starts. EPC Group recommends E5 Audit (Premium) as the simplest path; it eliminates the need for external log management and provides the audit events that SOC 2 auditors expect to see.

How do you collect evidence for SOC 2 auditors from Microsoft 365?

Evidence collection is the most time-consuming part of a SOC 2 audit. Microsoft 365 provides multiple evidence sources: 1) Microsoft Purview Compliance Manager — provides pre-built SOC 2 assessment templates that map Microsoft 365 controls to Trust Service Criteria. Export the assessment as a report showing control status, evidence, and improvement actions. 2) Conditional Access policy export — export all CA policies as JSON from Entra ID for auditor review. 3) Audit log search — run targeted searches in Microsoft Purview for specific events (user sign-ins, file access, admin changes) and export results as CSV. 4) DLP policy activity reports — export DLP matches, overrides, and false positives from the Purview compliance portal. 5) Defender reports — export threat detection, blocked emails, and incident response actions. 6) Entra ID sign-in logs — export sign-in logs showing MFA enforcement, location, device compliance, and CA policy application. 7) Retention policy documentation — export retention labels and policies showing data lifecycle management. EPC Group creates a SOC 2 evidence binder — a structured document package mapping each Trust Service Criteria to the specific Microsoft 365 control, configuration screenshot, and log evidence that proves the control was operating effectively during the audit period.

What are common SOC 2 audit findings on Microsoft 365?

The five most common SOC 2 findings EPC Group sees in Microsoft 365 environments: 1) Legacy authentication not blocked: auditors check for POP3, IMAP, and SMTP AUTH access. If these protocols are not blocked by Conditional Access, it is a finding because they bypass MFA. 2) Audit log retention insufficient: organizations on E3 with 180-day retention cannot demonstrate control effectiveness over the 12-month Type II period. Auditors will flag this as a control gap. 3) No DLP policies enforced: having DLP policies in "test mode" or "simulation only" for the entire audit period means the control is not operating effectively. Auditors need to see enforced policies with documented exceptions. 4) Stale user accounts with active licenses: former employees, contractors, or service accounts that were never disabled represent unauthorized access paths. Auditors check Entra ID for accounts with no sign-in activity in 90+ days. 5) Missing incident response documentation: organizations have incidents during the audit period (phishing emails, blocked attacks) but do not document the response. Auditors need evidence that incidents were detected, investigated, and resolved per the incident response plan. EPC Group conducts a pre-audit readiness assessment 60-90 days before the audit period to identify and remediate these common findings before auditors arrive.

What is continuous compliance monitoring for SOC 2?

Continuous compliance monitoring ensures SOC 2 controls remain effective between annual audits — not just during the audit period. Microsoft 365 tools for continuous monitoring include: Microsoft Purview Compliance Manager — provides a compliance score (0-100%) that updates in real-time as configurations change, with alerts when score drops. Microsoft Secure Score — tracks security posture and recommends improvements mapped to SOC 2 controls. Microsoft Sentinel — SIEM platform that correlates security events across Microsoft 365 and generates alerts for control violations (failed MFA, impossible travel, mass file downloads). Microsoft Defender XDR — unified incident management across email, endpoint, identity, and cloud apps with automated investigation. Scheduled compliance reports — automated weekly/monthly exports of key metrics: MFA adoption rate, DLP policy matches, conditional access failures, stale accounts, and audit log completeness. EPC Group deploys a SOC 2 compliance dashboard in Power BI that pulls data from Microsoft Graph, Purview APIs, and Sentinel to provide real-time visibility into control effectiveness — giving leadership and auditors confidence that controls operate continuously, not just during audit sampling.

Prepare for Your SOC 2 Audit

Start with a SOC 2 Readiness Assessment. EPC Group audits your Microsoft 365 configuration against all Trust Service Criteria, identifies control gaps, remediates findings, and builds your evidence collection workflow — so auditors find zero surprises. Fixed-fee engagement starting at $25,000.

Get SOC 2 Readiness Assessment (888) 381-9725