SOC 2 Compliance Checklist — Azure
Framework: AICPA Trust Services Criteria (TSC) 2017, with the 2022 revised points of focus
Scope: Security (mandatory) + Availability, Confidentiality (common add-ons)
Status legend: [ ] Not started · [~] In progress · [x] Complete
Do not represent any control as implemented until you have collected and retained evidence. Auditors require logs, screenshots, policy documents, and configuration exports — not just running services.
Microsoft's SOC 2 report covers what Microsoft operates: physical infrastructure, the hypervisor, and the managed service platforms. Your SOC 2 report must cover the controls you configure and operate on top of Azure: Entra ID, logging, network, encryption, and your own processes. Download Microsoft's audit reports from the Microsoft Service Trust Portal and retain them as vendor evidence.
CC1 — Control Environment
| # | Item | Status | Owner |
|---|---|---|---|
| 1.1 | Document an Information Security Policy approved by management | [ ] | CISO / Compliance |
| 1.2 | Define organizational roles and security responsibilities (RACI) | [ ] | CISO |
| 1.3 | Establish a security awareness training program; track completion annually | [ ] | HR / Security |
| 1.4 | Conduct background checks for employees with access to customer data | [ ] | HR |
| 1.5 | Place subscriptions under Azure Management Groups and assign Azure Policy at management-group scope so guardrails apply to every subscription, including ones created later | [ ] | Cloud Admin |
| 1.6 | Download Microsoft Azure SOC 2 report from Service Trust Portal and retain as vendor evidence | [ ] | Compliance |
Reference: Microsoft Service Trust Portal → · Azure Shared Responsibility Model →
CC2 — Communication and Information
| # | Item | Status | Owner |
|---|---|---|---|
| 2.1 | Publish a customer-facing security page or Trust Center | [ ] | Security / Marketing |
| 2.2 | Maintain an incident notification process (SLA for notifying customers) | [ ] | Security |
| 2.3 | Enable Azure Activity Log in all subscriptions as the primary audit information source | [ ] | Cloud Admin |
| 2.4 | Document and communicate a security incident reporting channel internally | [ ] | Security |
Reference: Logging & Monitoring →
CC3 — Risk Assessment
| # | Item | Status | Owner |
|---|---|---|---|
| 3.1 | Conduct a formal risk assessment annually; document in a risk register | [ ] | Compliance |
| 3.2 | Enable Microsoft Defender for Cloud on every subscription so recommendations and secure score are produced continuously | [ ] | Security |
| 3.3 | Assign the Microsoft cloud security benchmark (MCSB, successor of the Azure Security Benchmark) standard in Defender for Cloud and track its compliance percentage | [ ] | Cloud Admin |
| 3.4 | Review Defender for Cloud recommendations monthly and track remediation | [ ] | Security |
| 3.5 | Assess risks posed by third-party vendors and document mitigations | [ ] | Compliance |
Reference: Microsoft Defender for Cloud →
CC4 — Monitoring Activities
| # | Item | Status | Owner |
|---|---|---|---|
| 4.1 | Assign the built-in SOC 2 regulatory compliance initiative (Azure Policy initiative "SOC TSP") across all subscriptions and enable it under Regulatory compliance in Defender for Cloud | [ ] | Cloud Admin |
| 4.2 | Enable Microsoft Defender for Cloud on all subscriptions and resource types | [ ] | Cloud Admin |
| 4.3 | Configure Azure Monitor alerts or Sentinel analytics rules for critical security events (Entra sign-in failures, role assignment changes, Azure Policy non-compliance); sign-in events only reach the workspace once Entra diagnostic settings route SignInLogs there | [ ] | Cloud Admin |
| 4.4 | Conduct a penetration test at least annually; retain the report | [ ] | Security |
| 4.5 | Perform quarterly access reviews via Entra ID Access Reviews; document and remediate | [ ] | Security |
Reference: Logging & Monitoring →
CC5 — Control Activities
| # | Item | Status | Owner |
|---|---|---|---|
| 5.1 | Apply least-privilege Azure RBAC; no use of Owner role for day-to-day operations | [ ] | Cloud Admin |
| 5.2 | Use Entra ID with Conditional Access for all human access; no long-lived shared accounts | [ ] | Cloud Admin |
| 5.3 | Enforce segregation of duties — developers cannot directly deploy to production | [ ] | Engineering Lead |
| 5.4 | Require pull-request reviews and CI pipeline success before production deployments | [ ] | Engineering Lead |
| 5.5 | All infrastructure defined as code (Terraform, Bicep, ARM) with version control | [ ] | Cloud Admin |
Reference: IAM & Access Control →
CC6 — Logical and Physical Access Controls
CC6.1 — Logical Access Security
| # | Item | Status | Owner |
|---|---|---|---|
| 6.1.1 | Protect all Global Administrator accounts with phishing-resistant MFA (FIDO2 or certificate) | [ ] | Cloud Admin |
| 6.1.2 | Enforce MFA for all Entra ID users via Conditional Access policy | [ ] | Cloud Admin |
| 6.1.3 | Enable Privileged Identity Management (PIM) for all privileged roles — just-in-time access | [ ] | Cloud Admin |
| 6.1.4 | Set strong password policy and enable Entra ID Password Protection | [ ] | Cloud Admin |
| 6.1.5 | Enable automatic key rotation in Azure Key Vault for all customer-managed keys | [ ] | Cloud Admin |
| 6.1.6 | Enable Defender for Storage and block public Blob access at the storage account level | [ ] | Cloud Admin |
| 6.1.7 | Enable Azure Disk Encryption (ADE) or server-side encryption with CMK on all VM disks | [ ] | Cloud Admin |
CC6.2 — New Access Provisioning
| # | Item | Status | Owner |
|---|---|---|---|
| 6.2.1 | Use Entra ID (with IdP federation or SCIM) for all engineer and operator access | [ ] | Cloud Admin |
| 6.2.2 | Document a formal access request and approval process | [ ] | Security |
| 6.2.3 | Grant access via Azure RBAC roles at the resource group or resource scope; avoid subscription-scope Owner assignments | [ ] | Cloud Admin |
CC6.3 — Access Removal
| # | Item | Status | Owner |
|---|---|---|---|
| 6.3.1 | Deprovision Entra ID accounts within 24 hours of termination (automate with HR-driven inbound provisioning and Entra Lifecycle Workflows rather than manual tickets) | [ ] | HR / Cloud Admin |
| 6.3.2 | Revoke all active sessions and refresh tokens on termination (Graph revokeSignInSessions) and disable the account; already-issued access tokens stay valid until they expire, typically up to an hour, unless Continuous Access Evaluation applies | [ ] | Cloud Admin |
| 6.3.3 | Flag accounts with no sign-in activity for 90+ days using Entra ID Inactive Users report | [ ] | Cloud Admin |
| 6.3.4 | Run quarterly Entra ID Access Reviews for all privileged roles; remove unjustified access | [ ] | Cloud Admin |
CC6.6 — Network Controls
| # | Item | Status | Owner |
|---|---|---|---|
| 6.6.1 | Do not rely on the default NSG rules alone: the inbound defaults already deny Internet traffic, but AllowInternetOutBound (priority 65001) permits all egress; add explicit least-privilege inbound and outbound rules | [ ] | Cloud Admin |
| 6.6.2 | Attach no public IP addresses to production VMs or PaaS endpoints; expose services only through Application Gateway, Front Door, or a public Load Balancer, and reach PaaS data stores over Private Endpoints | [ ] | Cloud Admin |
| 6.6.3 | No NSG allows unrestricted inbound access (source `*`, `Internet`, or `0.0.0.0/0`) on admin ports (22, 3389); use Azure Bastion or Defender for Servers just-in-time VM access instead | [ ] | Cloud Admin |
| 6.6.4 | Enable VNet flow logs (NSG flow logs are being retired) on all production VNets, stored to a storage account with Traffic Analytics feeding the Log Analytics workspace | [ ] | Cloud Admin |
| 6.6.5 | Deploy Azure WAF on all public-facing Application Gateways and Azure Front Door | [ ] | Cloud Admin |
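Item 6.6.3 is easy to get wrong by grepping rules for `0.0.0.0/0`: an allow rule at priority 200 is harmless if a broader deny sits at priority 100, and an allow rule scoped to one office prefix is not "unrestricted". The script below is an added example, not part of the original checklist, that evaluates exported NSGs the way the platform does (lowest priority number wins, first match decides) for traffic arriving from any Internet address. Input mirrors the shape of `az network nsg list -o json`; the two NSGs and their rules are constructed for this example, and the default rules are the ones Azure attaches to every NSG.

```python
"""Audit exported Azure NSGs for unrestricted inbound access to admin ports.

Input shape mirrors `az network nsg list -o json` (securityRules plus
defaultSecurityRules). The sample NSGs below are constructed for this example.
"""
import json
import sys

ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}   # prefixes that cover the whole Internet
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Azure's default inbound rules, present on every NSG at priority 65000 and above.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

SAMPLE_NSGS = [  # constructed sample export
    {"name": "nsg-prod-web", "defaultSecurityRules": DEFAULT_INBOUND, "securityRules": [
        {"name": "AllowSSHAny", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
        {"name": "AllowRdpOffice", "priority": 110, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "3389"},
    ]},
    {"name": "nsg-prod-app", "defaultSecurityRules": DEFAULT_INBOUND, "securityRules": [
        {"name": "DenyInternetAdmin", "priority": 100, "direction": "Inbound", "access": "Deny",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]},
        {"name": "AllowSSHAny", "priority": 200, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "22"},
        {"name": "AllowHttpsAny", "priority": 300, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    ]},
]


def _port_in_range(port, spec):
    """True if `port` falls inside an NSG port spec: '*', '22' or '3000-3100'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _values(rule, singular, plural):
    """A rule carries one value in the singular field or a list in the plural one."""
    values = list(rule.get(plural) or [])
    if rule.get(singular):
        values.append(rule[singular])
    return values


def evaluate_inbound(nsg, port, protocol="Tcp"):
    """First-match evaluation for traffic from *any* Internet source.
    Returns (access, rule_name, priority) of the rule that decides the flow."""
    rules = list(nsg.get("securityRules", [])) + list(nsg.get("defaultSecurityRules", []))
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound":
            continue
        if rule["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if not any(_port_in_range(port, p) for p in _values(rule, "destinationPortRange", "destinationPortRanges")):
            continue
        sources = {s.lower() for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")}
        # A rule scoped to one prefix or service tag (an office CIDR, VirtualNetwork) decides
        # only that slice of traffic; the rest of the Internet falls through to later rules.
        if not sources & ANY_SOURCE:
            continue
        return rule["access"], rule["name"], rule["priority"]
    return "Deny", None, None  # not reached in practice: DenyAllInBound (65500) always matches


def audit_admin_ports(nsgs, ports=ADMIN_PORTS):
    """List every NSG/port pair where the deciding rule allows the whole Internet in."""
    findings = []
    for nsg in nsgs:
        for port, label in ports.items():
            access, rule, prio = evaluate_inbound(nsg, port)
            if access.lower() == "allow":
                findings.append({"nsg": nsg["name"], "port": port, "service": label,
                                 "rule": rule, "priority": prio})
    return findings


if __name__ == "__main__":
    # Usage: az network nsg list -o json > nsgs.json && python nsg_audit.py nsgs.json
    nsgs = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_NSGS
    print(json.dumps(audit_admin_ports(nsgs), indent=2))
```

On the sample data only `nsg-prod-web` is reported (SSH open to the world at priority 100); the `0.0.0.0/0` rule in `nsg-prod-app` is shadowed by the deny at priority 100 and the office-scoped RDP rule is not unrestricted. Keep the JSON export and the script output together as the evidence artefact for 6.6.3.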
CC6.7 — Data Transmission Controls
| # | Item | Status | Owner |
|---|---|---|---|
| 6.7.1 | Enforce TLS 1.2+ on all public endpoints (Storage minimumTlsVersion, App Service minTlsVersion, SQL minimalTlsVersion, Application Gateway SSL policy); disable TLS 1.0 and 1.1 | [ ] | Cloud Admin |
| 6.7.2 | Enable "Secure transfer required" on all Azure Storage accounts | [ ] | Cloud Admin |
| 6.7.3 | Store all secrets, connection strings, and certificates in Azure Key Vault; never in code or app config | [ ] | Engineering |
| 6.7.4 | Rotate Key Vault secrets and certificates automatically: certificates via auto-renewal with an integrated CA (DigiCert, GlobalSign) or a documented renewal process for other issuers; secrets via the Event Grid SecretNearExpiry event triggering a rotation function, since Key Vault has no built-in secret rotation | [ ] | Cloud Admin |
Reference: Network Security → · Encryption →
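Items 6.1.6, 6.7.1 and 6.7.2 are all properties of the storage account resource, so one query collects the evidence for all three. The check below is an added example, not part of the original checklist. Records mirror what Azure Resource Graph returns for `microsoft.storage/storageaccounts` (`az graph query`), trimmed to the properties used; the three accounts are constructed. Two details matter for an audit: TLS versions must be compared by rank, not string equality, and a property that is absent from an older account is read with the permissive platform default so an account that was never hardened is reported rather than silently passed. (New accounts carry explicit values, so this only affects legacy resources.)

```python
"""Check storage accounts against checklist items 6.1.6, 6.6, 6.7.1 and 6.7.2.

Records mirror Azure Resource Graph output for microsoft.storage/storageaccounts
(az graph query -q "Resources | where type =~ 'microsoft.storage/storageaccounts'"),
trimmed to the properties used here. The sample accounts are constructed.
"""
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}

SAMPLE_ACCOUNTS = [  # constructed
    {"name": "stprodlogs", "properties": {
        "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False, "networkAcls": {"defaultAction": "Deny"}}},
    {"name": "stlegacyexports", "properties": {
        # Older account: TLS floor and public-access flag were never set explicitly.
        "supportsHttpsTrafficOnly": False,
        "networkAcls": {"defaultAction": "Allow"}}},
    {"name": "stmarketingsite", "properties": {
        "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_1",
        "allowBlobPublicAccess": True, "networkAcls": {"defaultAction": "Deny"}}},
]


def check_storage_account(account, min_tls="TLS1_2"):
    """Return the checklist items this account fails, each with the offending value.
    Missing properties are read with the permissive platform default on purpose."""
    p = account["properties"]
    failures = []
    if not p.get("supportsHttpsTrafficOnly", False):
        failures.append("6.7.2: secure transfer (HTTPS only) not required")
    tls = p.get("minimumTlsVersion", "TLS1_0")
    if TLS_RANK.get(tls, 0) < TLS_RANK[min_tls]:
        failures.append(f"6.7.1: minimumTlsVersion is {tls}, need {min_tls}")
    if p.get("allowBlobPublicAccess", True):
        failures.append("6.1.6: anonymous (public) blob access not disabled")
    if p.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        failures.append("6.6: storage firewall default action is Allow")
    return failures


def audit_storage(accounts, min_tls="TLS1_2"):
    """Map each non-compliant account name to its failures; compliant accounts are omitted."""
    report = {}
    for account in accounts:
        failures = check_storage_account(account, min_tls)
        if failures:
            report[account["name"]] = failures
    return report


if __name__ == "__main__":
    for name, failures in audit_storage(SAMPLE_ACCOUNTS).items():
        print(name)
        for f in failures:
            print("  -", f)
```

Run it against the real Resource Graph export on a schedule and retain each run's output; an empty report dated inside the audit period is the evidence for these items.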
CC7 — System Operations
| # | Item | Status | Owner |
|---|---|---|---|
| 7.1 | Route Entra ID AuditLogs and SignInLogs (diagnostic settings on the tenant) to the central Log Analytics workspace | [ ] | Cloud Admin |
| 7.2 | Send Azure Activity Logs for all subscriptions to a central Log Analytics workspace | [ ] | Cloud Admin |
| 7.3 | Enable resource-level diagnostic logs for critical services (Key Vault, Storage, SQL, App Service) | [ ] | Cloud Admin |
| 7.4 | Enable Microsoft Sentinel on the central workspace; enable analytics rules that raise incidents for high-severity detections (privileged role changes, sign-in anomalies, Defender alerts) | [ ] | Cloud Admin |
| 7.5 | Enable Defender for Storage, SQL, Key Vault, and Containers | [ ] | Cloud Admin |
| 7.6 | Enable Microsoft Defender for Servers and Defender Vulnerability Management on all VMs | [ ] | Cloud Admin |
| 7.7 | Document and test an incident response runbook; review quarterly | [ ] | Security |
| 7.8 | Configure Logic App playbooks or Action Groups to route HIGH/CRITICAL Sentinel incidents to a ticketing system | [ ] | Cloud Admin |
Reference: Logging & Monitoring → · Incident Response →
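Items 4.3 and 7.4 ask for detections on role changes and sign-in failures but do not say what the logic looks like. The script below is an added example, not part of the original checklist, that runs two such detections over constructed records: Activity Log events in the shape a subscription diagnostic setting exports, and Entra ID SignInLogs records. In production the same logic lives in Sentinel analytics rules; the Python form makes the two non-obvious points visible: every control-plane write logs a `Start` record and then a `Success`/`Failure` record, so only the completion record must count, and failure bursts need a sliding window keyed once by account (brute force) and once by source IP across accounts (password spray). The callers, account names, IPs and timestamps are constructed.

```python
"""Detection logic for role-assignment changes and sign-in failure bursts.

Runs over constructed records: Activity Log events in the shape a subscription
diagnostic setting exports, and Entra ID SignInLogs records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ROLE_OPS = {  # Activity Log operation names that change who holds which role
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE",
    "MICROSOFT.AUTHORIZATION/ROLEDEFINITIONS/WRITE",
}

ACTIVITY_EVENTS = [  # constructed; each write logs a Start, then a Success/Failure
    {"time": "2024-05-02T09:14:01Z", "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "resultType": "Start", "caller": "alice@contoso.example",
     "resourceId": "/subscriptions/sub-0001/providers/Microsoft.Authorization/roleAssignments/ra-0001"},
    {"time": "2024-05-02T09:14:03Z", "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "resultType": "Success", "caller": "alice@contoso.example",
     "resourceId": "/subscriptions/sub-0001/providers/Microsoft.Authorization/roleAssignments/ra-0001"},
    {"time": "2024-05-02T09:20:41Z", "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "resultType": "Success", "caller": "sp-deploy",
     "resourceId": "/subscriptions/sub-0001/resourceGroups/rg-app/providers/Microsoft.Authorization/roleAssignments/ra-0002"},
    {"time": "2024-05-02T09:25:00Z", "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "resultType": "Success", "caller": "sp-deploy",
     "resourceId": "/subscriptions/sub-0001/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"},
]

SIGNIN_LOGS = [  # constructed; resultType "0" is success, anything else is an Entra error code
    *[{"createdDateTime": f"2024-05-02T10:0{i}:00Z", "userPrincipalName": "bob@contoso.example",
       "ipAddress": "198.51.100.7", "resultType": "50126"} for i in range(5)],
    {"createdDateTime": "2024-05-02T10:06:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "resultType": "0"},
    {"createdDateTime": "2024-05-02T11:00:00Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "203.0.113.50", "resultType": "50126"},
    {"createdDateTime": "2024-05-02T11:00:30Z", "userPrincipalName": "dave@contoso.example",
     "ipAddress": "203.0.113.50", "resultType": "50126"},
    {"createdDateTime": "2024-05-02T11:01:00Z", "userPrincipalName": "erin@contoso.example",
     "ipAddress": "203.0.113.50", "resultType": "50126"},
    {"createdDateTime": "2024-05-02T12:00:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "192.0.2.9", "resultType": "50126"},
]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def role_change_alerts(events):
    """Alert on every completed role change; subscription or management-group scope is High."""
    alerts = []
    for e in events:
        # Only the completion record counts; the paired "Start" record would double-count.
        if e["operationName"].upper() not in ROLE_OPS or e["resultType"] != "Success":
            continue
        scope = e["resourceId"].split("/providers/Microsoft.Authorization/")[0]
        broad = "/resourcegroups/" not in scope.lower()
        alerts.append({"time": e["time"], "caller": e["caller"], "operation": e["operationName"],
                       "scope": scope, "severity": "High" if broad else "Medium"})
    return alerts


def sign_in_failure_alerts(records, window=timedelta(minutes=10), per_user=5, spray_users=3):
    """Sliding-window detection: repeated failures on one account (brute force) and
    failures from one IP across many accounts (password spray). Fires once per key."""
    failures = sorted((r for r in records if r["resultType"] != "0"), key=lambda r: r["createdDateTime"])
    by_user, by_ip, fired, alerts = defaultdict(list), defaultdict(list), set(), []
    for r in failures:
        t, upn, ip = _ts(r["createdDateTime"]), r["userPrincipalName"], r["ipAddress"]
        by_user[upn] = [x for x in by_user[upn] if t - x <= window] + [t]
        by_ip[ip] = [(x, u) for x, u in by_ip[ip] if t - x <= window] + [(t, upn)]
        if len(by_user[upn]) >= per_user and ("user", upn) not in fired:
            fired.add(("user", upn))
            alerts.append({"rule": "brute-force", "key": upn, "count": len(by_user[upn]), "time": r["createdDateTime"]})
        users = {u for _, u in by_ip[ip]}
        if len(users) >= spray_users and ("ip", ip) not in fired:
            fired.add(("ip", ip))
            alerts.append({"rule": "password-spray", "key": ip, "count": len(users), "time": r["createdDateTime"]})
    return alerts


if __name__ == "__main__":
    for a in role_change_alerts(ACTIVITY_EVENTS) + sign_in_failure_alerts(SIGNIN_LOGS):
        print(a)
```

On the sample data the subscription-scope assignment by alice is High, the resource-group-scope one by the deployment principal is Medium, bob's five failures trip the brute-force rule, and the single IP failing against three accounts trips the spray rule; bob's own source IP does not, because it hit only one account. Retain the alert output alongside the Sentinel incident as the evidence trail for 7.4 and 7.8.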
CC8 — Change Management
| # | Item | Status | Owner |
|---|---|---|---|
| 8.1 | All production infrastructure changes made via IaC (no manual portal changes) | [ ] | Cloud Admin |
| 8.2 | Require peer review (pull request) for all IaC changes | [ ] | Engineering Lead |
| 8.3 | CI/CD pipeline runs security scans (SAST, dependency scan, tfsec / checkov) before deployment | [ ] | Engineering |
| 8.4 | Assign Azure Policy with the Audit effect to detect drift from approved baselines, and the Deny effect for changes that must never happen (public blob access, TLS below 1.2, resources outside approved regions) | [ ] | Cloud Admin |
| 8.5 | Maintain a change log; document major infrastructure changes with rationale | [ ] | Cloud Admin |
| 8.6 | Test deployments in a staging environment before production | [ ] | Engineering |
CC9 — Risk Mitigation
| # | Item | Status | Owner |
|---|---|---|---|
| 9.1 | Maintain a vendor inventory; assess each vendor's SOC 2 / ISO 27001 status annually | [ ] | Compliance |
| 9.2 | Obtain Microsoft Azure SOC 2 report annually from Service Trust Portal as vendor evidence | [ ] | Compliance |
| 9.3 | Enable Azure Backup with geo-redundant storage for all critical data stores | [ ] | Cloud Admin |
| 9.4 | Document and test BCP/DRP; verify RTO and RPO targets can be met | [ ] | Cloud Admin |
| 9.5 | Use Azure Site Recovery or availability zones to meet defined availability SLAs | [ ] | Cloud Admin |
Reference: Service Trust Portal → · Azure Backup →
Microsoft Purview Compliance Manager
Microsoft Purview Compliance Manager provides a pre-built SOC 2 assessment whose improvement actions are mapped to the TSC. Some actions are tested automatically from Microsoft Secure Score and Defender for Cloud data; the rest require evidence you upload and a tester you assign. Use it to track progress and to organize evidence, but treat the compliance score as an internal indicator: auditors sample the underlying artifacts (policy documents, configuration exports, logs, tickets), not the score.
Reference: Microsoft Purview Compliance Manager →