9.1 Service Trust Portal and Assurance Resources

Key Takeaways

  • The Service Trust Portal (servicetrust.microsoft.com) is where customers download Microsoft's independent audit reports — SOC 1/2/3, ISO/IEC 27001, PCI DSS, FedRAMP, and GDPR materials.
  • It is a documentation library, not a tenant tool: it does not classify data, run policies, or change configuration; you must sign in with a Microsoft cloud account to access most reports.
  • My Library lets you pin frequently used documents and opt in to notifications when those reports are updated.
  • On SC-900, choose the Service Trust Portal when the goal is third-party assurance evidence about Microsoft's cloud, not Compliance Manager (which scores YOUR tenant).
Last updated: June 2026

What the Service Trust Portal Is

The Service Trust Portal (STP), reached at servicetrust.microsoft.com, is Microsoft's central library for publishing the independent, third-party audit reports and compliance documentation for its cloud services — Azure, Microsoft 365, Dynamics 365, Power Platform, and more. When your auditor, risk owner, or customer asks "prove that Microsoft's cloud is certified for ISO 27001" or "give me the SOC 2 Type 2 report," the STP is where you download that evidence. It is assurance about Microsoft's side of the shared-responsibility model, not a tool that touches your tenant.

Most documents on the STP require you to sign in with a Microsoft cloud (Microsoft Entra) account — they are made available under a non-disclosure agreement, so anonymous browsing is limited. Once signed in, you can read and download the reports your subscription entitles you to.

Key categories of documents

| Folder / category | What it contains | Common standard names |
| --- | --- | --- |
| SOC reports | System and Organization Controls attestations | SOC 1, SOC 2 (Type 1/Type 2), SOC 3 |
| ISO / IEC | International certificates and assessment reports | ISO/IEC 27001, 27018, 27017, 22301 |
| PCI | Payment card attestations | PCI DSS Attestation of Compliance, PCI 3DS |
| Regional / industry | Sector and country frameworks | FedRAMP, HIPAA/HITECH, GDPR, NIST |
| White papers & FAQs | How Microsoft meets controls; data-protection guidance | Privacy, security, and compliance papers |

The STP gives you certificates, attestation letters, assessment reports, white papers, and FAQs that you can attach to your own regulatory filings. Microsoft achieves the certification once for its platform; you reuse the evidence as part of demonstrating your own compliance.

Why a separate portal exists

In the shared responsibility model, Microsoft is responsible for the security and compliance of the cloud (physical datacenters, host infrastructure, the platform's certifications), while you remain responsible for security and compliance in the cloud (your data, identities, configurations, and access). An auditor reviewing your environment will still ask for proof that the underlying platform is trustworthy. Rather than re-auditing Microsoft's datacenters yourself — which is impossible — you point to the independent attestations Microsoft has already obtained.

The Service Trust Portal is the delivery mechanism for exactly that evidence. It exists because compliance is never "a single button": the provider supplies trust documentation and platform certifications, and the customer still owns its internal policies, decisions, and risk acceptance.

Think of the STP as a filing cabinet of Microsoft's compliance proof. It answers "is Microsoft's cloud certified?" — it never answers "is my tenant configured correctly?" It never changes tenant configuration and never produces a posture score for you; anything that scans, classifies, labels, retains, or investigates your data lives in Microsoft Purview instead.

My Library, Notifications, and the Trust Documents Layout

The STP includes a My Library feature. You add the documents you reference most often — for example your industry's SOC 2 and ISO 27001 reports — to My Library so they are one click away, and you can opt in to notifications so Microsoft emails you when a saved document is refreshed (audit reports are reissued periodically as new audit cycles complete). This matters in practice because attestations have validity windows; an out-of-date SOC report is not acceptable evidence.

Beyond raw reports, the portal surfaces trust content such as the audited control descriptions, regional compliance summaries, and guidance on how Microsoft implements specific controls. Historically some of this overlapped with the old Compliance Manager templates; today Compliance Manager itself lives in the Microsoft Purview portal, and the STP remains the document/evidence library.

The single most important SC-900 distinction

Learners constantly confuse the STP with Compliance Manager. Keep them in separate lanes:

  • Service Trust Portal = evidence about Microsoft's cloud (their auditors, their certifications). It is read-only documentation. It does not score you.
  • Compliance Manager (in Microsoft Purview) = a workspace that measures your tenant's compliance posture, gives you a compliance score, and tracks improvement actions you complete.

Worked selection scenario

A security architect must hand the company's external auditor proof that Azure is ISO/IEC 27001 certified before a regulated workload goes live. Which resource?

  • The need is a third-party certificate about Microsoft's platform → Service Trust Portal (download the ISO/IEC 27001 certificate and assessment report).
  • It is not Compliance Manager (that would score the customer's own controls), not Microsoft Priva (privacy management), and not Microsoft Sentinel (SIEM/SOAR).

Common trap: answer choices may pair the STP with a Purview data control like data loss prevention (DLP) or eDiscovery. Those operate on your tenant's content and activity. If the verb is download, review, or provide audit/assurance documentation about Microsoft, the answer is the Service Trust Portal — every time.

A second worked scenario

A customer's procurement team wants to verify, before signing, that Microsoft 365 maintains an ISO/IEC 27018 certification (the code of practice for protecting personal data in public clouds). They sign in to the Service Trust Portal, open the ISO category, download the certificate and assessment report, and add it to My Library so they are notified when the next audit cycle reissues it. No Purview solution is involved because nothing about their tenant is being measured — they are validating Microsoft's platform.

Contrast that with a near-identical-sounding scenario: "verify that our Microsoft 365 configuration meets ISO 27001 controls." That is Compliance Manager, because the verb shifts from download Microsoft's certificate to assess our own controls and track our score. The two scenarios use the same standard name but resolve to different products — which is precisely the distinction SC-900 is testing. Keep the question "whose compliance is being proven, Microsoft's or mine?" at the front of your mind, and the STP-versus-Compliance-Manager items become easy.

Test Your Knowledge

An external auditor asks your company to provide Microsoft's SOC 2 Type 2 attestation report for Azure. Where do you obtain it?

Test Your Knowledge

Which statement best distinguishes the Service Trust Portal from Compliance Manager?

Test Your Knowledge

What does the My Library feature in the Service Trust Portal let you do?
