
SOC 2 in Microsoft 365

A practical guide to mapping SOC 2 Security controls to Microsoft 365 evidence. Learn what auditors expect from Entra ID, Conditional Access, logging, incident response, and governance.

SOC 2 Security • Microsoft 365 Evidence • Practical & Audit-Ready

SOC 2 in Microsoft 365

Evidence Mapping for the Security Criterion (Practical, Audit-Ready)

If your environment is Microsoft 365-first, SOC 2 doesn’t require a stack of new tools. It requires evidence that your security controls are real, consistently applied, and monitored.
This guide maps the SOC 2 Security criterion (Common Criteria) to Microsoft 365 evidence you can collect quickly, so your audit doesn’t turn into a screenshot scramble.

What SOC 2 tests
Controls that prevent, detect, and respond over time.
What auditors need
Policy, configuration proof, logs, and review records.
Fastest win
A SharePoint evidence pack with repeatable exports and samples.

Who this is for

  • SaaS companies and service providers running on Microsoft 365 + Entra ID (Azure AD)
  • Teams preparing for SOC 2 Type I or Type II
  • vCISO / security leads who need a repeatable evidence pack in SharePoint

What “SOC 2 Security” actually means (plain English)

The SOC 2 Security criterion is about whether you have controls to limit unauthorized access, prevent and detect misuse, respond to incidents, manage change, and keep systems protected.

What auditors care about
  • Policies exist and are approved
  • Configurations enforce those policies
  • Activity is logged and reviewed
  • Exceptions are tracked
  • Incidents are handled consistently

Before you map evidence: define your Microsoft 365 scope

Write a clear scope statement in your SOC 2 system description. Keep it simple and defensible.

  • Identity: Entra ID (Azure AD), MFA, Conditional Access
  • Messaging + collaboration: Exchange Online, Teams, SharePoint/OneDrive
  • Device management (if used): Intune
  • Security tooling (if used): Defender (Office 365, Endpoint, Cloud Apps), Purview (DLP)
  • Admin + monitoring: Unified Audit Log, M365 admin center, Entra admin center
Tip:
Evidence is easier when scope is clear.

The Evidence Mapping: SOC 2 Security → Microsoft 365 Proof

Below are the SOC 2 Security control areas auditors most commonly test, and the Microsoft 365 evidence you can pull for each.
Exact CC references vary by auditor, so this mapping is organized by control area and kept practical and defensible.

1) Security governance (policies, ownership, oversight)
What auditors ask
  • Do you have security policies approved by management?
  • Are responsibilities assigned and reviewed?
Microsoft 365 evidence
  • SharePoint policy library (InfoSec, Acceptable Use, Access Control, IR, Change Mgmt)
  • Approval/version control: approved PDFs, version history, review dates
  • Security role assignments: export of Global Admins and privileged roles
Strong proof:
quarterly management/security minutes referencing M365 posture + action tracker for improvements.
Common gaps:
policies outdated or unsigned; admin roles undocumented.

2) Identity and access control (largest M365 SOC 2 area)
What auditors ask
  • How do you prevent unauthorized access?
  • Is MFA enforced?
  • Is access removed when someone leaves?
Microsoft 365 evidence
  • Conditional Access policies (screenshots or exports)
  • MFA enforcement settings and proof of coverage
  • Entra sign-in logs (sample showing CA/MFA applied)
  • Joiner–Mover–Leaver samples: HR ticket → account → groups → access; termination → disable → revoke
  • Quarterly access reviews: admin role review + group membership review
Strong proof:
PIM (if used), break-glass accounts documented and monitored, admin restrictions stronger than normal users.
Common gaps:
MFA enabled but not enforced; too many Global Admins; no review cadence.
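An added example of collecting the identity evidence listed above with who/what/when context, written for this guide rather than taken from Canadian Cyber or Microsoft. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in account can read directory roles and Conditional Access policies, and the output folder is a placeholder you replace with your SharePoint-synced evidence pack path.

```powershell
# Added example (not from the original guide): export Entra ID privileged roles and
# Conditional Access policies as audit evidence with collector, tenant and UTC timestamp.
# Assumes Microsoft.Graph SDK; $EvidenceRoot is a placeholder path.
$EvidenceRoot = "C:\SOC2-Evidence\Identity_and_Access_Entra_ID"
$Stamp = (Get-Date).ToUniversalTime().ToString("yyyyMMdd-HHmmssZ")
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

Connect-MgGraph -Scopes "Directory.Read.All","Policy.Read.All" -NoWelcome
$Ctx = Get-MgContext

# 1) Privileged role membership: every activated directory role and its members.
$RoleRows = foreach ($role in Get-MgDirectoryRole) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role        = $role.DisplayName
            MemberId    = $m.Id
            MemberUPN   = $m.AdditionalProperties['userPrincipalName']
            MemberType  = $m.AdditionalProperties['@odata.type']
            CollectedAt = $Stamp
            CollectedBy = $Ctx.Account
            TenantId    = $Ctx.TenantId
        }
    }
}
$RoleRows | Export-Csv -NoTypeInformation -Path "$EvidenceRoot\PrivilegedRoles_$Stamp.csv"

# The question auditors ask first: how many Global Administrators?
$GaCount = @($RoleRows | Where-Object Role -eq 'Global Administrator').Count
Write-Host "Global Administrators: $GaCount (document each one and the review that approved it)"

# 2) Conditional Access policies: summary CSV plus full JSON for the exact conditions/grants.
$CaPolicies = Get-MgIdentityConditionalAccessPolicy -All
$CaPolicies | Select-Object Id, DisplayName, State, CreatedDateTime, ModifiedDateTime |
    Export-Csv -NoTypeInformation -Path "$EvidenceRoot\ConditionalAccess_Summary_$Stamp.csv"
$CaPolicies | ConvertTo-Json -Depth 10 |
    Set-Content -Path "$EvidenceRoot\ConditionalAccess_Full_$Stamp.json"

# Surface the common gap "MFA enabled but not enforced": report-only or disabled policies.
$CaPolicies | Where-Object State -ne 'enabled' |
    ForEach-Object { Write-Warning "CA policy '$($_.DisplayName)' is in state '$($_.State)'" }

# Collection context record so every export in the folder answers who/what/when.
[pscustomobject]@{ CollectedAt = $Stamp; CollectedBy = $Ctx.Account
                   TenantId = $Ctx.TenantId; Scopes = ($Ctx.Scopes -join ',') } |
    ConvertTo-Json | Set-Content -Path "$EvidenceRoot\CollectionContext_$Stamp.json"
```

Re-run the same script each quarter and keep every dated set; the unchanged script plus the dated files is what makes the export repeatable evidence rather than a one-off screenshot.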

3) Logical access to data (SharePoint/Teams/OneDrive permissions)
What auditors ask
  • How do you control access to sensitive data?
  • How do you prevent oversharing?
Microsoft 365 evidence
  • SharePoint site permission settings (screenshots)
  • External sharing configuration (tenant-level settings)
  • Sensitivity labels (if used)
  • DLP policies (if used)
  • Teams guest access settings
Strong proof:
periodic review of external sharing and guest users + a standard for who can create Teams/sites.
Common gaps:
anyone can share externally; guest users are not reviewed.

4) Security monitoring and logging
What auditors ask
  • Are logs collected and reviewed?
  • How do you detect suspicious activity?
Microsoft 365 evidence
  • Microsoft Purview Audit / Unified Audit Log enabled
  • Alert policies (if configured)
  • Defender alerts (if you use Defender)
  • Evidence of log review: checklist + tickets created from alerts
Strong proof:
a simple log review SOP (what, frequency, owner, escalation triggers).
Common gaps:
logs exist but no review evidence; escalation path unclear.

5) Incident response (account compromise scenarios)
What auditors ask
  • How do you respond to incidents?
  • How do you document severity and actions?
Microsoft 365 evidence
  • Incident Response Plan (approved)
  • Incident tickets showing: alert → containment → eradication → recovery
  • Post-incident review notes
Strong proof:
tabletop record for M365 scenarios (compromised admin, mass sharing, phishing through O365).
Common gaps:
incidents handled in chat and not recorded; no post-incident review evidence.

6) Change management (M365 config + access changes)
What auditors ask
  • Are changes authorized and tracked?
  • Do you prevent unauthorized configuration changes?
Microsoft 365 evidence
  • Admin audit logs showing configuration changes
  • Tickets/approvals for Conditional Access changes, role assignments, policy updates
  • Change samples: request → approval → implementation → validation
Strong proof:
limited admin roles + change approvals for security-impacting settings.
Common gaps:
admins make changes without tickets; no validation evidence after changes.
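An added example for the change-management evidence above, written for this guide and not taken from Canadian Cyber or Microsoft: it pulls Entra audit-log entries for Conditional Access and role-assignment changes over the review window so each one can be reconciled against an approved change ticket. It assumes the Microsoft.Graph SDK with AuditLog.Read.All, that the audit-log category names 'Policy' and 'RoleManagement' cover those changes (verify in your tenant), and a placeholder output path.

```powershell
# Added example (not from the original guide): export security-impacting Entra configuration
# changes for a review period, with an empty TicketRef column to fill in during reconciliation.
# Assumes Microsoft.Graph SDK; category names and $OutFile are assumptions/placeholders.
param(
    [int]$DaysBack = 90,                                                   # review window sample
    [string]$OutFile = "C:\SOC2-Evidence\Change_Management\ConfigChanges.csv"
)
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome
$Since = (Get-Date).AddDays(-$DaysBack).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Assumed categories: 'Policy' (Conditional Access edits) and 'RoleManagement' (role assignments).
$Categories = @('Policy', 'RoleManagement')
$Rows = foreach ($cat in $Categories) {
    $Filter = "activityDateTime ge $Since and category eq '$cat'"
    foreach ($e in Get-MgAuditLogDirectoryAudit -Filter $Filter -All) {
        # Changes made by an application/service principal have no user; record the app instead.
        $actor = $e.InitiatedBy.User.UserPrincipalName
        if (-not $actor) { $actor = "app:" + $e.InitiatedBy.App.DisplayName }
        [pscustomobject]@{
            When      = $e.ActivityDateTime.ToString("u")
            Who       = $actor
            What      = $e.ActivityDisplayName
            Category  = $e.Category
            Result    = $e.Result
            Target    = ($e.TargetResources | ForEach-Object { $_.DisplayName }) -join '; '
            TicketRef = ''   # filled in during review: approved ticket id, or "EXCEPTION" if none
        }
    }
}
$Rows | Sort-Object When | Export-Csv -NoTypeInformation -Path $OutFile
Write-Host "$(@($Rows).Count) configuration changes since $Since exported to $OutFile"
```

Any row still marked EXCEPTION after the review is an unauthorized change and belongs in the exception tracker with its follow-up, which is exactly the review evidence auditors look for.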

7) Risk management and vendor management (as it relates to M365)
What auditors ask
  • Do you assess risks that affect your system?
  • Do you manage vendors you rely on?
Microsoft 365 evidence
  • Risk register entries (account takeover, external sharing, admin privilege)
  • Vendor due diligence: Microsoft as a key vendor (reliance, review cadence, contract terms)
  • Configuration baseline review notes (what you checked, what changed)
Common gaps:
vendor management missing for “big vendors”; risks not tracked to actions.

The “SOC 2 M365 Evidence Pack” (copy this structure)

Create a SharePoint folder that mirrors the audit. Keep naming consistent.

/SOC2/Evidence/Security/
Governance_&_Policies/
Identity_&_Access_(Entra_ID)/
SharePoint_Teams_OneDrive_Access_Control/
Logging_&_Monitoring/
Incident_Response/
Change_Management/
Risk_&_Vendor_Management/
Training_&_Awareness/
Inside each folder, store: approved policies, exports/screenshots, ticket samples, review checklists, and meeting minutes.
Auditors love this because it reduces hunting.

M365-first SOC 2 evidence mapping (fastest win)
If you’re preparing for SOC 2 and you run on Microsoft 365, the fastest win is mapping controls to evidence before the audit begins.
Canadian Cyber vCISO support can deliver:
  • a SOC 2 Security control-to-evidence map for Microsoft 365
  • an audit-ready SharePoint evidence pack
  • a 30/60/90-day remediation plan for gaps
  • tabletop exercise evidence for Type II readiness

Common mistakes in Microsoft 365 SOC 2 audits (avoid these)

  • Screenshots with no context (auditors need who/what/when)
  • MFA partially enforced (admins first)
  • No proof of periodic reviews (access, guests, logs)
  • Incidents not documented (even minor ones)
  • Change management missing for M365 configuration changes

FAQ: SOC 2 in Microsoft 365

Quick answers
Do we need E5 to pass SOC 2?
Not necessarily. SOC 2 is about controls and evidence. Strong governance and consistent processes matter most. Higher licensing can make evidence easier, but it is not required.
Is Microsoft responsible for security?
Microsoft secures the cloud platform. You are responsible for configuration, access, sharing, and how you use the services. That’s where auditors focus.
Type I or Type II first?
Many teams start with Type I and then move to Type II. Your timeline depends on whether you already have evidence over time.

Download the SOC 2 M365 Evidence Checklist
Want a checklist you can hand to IT and Security? Use this to collect evidence without scrambling.
Includes:
  • evidence items by control area
  • sample ticket templates for changes and incidents
  • review cadence tracker (weekly/monthly/quarterly)
  • suggested exports/screenshots from Microsoft 365

© 2026 Canadian Cyber. All rights reserved.