Domain 4 of 4 · Chapter 1 of 4

Service Trust Portal and Privacy

Two directions of trust

Ask one question of everything in this domain and it sorts itself: is this about whether you can trust Microsoft, or about the duties you owe your own users? That single question splits the page cleanly in two.

Microsoft's obligations to you

When you move data into a cloud you do not run, you need proof the provider handles it well. Microsoft publishes that proof in two forms. The Service Trust Portal[1] is where independent auditors' reports and compliance documents live, and the privacy principles[2] are the contractual commitments Microsoft makes about how it treats your data. Both flow one way, from Microsoft to you. You read them; you do not configure them.

Your obligations to your users

The moment you hold other people's personal data, privacy law makes you responsible for it. Microsoft Priva[3] is the product you operate to meet that responsibility, finding personal data in your Microsoft 365 environment and reducing the privacy risks around it. A related surface, Purview Compliance Manager, measures how well your tenant meets its regulatory obligations overall, and has its own subtopic (Purview compliance management).

The trap the exam sets is direction. The Service Trust Portal and Compliance Manager both deal with compliance, but one shows you Microsoft's evidence and the other measures your posture. Priva and the privacy principles both concern privacy, but one is a tool you run and the other is a promise Microsoft makes. Read every stem for who owns the obligation before you pick a service.

Two directions of trustMicrosoft's obligations to youprove Microsoft deserves trustService Trust Portalread Microsoft's audit evidencePrivacy principlesMicrosoft's commitments about your dataYour obligations to your usersmanage the data you holdMicrosoft Privafind and reduce privacy riskPurview Compliance Managermeasure your tenant's posture
Two directions of trust: the Service Trust Portal and privacy principles are Microsoft's obligations to you; Priva and Compliance Manager are your obligations to your users.

The Service Trust Portal

The Service Trust Portal (STP) is Microsoft's public site for publishing audit reports and other compliance information about its cloud services Get started with the Service Trust Portal[1]. Think of it as Microsoft's evidence locker: external auditors examine Microsoft 365, Azure, and Dynamics 365, and their findings are posted here for you to download.

What you find there

STP groups its content into a few areas:

  • Certifications, regulations, and standards. The independent audit artifacts: ISO/IEC (including ISO/IEC 27001 and the cloud-privacy code ISO/IEC 27018), SOC 1, SOC 2, and SOC 3 reports, FedRAMP, PCI DSS, CSA STAR, and national schemes.
  • Reports, whitepapers, and artifacts. Penetration-test attestations, business-continuity and disaster-recovery documents, privacy and data protection material, and FAQs.
  • Industry and regional resources. Guidance scoped to sectors such as financial services, healthcare, and government, and to specific regions.
  • Resources for your organization. Documents restricted to your tenant, based on your subscription and role.

A My Library feature lets you save documents and be notified when a newer version is published, so you can track the reports that matter to you Get started with the Service Trust Portal[1].

Access, and the portal it is not

Anyone can browse, but downloading many documents requires signing in with a Microsoft Entra organization account and accepting a non-disclosure agreement, and some restricted documents need a role such as Compliance Administrator or Security Reader Get started with the Service Trust Portal[1].

Here is the distinction the exam leans on hardest. The Service Trust Portal is where you read Microsoft's compliance evidence. The Microsoft Purview portal is where you do compliance work on your own tenant: run Compliance Manager, configure policies, review your score. Same word, compliance, opposite roles. If a stem asks where to obtain Microsoft's SOC or ISO report, the answer is the Service Trust Portal, never Compliance Manager or the Purview portal.

Service Trust PortalCertifications& standardsISO/IEC, SOC 1/2/3FedRAMP, PCI DSSCSA STAR, GDPRReports &whitepapersPen-test attestationsPrivacy & data protectionBCP/DR, FAQsIndustry &regionalFinancial, healthcareGovernment, mediaRegional complianceResources foryour organizationScoped to your tenantBy subscription & role
Service Trust Portal content: certifications and standards, reports and whitepapers, industry and regional resources, and tenant-scoped documents.

Microsoft's four privacy principles

Microsoft's privacy principles are the commitments it makes about how it handles the data you place in its commercial cloud. The current documentation groups that commitment into four areas SC-900: Microsoft's privacy principles[2]:

  • You control your data. Your data belongs to you. You can access, modify, or delete it, and Microsoft will not use it without your agreement. Microsoft does not use your data for advertising or mine it for marketing research, and any subprocessor it engages is bound by the same commitments.
  • You know where your data is located. Microsoft offers data residency options and is transparent about where your data is stored and processed, so you can meet geographic requirements.
  • Your data is secured at rest and in transit. Microsoft applies strong encryption, up to AES-256 for data at rest and industry-standard protocols such as TLS and IPsec in transit, with keys you can control through services like Azure Key Vault.
  • Microsoft defends your data. Microsoft directs government requests for your data to you, gives no government direct or unfettered access, and challenges demands in court where it can lawfully do so Privacy and data management overview[4].

These are contractual promises, grounded in the Product Terms and the Data Protection Addendum and validated by third-party audits such as ISO/IEC 27018 and ISO/IEC 27701, not a product you turn on Privacy and data management overview[4]. Hold that difference: the principles describe what Microsoft will do, while the next section covers Priva, the product you run on your own data.

Microsoft Priva

Everything so far pointed from Microsoft to you. Microsoft Priva points the other way: it is the product you operate on your own tenant to manage the personal data you hold Learn about Microsoft Priva[3]. Privacy regulations such as the GDPR give individuals rights over their personal data and make your organization accountable for it, so you first need to know what personal data you have and where the risks are.

Priva Privacy Risk Management

Priva's Privacy Risk Management solution gives you visibility into the personal data across your Microsoft 365 services, Exchange Online, SharePoint, OneDrive for Business, and Teams, identifying it with the same data classifications and sensitive information types that underpin Microsoft Purview Learn about Microsoft Priva[3]. It then flags privacy risks through built-in policy templates Priva Privacy Risk Management[5]:

  • Data minimization, to find and reduce personal data your organization keeps but no longer needs.
  • Data overexposure, to catch personal data that is accessible to too many people.
  • Data transfers, to spot personal data moving across departments or regional borders.

When a policy matches, Priva raises an alert and offers remediation such as making an item private, notifying its owner, or tagging it for review Priva Privacy Risk Management[5]. Priva evaluates only data inside your Microsoft 365 environment and sources you register through Purview; it does not reach a user's personal account. Do not confuse it with Purview's information protection tools, sensitivity labels, data loss prevention, and retention (information protection and governance), which classify and protect data broadly. Priva is specifically about privacy risk in personal data.

From finding data to answering a request

Knowing where personal data lives is what lets you answer a data subject request (DSR, also called a subject rights request), an individual's demand to see, correct, export, or delete the personal data you hold on them under laws like the GDPR Data Subject Requests[6]. The lifecycle is the same everywhere: someone submits a request, you locate their personal data in Microsoft 365, review and collate the matches, decide what to include and redact the rest, then respond by producing, correcting, or deleting it. Locating and producing that data across Microsoft 365 is handled with Microsoft Purview eDiscovery Microsoft Purview eDiscovery[7], covered in the insider risk, eDiscovery, and audit subtopic. Keep the division of labor the exam tests: Priva finds personal data and reduces its risk across your tenant, while Purview eDiscovery locates and produces one individual's data to satisfy a request.

1Submita data subject request2Locatedata in Microsoft 3653Reviewand collate matches4Decideand redact content5Respondproduce, correct, delete
The data subject request lifecycle, fulfilled with Microsoft Purview eDiscovery.

Exam-pattern recognition

These topics appear as short which-surface and privacy-versus-security questions. Anchor on direction and on who owns the data.

Where is Microsoft's audit report? The Service Trust Portal. If a stem asks for Microsoft's SOC 2, ISO/IEC certificate, or FedRAMP documentation, it is STP, not Compliance Manager and not the Purview portal.

Where do I measure my own compliance? Microsoft Purview Compliance Manager, which scores your tenant and lists improvement actions (its own Purview compliance management subtopic). STP shows Microsoft's evidence; Compliance Manager measures yours.

Which product finds personal data and privacy risk in my Microsoft 365? Microsoft Priva, through Privacy Risk Management. Purview information protection labels and protects data broadly; Priva is about privacy risk in personal data specifically.

Privacy or security? Privacy is the appropriate handling of personal data and the rights people have over it; security is protecting data from unauthorized access. A stem about consent, data subject rights, or personal-data handling is privacy; a stem about blocking attackers is security. The security and compliance concepts subtopic defines the split.

Name the four privacy principles. You control your data; you know where it is located; it is secured at rest and in transit; Microsoft defends it. If an option offers a fifth principle that is really a product feature, it is a distractor.

Where a compliance question goes: three surfaces

Question you are answeringService Trust PortalPurview Compliance ManagerMicrosoft Priva
Whose data or obligationMicrosoft's, shown to youYour tenant's compliance postureYour users' personal data you hold
Direction of trustMicrosoft's obligations to youYour obligations, measuredYour obligations to your users
What you do thereRead and download audit evidenceScore and improve complianceFind and remediate privacy risk
Example artifactSOC 2 report, ISO certificateImprovement actions, compliance scoreData overexposure policy, alerts
Read or actRead onlyAct on your tenantAct on your data

Decision tree

About Microsoft's cloud,or your own tenant?Microsoft's cloudYour own tenantDownloadable evidence,or commitments?Compliance posture,or personal data?Audit reportsCommitmentsPosturePersonal dataService Trust PortalSOC, ISO, FedRAMP reportsMicrosoft's privacyprinciples (commitments)Purview ComplianceManager (your score)Microsoft Privafind personal data risk

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

The Service Trust Portal is Microsoft's audit evidence library, not your workspace

The Service Trust Portal (STP) is where Microsoft publishes the independent audit reports and compliance documentation for its cloud services, so you can download SOC 1, SOC 2, and SOC 3 reports, ISO/IEC certifications, FedRAMP and PCI DSS attestations, and Microsoft whitepapers. You go there to read evidence about Microsoft, not to configure anything on your tenant. If a question asks where to obtain Microsoft's SOC or ISO report, the answer is STP.

Trap Reaching for Microsoft Purview Compliance Manager to download Microsoft's SOC or ISO report; Compliance Manager measures your own tenant, it does not hand you Microsoft's audit artifacts.

7 questions test this
Read Microsoft's evidence in STP; do your own compliance in the Purview portal

The Service Trust Portal and the Microsoft Purview portal both say compliance but sit on opposite sides. STP is read-only evidence about Microsoft's cloud. The Microsoft Purview portal is where you act on your own tenant: run Compliance Manager, configure policies, and review your compliance score. Match the verb in the stem: obtain or download Microsoft's report points to STP, while assess, configure, or improve your posture points to the Purview portal.

Trap Assuming you configure your organization's compliance in the Service Trust Portal; STP is read-only Microsoft evidence, and tenant compliance work happens in the Microsoft Purview portal.

STP sorts its content into certifications, reports, industry, and org resources

STP organizes documents into a few areas: certifications, regulations, and standards (the ISO/IEC, SOC, FedRAMP, PCI DSS, and CSA STAR artifacts), reports and whitepapers (penetration-test attestations, privacy and data protection material, business continuity and disaster recovery), industry and regional resources, and resources scoped to your own organization. Knowing the buckets helps you locate the right evidence quickly.

4 questions test this
Downloading many STP documents needs an Entra account, and some need a role

Anyone can browse the Service Trust Portal, but downloading many documents requires signing in with a Microsoft Entra organization account and accepting a non-disclosure agreement for compliance materials. Restricted documents need a specific role such as Compliance Administrator or Security Reader. STP is public-facing but gated for its most sensitive audit content.

4 questions test this
Know Microsoft's four privacy principles by name

Microsoft frames its privacy commitment to commercial customers as four areas: you control your data, you know where your data is located, your data is secured at rest and in transit, and Microsoft defends your data. These are contractual commitments backed by the Product Terms and the Data Protection Addendum, not a product you configure.

Trap Picking an option that lists a fifth principle which is actually a product feature or a security control; the privacy principles are these four commitments, not a Priva feature or a portal setting.

You control your data means Microsoft will not mine it for advertising

Under the control-your-data principle, your data belongs to you: you can access, modify, or delete it, and Microsoft uses it only to provide the services you chose. Microsoft does not use your data for advertising or mine it for marketing research, and any subprocessor it engages is bound by the same commitments. This is the principle often paraphrased as no content-based advertising.

2 questions test this
Microsoft defends your data by directing government requests to you

Under the defend-your-data principle, Microsoft directs government and law-enforcement requests for your data to you rather than answering them itself, gives no government direct or unfettered access, and challenges demands in court where it can lawfully do so. It is a commitment about how Microsoft responds to third-party and government access attempts.

Microsoft Priva is a product you run on your own data, unlike STP and the principles

STP and the privacy principles describe Microsoft's obligations to you; Microsoft Priva flips the direction. Priva is the product your organization operates to manage the personal data it holds, meeting your privacy obligations to your own users. When a stem is about finding or reducing risk in personal data you store, the answer is Priva, not a Microsoft-published document.

Trap Treating Priva as something Microsoft runs to protect its own cloud; Priva acts on your tenant's personal data and is your responsibility to operate.

Priva Privacy Risk Management flags overexposure, transfers, and hoarding

Priva's Privacy Risk Management solution gives visibility into personal data across your Microsoft 365 services and flags privacy risk using built-in policy templates: data minimization (personal data kept but no longer needed), data overexposure (personal data open to too many people), and data transfers (personal data crossing departments or borders). On a match it raises an alert and offers remediation such as making an item private, notifying the owner, or tagging it for review.

12 questions test this
Priva only evaluates personal data inside your Microsoft 365 environment

Priva scans personal data in your organization's Microsoft 365 services (Exchange Online, SharePoint, OneDrive for Business, and Teams) plus sources you register through Microsoft Purview, using Purview's data classifications and sensitive information types to identify it. It does not reach a user's personal Microsoft account or arbitrary systems outside your tenant.

Trap Assuming Priva can scan a user's personal Microsoft account or data outside Microsoft 365; Priva is limited to your organization's Microsoft 365 environment and Purview-registered sources.

3 questions test this
A data subject request is a person's demand to see or delete their personal data

A data subject request (DSR), also called a subject rights request, is an individual's request to access, correct, export, or delete the personal data an organization holds on them, a right granted by privacy laws such as the GDPR. Handling one obliges the organization to first find that person's personal data, then decide what to produce, redact, correct, or erase.

Priva finds privacy risk; Purview eDiscovery produces one person's data for a DSR

Keep the division of labor: Priva finds and reduces privacy risk across your tenant's personal data, while locating and producing one individual's data to satisfy a data subject request is done with Microsoft Purview eDiscovery. A stem about responding to a specific DSR points to eDiscovery, not to Priva's risk policies.

Trap Choosing Priva Privacy Risk Management to fulfil a specific data subject request end to end; Priva surfaces privacy risk, but eDiscovery is what locates and exports one individual's data.

Priva measures privacy risk in data; Compliance Manager measures your compliance posture

Priva and Compliance Manager both concern your own obligations but answer different questions. Priva finds and reduces privacy risk in the personal data you hold. Purview Compliance Manager scores how well your tenant meets regulatory requirements overall and lists improvement actions. A personal-data privacy stem points to Priva, while an overall compliance score points to Compliance Manager.

Trap Reaching for Compliance Manager to find and remediate personal data overexposure; that is Priva's job, while Compliance Manager tracks your overall compliance score, not personal-data risk.

Priva targets privacy risk in personal data, not broad data classification

Do not confuse Priva with Purview's information protection tools. Sensitivity labels, data loss prevention, and retention classify and protect data of all kinds across the tenant. Priva is narrower and privacy-specific: it surfaces privacy risk in personal data and drives remediation. A stem about labeling or blocking data broadly is information protection, while a stem about personal-data privacy risk is Priva.

Trap Reaching for sensitivity labels or DLP to run a data minimization or overexposure policy on personal data; those broad protection tools are not Priva's privacy risk policies.

Also tested in

References

  1. Get started with the Microsoft Service Trust Portal
  2. SC-900: Describe Microsoft's privacy principles
  3. Learn about Microsoft Priva
  4. Privacy and data management overview (Microsoft Service Assurance)
  5. Learn about Priva Privacy Risk Management
  6. Data Subject Requests for the GDPR and CCPA
  7. Learn about Microsoft Purview eDiscovery