Service Trust Portal and Privacy
Two directions of trust
Ask one question of everything in this domain and it sorts itself: is this about whether you can trust Microsoft, or about the duties you owe your own users? That single question splits the page cleanly in two.
Microsoft's obligations to you
When you move data into a cloud you do not run, you need proof the provider handles it well. Microsoft publishes that proof in two forms. The Service Trust Portal[1] is where independent auditors' reports and compliance documents live, and the privacy principles[2] are the contractual commitments Microsoft makes about how it treats your data. Both flow one way, from Microsoft to you. You read them; you do not configure them.
Your obligations to your users
The moment you hold other people's personal data, privacy law makes you responsible for it. Microsoft Priva[3] is the product you operate to meet that responsibility, finding personal data in your Microsoft 365 environment and reducing the privacy risks around it. A related surface, Purview Compliance Manager, measures how well your tenant meets its regulatory obligations overall, and has its own subtopic (Purview compliance management).
The trap the exam sets is direction. The Service Trust Portal and Compliance Manager both deal with compliance, but one shows you Microsoft's evidence and the other measures your posture. Priva and the privacy principles both concern privacy, but one is a tool you run and the other is a promise Microsoft makes. Read every stem for who owns the obligation before you pick a service.
The Service Trust Portal
The Service Trust Portal (STP) is Microsoft's public site for publishing audit reports and other compliance information about its cloud services Get started with the Service Trust Portal[1]. Think of it as Microsoft's evidence locker: external auditors examine Microsoft 365, Azure, and Dynamics 365, and their findings are posted here for you to download.
What you find there
STP groups its content into a few areas:
- Certifications, regulations, and standards. The independent audit artifacts: ISO/IEC (including ISO/IEC 27001 and the cloud-privacy code ISO/IEC 27018), SOC 1, SOC 2, and SOC 3 reports, FedRAMP, PCI DSS, CSA STAR, and national schemes.
- Reports, whitepapers, and artifacts. Penetration-test attestations, business-continuity and disaster-recovery documents, privacy and data protection material, and FAQs.
- Industry and regional resources. Guidance scoped to sectors such as financial services, healthcare, and government, and to specific regions.
- Resources for your organization. Documents restricted to your tenant, based on your subscription and role.
A My Library feature lets you save documents and be notified when a newer version is published, so you can track the reports that matter to you Get started with the Service Trust Portal[1].
Access, and the portal it is not
Anyone can browse, but downloading many documents requires signing in with a Microsoft Entra organization account and accepting a non-disclosure agreement, and some restricted documents need a role such as Compliance Administrator or Security Reader Get started with the Service Trust Portal[1].
Here is the distinction the exam leans on hardest. The Service Trust Portal is where you read Microsoft's compliance evidence. The Microsoft Purview portal is where you do compliance work on your own tenant: run Compliance Manager, configure policies, review your score. Same word, compliance, opposite roles. If a stem asks where to obtain Microsoft's SOC or ISO report, the answer is the Service Trust Portal, never Compliance Manager or the Purview portal.
Microsoft's four privacy principles
Microsoft's privacy principles are the commitments it makes about how it handles the data you place in its commercial cloud. The current documentation groups that commitment into four areas SC-900: Microsoft's privacy principles[2]:
- You control your data. Your data belongs to you. You can access, modify, or delete it, and Microsoft will not use it without your agreement. Microsoft does not use your data for advertising or mine it for marketing research, and any subprocessor it engages is bound by the same commitments.
- You know where your data is located. Microsoft offers data residency options and is transparent about where your data is stored and processed, so you can meet geographic requirements.
- Your data is secured at rest and in transit. Microsoft applies strong encryption, up to AES-256 for data at rest and industry-standard protocols such as TLS and IPsec in transit, with keys you can control through services like Azure Key Vault.
- Microsoft defends your data. Microsoft directs government requests for your data to you, gives no government direct or unfettered access, and challenges demands in court where it can lawfully do so Privacy and data management overview[4].
These are contractual promises, grounded in the Product Terms and the Data Protection Addendum and validated by third-party audits such as ISO/IEC 27018 and ISO/IEC 27701, not a product you turn on Privacy and data management overview[4]. Hold that difference: the principles describe what Microsoft will do, while the next section covers Priva, the product you run on your own data.
Microsoft Priva
Everything so far pointed from Microsoft to you. Microsoft Priva points the other way: it is the product you operate on your own tenant to manage the personal data you hold Learn about Microsoft Priva[3]. Privacy regulations such as the GDPR give individuals rights over their personal data and make your organization accountable for it, so you first need to know what personal data you have and where the risks are.
Priva Privacy Risk Management
Priva's Privacy Risk Management solution gives you visibility into the personal data across your Microsoft 365 services, Exchange Online, SharePoint, OneDrive for Business, and Teams, identifying it with the same data classifications and sensitive information types that underpin Microsoft Purview Learn about Microsoft Priva[3]. It then flags privacy risks through built-in policy templates Priva Privacy Risk Management[5]:
- Data minimization, to find and reduce personal data your organization keeps but no longer needs.
- Data overexposure, to catch personal data that is accessible to too many people.
- Data transfers, to spot personal data moving across departments or regional borders.
When a policy matches, Priva raises an alert and offers remediation such as making an item private, notifying its owner, or tagging it for review Priva Privacy Risk Management[5]. Priva evaluates only data inside your Microsoft 365 environment and sources you register through Purview; it does not reach a user's personal account. Do not confuse it with Purview's information protection tools, sensitivity labels, data loss prevention, and retention (information protection and governance), which classify and protect data broadly. Priva is specifically about privacy risk in personal data.
From finding data to answering a request
Knowing where personal data lives is what lets you answer a data subject request (DSR, also called a subject rights request), an individual's demand to see, correct, export, or delete the personal data you hold on them under laws like the GDPR Data Subject Requests[6]. The lifecycle is the same everywhere: someone submits a request, you locate their personal data in Microsoft 365, review and collate the matches, decide what to include and redact the rest, then respond by producing, correcting, or deleting it. Locating and producing that data across Microsoft 365 is handled with Microsoft Purview eDiscovery Microsoft Purview eDiscovery[7], covered in the insider risk, eDiscovery, and audit subtopic. Keep the division of labor the exam tests: Priva finds personal data and reduces its risk across your tenant, while Purview eDiscovery locates and produces one individual's data to satisfy a request.
Exam-pattern recognition
These topics appear as short which-surface and privacy-versus-security questions. Anchor on direction and on who owns the data.
Where is Microsoft's audit report? The Service Trust Portal. If a stem asks for Microsoft's SOC 2, ISO/IEC certificate, or FedRAMP documentation, it is STP, not Compliance Manager and not the Purview portal.
Where do I measure my own compliance? Microsoft Purview Compliance Manager, which scores your tenant and lists improvement actions (its own Purview compliance management subtopic). STP shows Microsoft's evidence; Compliance Manager measures yours.
Which product finds personal data and privacy risk in my Microsoft 365? Microsoft Priva, through Privacy Risk Management. Purview information protection labels and protects data broadly; Priva is about privacy risk in personal data specifically.
Privacy or security? Privacy is the appropriate handling of personal data and the rights people have over it; security is protecting data from unauthorized access. A stem about consent, data subject rights, or personal-data handling is privacy; a stem about blocking attackers is security. The security and compliance concepts subtopic defines the split.
Name the four privacy principles. You control your data; you know where it is located; it is secured at rest and in transit; Microsoft defends it. If an option offers a fifth principle that is really a product feature, it is a distractor.
Where a compliance question goes: three surfaces
| Question you are answering | Service Trust Portal | Purview Compliance Manager | Microsoft Priva |
|---|---|---|---|
| Whose data or obligation | Microsoft's, shown to you | Your tenant's compliance posture | Your users' personal data you hold |
| Direction of trust | Microsoft's obligations to you | Your obligations, measured | Your obligations to your users |
| What you do there | Read and download audit evidence | Score and improve compliance | Find and remediate privacy risk |
| Example artifact | SOC 2 report, ISO certificate | Improvement actions, compliance score | Data overexposure policy, alerts |
| Read or act | Read only | Act on your tenant | Act on your data |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- The Service Trust Portal is Microsoft's audit evidence library, not your workspace
The Service Trust Portal (STP) is where Microsoft publishes the independent audit reports and compliance documentation for its cloud services, so you can download SOC 1, SOC 2, and SOC 3 reports, ISO/IEC certifications, FedRAMP and PCI DSS attestations, and Microsoft whitepapers. You go there to read evidence about Microsoft, not to configure anything on your tenant. If a question asks where to obtain Microsoft's SOC or ISO report, the answer is STP.
Trap Reaching for Microsoft Purview Compliance Manager to download Microsoft's SOC or ISO report; Compliance Manager measures your own tenant, it does not hand you Microsoft's audit artifacts.
7 questions test this
- Which type of content can you download from the Service Trust Portal?
- The Service Trust Portal provides independent audit reports that are organized by the standard under which they were issued. Which of the…
- Which statement best describes the purpose of the Microsoft Service Trust Portal?
- How does the content available on the Service Trust Portal help an organization?
- What types of documents can users download from the Microsoft Service Trust Portal?
- Your compliance team needs to download SOC and ISO/IEC audit reports produced by independent external auditors for Microsoft's cloud…
- An auditor at your organization wants to obtain independent third-party attestation reports for Microsoft cloud services. Which types of…
- Read Microsoft's evidence in STP; do your own compliance in the Purview portal
The Service Trust Portal and the Microsoft Purview portal both say compliance but sit on opposite sides. STP is read-only evidence about Microsoft's cloud. The Microsoft Purview portal is where you act on your own tenant: run Compliance Manager, configure policies, and review your compliance score. Match the verb in the stem: obtain or download Microsoft's report points to STP, while assess, configure, or improve your posture points to the Purview portal.
Trap Assuming you configure your organization's compliance in the Service Trust Portal; STP is read-only Microsoft evidence, and tenant compliance work happens in the Microsoft Purview portal.
- STP sorts its content into certifications, reports, industry, and org resources
STP organizes documents into a few areas: certifications, regulations, and standards (the ISO/IEC, SOC, FedRAMP, PCI DSS, and CSA STAR artifacts), reports and whitepapers (penetration-test attestations, privacy and data protection material, business continuity and disaster recovery), industry and regional resources, and resources scoped to your own organization. Knowing the buckets helps you locate the right evidence quickly.
4 questions test this
- Which of the following is a category of documentation available on the Service Trust Portal?
- Which types of content are available in the Certifications, Regulations, and Standards section of the Microsoft Service Trust Portal?
- Which type of content can you obtain from the Microsoft Service Trust Portal?
- Besides third-party audit reports, what additional type of resource can be found on the Service Trust Portal?
- Downloading many STP documents needs an Entra account, and some need a role
Anyone can browse the Service Trust Portal, but downloading many documents requires signing in with a Microsoft Entra organization account and accepting a non-disclosure agreement for compliance materials. Restricted documents need a specific role such as Compliance Administrator or Security Reader. STP is public-facing but gated for its most sensitive audit content.
4 questions test this
- What is required to access restricted documents, such as audit reports, on the Microsoft Service Trust Portal?
- Your security team wants to access restricted audit reports on the Service Trust Portal. What is required before they can download these…
- What type of account is required to sign in and access resources on the Service Trust Portal?
- What must users review and accept to access certain compliance materials on the Service Trust Portal?
- Know Microsoft's four privacy principles by name
Microsoft frames its privacy commitment to commercial customers as four areas: you control your data, you know where your data is located, your data is secured at rest and in transit, and Microsoft defends your data. These are contractual commitments backed by the Product Terms and the Data Protection Addendum, not a product you configure.
Trap Picking an option that lists a fifth principle which is actually a product feature or a security control; the privacy principles are these four commitments, not a Priva feature or a portal setting.
- You control your data means Microsoft will not mine it for advertising
Under the control-your-data principle, your data belongs to you: you can access, modify, or delete it, and Microsoft uses it only to provide the services you chose. Microsoft does not use your data for advertising or mine it for marketing research, and any subprocessor it engages is bound by the same commitments. This is the principle often paraphrased as no content-based advertising.
- Microsoft defends your data by directing government requests to you
Under the defend-your-data principle, Microsoft directs government and law-enforcement requests for your data to you rather than answering them itself, gives no government direct or unfettered access, and challenges demands in court where it can lawfully do so. It is a commitment about how Microsoft responds to third-party and government access attempts.
- Microsoft Priva is a product you run on your own data, unlike STP and the principles
STP and the privacy principles describe Microsoft's obligations to you; Microsoft Priva flips the direction. Priva is the product your organization operates to manage the personal data it holds, meeting your privacy obligations to your own users. When a stem is about finding or reducing risk in personal data you store, the answer is Priva, not a Microsoft-published document.
Trap Treating Priva as something Microsoft runs to protect its own cloud; Priva acts on your tenant's personal data and is your responsibility to operate.
- Priva Privacy Risk Management flags overexposure, transfers, and hoarding
Priva's Privacy Risk Management solution gives visibility into personal data across your Microsoft 365 services and flags privacy risk using built-in policy templates: data minimization (personal data kept but no longer needed), data overexposure (personal data open to too many people), and data transfers (personal data crossing departments or borders). On a match it raises an alert and offers remediation such as making an item private, notifying the owner, or tagging it for review.
12 questions test this
- Which set of default policy templates is provided by Microsoft Priva Privacy Risk Management?
- Which Microsoft Priva Privacy Risk Management policy template can detect personal data that is stored for longer than your organization…
- You want to be alerted when personal data is moved between users in different regions or across departmental boundaries. Which Microsoft…
- Your organization wants to detect situations where personal data is being kept longer than necessary so that it can reduce unnecessary…
- Which capability is provided by the Privacy Risk Management solution in Microsoft Priva?
- What is a key benefit of using Microsoft Priva Privacy Risk Management?
- What is the primary function of the Privacy Risk Management solution in Microsoft Priva?
- In Microsoft Priva Privacy Risk Management, what action can a policy take to help employees remediate privacy issues with the data they…
- Which policy type in Priva Privacy Risk Management helps detect situations where personal data stored by your organization is too broadly…
- In Microsoft Priva Privacy Risk Management, what is the purpose of the data transfers policy template?
- Which statement best describes Microsoft Priva Privacy Risk Management policies?
- Which task can you accomplish by using Microsoft Priva?
- Priva only evaluates personal data inside your Microsoft 365 environment
Priva scans personal data in your organization's Microsoft 365 services (Exchange Online, SharePoint, OneDrive for Business, and Teams) plus sources you register through Microsoft Purview, using Purview's data classifications and sensitive information types to identify it. It does not reach a user's personal Microsoft account or arbitrary systems outside your tenant.
Trap Assuming Priva can scan a user's personal Microsoft account or data outside Microsoft 365; Priva is limited to your organization's Microsoft 365 environment and Purview-registered sources.
3 questions test this
- A data subject request is a person's demand to see or delete their personal data
A data subject request (DSR), also called a subject rights request, is an individual's request to access, correct, export, or delete the personal data an organization holds on them, a right granted by privacy laws such as the GDPR. Handling one obliges the organization to first find that person's personal data, then decide what to produce, redact, correct, or erase.
- Priva finds privacy risk; Purview eDiscovery produces one person's data for a DSR
Keep the division of labor: Priva finds and reduces privacy risk across your tenant's personal data, while locating and producing one individual's data to satisfy a data subject request is done with Microsoft Purview eDiscovery. A stem about responding to a specific DSR points to eDiscovery, not to Priva's risk policies.
Trap Choosing Priva Privacy Risk Management to fulfil a specific data subject request end to end; Priva surfaces privacy risk, but eDiscovery is what locates and exports one individual's data.
- Priva measures privacy risk in data; Compliance Manager measures your compliance posture
Priva and Compliance Manager both concern your own obligations but answer different questions. Priva finds and reduces privacy risk in the personal data you hold. Purview Compliance Manager scores how well your tenant meets regulatory requirements overall and lists improvement actions. A personal-data privacy stem points to Priva, while an overall compliance score points to Compliance Manager.
Trap Reaching for Compliance Manager to find and remediate personal data overexposure; that is Priva's job, while Compliance Manager tracks your overall compliance score, not personal-data risk.
- Priva targets privacy risk in personal data, not broad data classification
Do not confuse Priva with Purview's information protection tools. Sensitivity labels, data loss prevention, and retention classify and protect data of all kinds across the tenant. Priva is narrower and privacy-specific: it surfaces privacy risk in personal data and drives remediation. A stem about labeling or blocking data broadly is information protection, while a stem about personal-data privacy risk is Priva.
Trap Reaching for sensitivity labels or DLP to run a data minimization or overexposure policy on personal data; those broad protection tools are not Priva's privacy risk policies.
Also tested in
References
- Get started with the Microsoft Service Trust Portal
- SC-900: Describe Microsoft's privacy principles
- Learn about Microsoft Priva
- Privacy and data management overview (Microsoft Service Assurance)
- Learn about Priva Privacy Risk Management
- Data Subject Requests for the GDPR and CCPA
- Learn about Microsoft Purview eDiscovery