Showcase Sample Chat
What are the exceptions and management responses in the report?
The SOC 2 Type II report for Azure, Dynamics 365, and Online Services identifies several key exceptions, along with management's responses to these issues:
- Control ID OA - 15: This control pertains to the rotation of passwords for Azure network devices. The exception noted was that 28 out of 39 sampled network devices had not had their passwords rotated as per the defined cadence in the documented procedures. Management's response emphasized their commitment to implementing a process for rotating passwords, monitoring, detecting, and remediating issues that cause failures in the automated workflow for password rotation. They also noted that the affected accounts could only be accessed when the central authentication system is down, and thus deemed that there was no risk as a result of this exception.
- Control ID OA - 20: This control involves generating alerts when a break-glass account is used to access a production subscription. The exception noted was that for two of four production domains containing break-glass accounts, the configuration for alert generation was not in place for a portion of the period from April 1, 2022, to September 30, 2022. Management reviewed access logs for the impacted period and verified that break-glass usage was limited and monitored. They confirmed that for one of the domains, break-glass usage was limited, and for the other, there were no instances of break-glass access. Management also stated that they have multiple controls in place to address the risk of unauthorized changes to production through break-glass access, and that alerting for these domains is now enabled.
- Control ID DS - 1: This control deals with the secure storage and periodic rotation of cryptographic certificates, keys, and customer access keys used for communication between Azure services and other internal components. The exception was that two of 26 sampled secrets were not rotated as per the defined secret rotation cadence. Management responded by either deleting the secret or rotating the password of the secret, ensuring access is restricted to authorized personnel and stored in an encrypted format. They also conducted a review over all their secrets and rotated them as needed.
- Control ID LA - 7: This control relates to enforcing quotas on Azure services as configured by service administrators to prevent availability-related issues. The exception noted was that quota restrictions for two of 19 sampled offerings were not configured as per the defined limits. Management responded that the quota restrictions were not functioning as expected due to a bug, which has since been resolved. They also mentioned that there were no service outages or capacity issues with the offerings caused by the bug, and that monitoring mechanisms are in place to detect if resources cannot be created due to capacity constraints. As such, management deemed there was no risk as a result of this exception.
These responses demonstrate management's commitment to addressing identified exceptions and maintaining the integrity and security of their services.
What are the listed complementary user entity controls?
The SOC 2 Type II report for Azure, Dynamics 365, and Online Services outlines a comprehensive list of complementary user entity controls that customers are responsible for implementing. These responsibilities are assumed by Microsoft to be in place but are not required to meet the criteria of the report. Customers and other interested parties should ensure they have established sufficient controls in these areas:
- Managing compliance with applicable laws/regulations.
- Establishing controls over the use of Microsoft Accounts and passwords.
- Disabling/deleting account access to Azure services upon employee/contractor role changes or terminations.
- Implementing workstation timeouts for extended periods of inactivity.
- Reviewing access activities associated with accounts and VM applications.
- Protecting credentials associated with deployment profiles.
- Following security practices during development and deployment of applications on Azure Web Apps.
- Configuring Web Apps deployments to log diagnostic information and monitor security-related events.
- Specifying and managing strong credentials for service identities and management service accounts.
- Supervising, managing, and controlling access to key systems hosted in the Azure environment.
- Verifying the security of patching and maintaining third-party applications/components installed on Azure.
- Selecting and using passwords by customer administrators.
- Notifying MFA service of changes to technical/administrative contact information.
- Maintaining their own systems of record.
- Supervising, managing, and controlling the use of MFA services.
- Developing Disaster Recovery and Business Continuity Plans addressing MFA service access issues.
- Ensuring confidentiality of user IDs and passwords for MFA systems.
- Assigning user IDs and passwords to authorized individuals.
- Ensuring data submitted to the MFA service is complete, accurate, and timely.
- Notifying MFA service of any actual or suspected information security breaches.
- Determining, implementing, and managing encryption requirements for data within Azure.
- Securing certificates used to access Azure SMAPI.
- Selecting the access mechanism for data.
- Determining configurations to be enabled on VMs.
- Backing up data from Azure to local storage upon Azure subscription termination.
- Protecting the secrets associated with their accounts.
- Designing and implementing interconnectivity between Azure and on-premises resources.
- Specifying authorization requirements for Internet-facing messaging endpoints.
- Encrypting content using the SDK provided by Media Services.
- Rotating DRM and content keys.
- Following a Secure Development Lifecycle methodology for applications developed on Azure.
- Assuring application quality before promoting to the Azure production environment.
- Monitoring the security of applications developed on Azure.
- Reviewing public Azure security and patch updates.
- Applying patches for customers not signed up for auto-upgrade.
- Reporting incidents and alerts specific to their systems and Azure to Microsoft.
- Supporting timely incident responses with the Azure team.
- Designing and implementing redundant systems for hot-failover capability.
- Assigning unique IDs and secured passwords to users accessing the API Management service.
- Securing their API using mutual certificates, VPN, or the Azure ExpressRoute service.
- Using encrypted variable assets to store secrets while using the Automation service.
- Reviewing access activities associated with Intune enrolled devices.
- Implementing encryption requirements for Intune enrolled devices and on-premises resources.
- Securing certificates used to access Intune.
- Determining applications and policies to be deployed to Intune enrolled devices.
- Designing and implementing interconnectivity between Intune subscription and on-premises resources.
- Ensuring on-premises infrastructure is physically connected for Azure ExpressRoute service users.
- Ensuring service with connectivity providers is compatible with Azure ExpressRoute.
- Ensuring connectivity providers extend connectivity in a highly available manner.
- Setting up redundant routing for Azure ExpressRoute service users.
- Configuring redundant BGP sessions for Azure ExpressRoute service users.
- Appropriately managing Network Address Translation (NAT) for Azure ExpressRoute service users.
- Adhering to peering requirements with Microsoft Online Services for Azure ExpressRoute users.
- Encrypting data in transit for Azure ExpressRoute service users.
- Protecting Cloud Services and resource groups for Azure ExpressRoute service users.
- Implementing appropriate authentication mechanisms for AAD service users.
- Implementing logical access controls to restrict unauthorized access to key systems.
- Backing up keys added to Azure Key Vault.
- Physically securing StorSimple devices on premises.
- Specifying strong cloud encryption keys for StorSimple devices.
- Providing Internet connectivity for StorSimple devices.
- Testing application systems in the Dynamics 365 environment.
- Testing and approving customer-developed customizations and extensions for Dynamics 365.
- Understanding and adhering to service contract contents.
- Managing inputs and data uploads to Dynamics 365.
- Notifying Microsoft of unauthorized use of Dynamics 365 accounts.
- Authorizing transactions in the Dynamics 365 system.
- Validating completeness and accuracy of customized reporting in Dynamics 365.
- Hardening virtual machine images as per their requirements.
- Responding to data subject requests for customer data or system-generated logs.