# SharePoint SOC 2 Compliance Guide: Configuring Microsoft 365 for Financial Services
SOC 2 Type II is the gold standard for technology security compliance, particularly for financial services, SaaS companies, and organizations that handle sensitive client data. If your organization uses SharePoint Online and must achieve or maintain SOC 2 compliance, this guide covers the specific SharePoint configurations required.
---
What Is SOC 2 and Why It Matters for SharePoint
SOC 2 (System and Organization Controls 2) is an attestation framework developed by the AICPA; the report is issued by an independent CPA firm, not a certification body. A SOC 2 Type II report evaluates both the design and the operating effectiveness of a company's controls over a review period, typically 6 to 12 months, against the five Trust Services Criteria (TSC) categories:
| Trust Service Criteria | Relevance to SharePoint |
|----------------------|------------------------|
| Security | Access controls, encryption, MFA, penetration testing |
| Availability | Uptime SLAs, disaster recovery, business continuity |
| Processing Integrity | Data accuracy, complete and timely processing |
| Confidentiality | Sensitive data protection, classification, access |
| Privacy | Personal data handling, data subject rights |
Every SOC 2 report covers Security (the Common Criteria, which are mandatory); financial services firms usually add at least Availability and Confidentiality.
---
Microsoft's SOC 2 Posture for SharePoint Online
Microsoft obtains SOC 2 Type II attestation reports for Microsoft 365 (including SharePoint Online) from an independent auditor. This means:
- Microsoft's infrastructure and platform controls are SOC 2 audited
- Microsoft's SOC 2 report covers the cloud provider layer
- Your organization must implement appropriate controls in the tenant layer
Shared responsibility model: Microsoft handles infrastructure security; you handle tenant configuration, access management, and data governance.
Download Microsoft's SOC 2 report from the Service Trust Portal (servicetrust.microsoft.com) → Reports → SOC. Your auditor will want a report whose period overlaps your own audit window, plus Microsoft's bridge letter for any gap.
---
Security Criteria (CC6): Access Controls
CC6.1 — Logical Access Controls
SharePoint requirements:
- Unique user accounts for all SharePoint access (no shared accounts)
- Role-based access control using SharePoint Groups and Azure AD Security Groups
- Minimum necessary access (least privilege principle)
- Documented access provisioning process
Configuration:
```
- Azure AD: Automated user provisioning from HR system (Workday, SAP HR)
- SharePoint: Access requests go through IT service desk (no self-service site creation)
- Review: Quarterly access certification using Azure AD Access Reviews
- Termination: Same-day access removal through HR-IT integration
```
CC6.1 — Identifying and Classifying Protected Information Assets
SharePoint requirements:
- Documented data classification standards
- Content owners responsible for correct classification
- Sensitivity labels applied to SharePoint libraries containing financial data
CC6.3 — Role Access Authorization
- All permission changes to financial data sites require documented approval
- Change requests logged in ITSM system (ServiceNow, Jira Service Management)
- Approvals: Site Owner + IT Security approval required for Full Control grants
CC6.6 — Threats by Outside Parties
- External sharing disabled for financial data SharePoint sites
- Guest access audited quarterly, expired access removed
- Azure AD B2B used when external access is required (not anonymous links)
- Conditional Access: block sign-ins from named locations (countries) where you do not operate, and require MFA for all SharePoint access
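The CC6.6 settings above can be applied and, just as importantly, read back as evidence from the SharePoint Online Management Shell. The script below is an added example, not configuration from the original article: the tenant name, finance site URLs and allowed partner domains are placeholders, and the domain allow-list is optional if your sharing policy does not restrict by domain.

```powershell
# Added example: harden SharePoint Online external sharing (SOC 2 CC6.6) and capture evidence.
# Assumptions: tenant "contoso"; the site URLs and partner domains below are placeholders.
# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell; SharePoint Administrator role.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant baseline: sharing only with authenticated guests (Azure AD B2B), never "Anyone" links.
# Default link type stays internal; guests cannot re-share; guest access expires after 30 days.
# Drop the two SharingDomain* parameters if you do not restrict sharing to named partner domains.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -PreventExternalUsersFromResharing $true `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30 `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "auditfirm.example partnerbank.example"

# Financial-data sites: external sharing off entirely, regardless of the tenant-wide setting.
$financeSites = @(
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/Treasury"
)
foreach ($url in $financeSites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# Evidence read-back: fail loudly on drift and write a timestamped CSV for the audit binder.
$tenant = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    PreventExternalUsersFromResharing, ExternalUserExpirationRequired, ExternalUserExpireInDays
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    throw "Anonymous (Anyone) sharing links are still enabled at the tenant level"
}
$siteEvidence = foreach ($url in $financeSites) {
    $s = Get-SPOSite -Identity $url -Detailed
    if ($s.SharingCapability -ne 'Disabled') { Write-Warning "$url still allows external sharing" }
    [pscustomobject]@{
        Url               = $url
        SharingCapability = $s.SharingCapability
        Checked           = (Get-Date).ToString('s')
    }
}
$tenant | Export-Csv -Path ".\CC6.6-tenant-sharing-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$siteEvidence | Export-Csv -Path ".\CC6.6-site-sharing-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run the read-back portion on its own each quarter; a CSV series showing the same values across the audit period is exactly the kind of operating-effectiveness evidence a Type II auditor samples.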
CC6.7 — Restricting Transmission, Movement and Removal of Information
- Sensitivity labels with DLP to prevent financial data sharing via email or Teams
- DLP policies trigger alerts on credit card numbers, bank account numbers, SSNs
- Microsoft Purview Information Protection automatically labels financial records
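A DLP policy covering the three identifier types named above can be created from Security & Compliance PowerShell. This is an added example rather than the article's own configuration: site URLs, policy and rule names and the alert mailbox are placeholders, while the sensitive information type names are Microsoft's built-in ones. It starts in test mode so false positives can be tuned before the rule blocks anyone.

```powershell
# Added example: Purview DLP policy for finance sites (SOC 2 CC6.7).
# Assumptions: placeholder site URLs, names and alert mailbox; thresholds are a starting point.
# Requires: Install-Module ExchangeOnlineManagement; Compliance Administrator role.

Connect-IPPSSession

$financeSites = @(
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/Treasury"
)

# Test mode with policy tips: users see the tip and matches are logged, but nothing is blocked yet.
New-DlpCompliancePolicy -Name "Finance - Restricted financial data" `
    -Comment "SOC 2 CC6.7: prevent financial identifiers leaving finance sites" `
    -SharePointLocation $financeSites `
    -Mode TestWithNotifications

# Built-in Microsoft Purview sensitive information types, with minimum match counts and confidence.
$sits = @(
    @{ Name = "Credit Card Number";                minCount = "1"; minConfidence = "85" },
    @{ Name = "U.S. Bank Account Number";          minCount = "1"; minConfidence = "75" },
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1"; minConfidence = "85" }
)

# Block access for people outside the organization only (PerUser); internal staff keep working.
New-DlpComplianceRule -Name "Block external access to financial identifiers" `
    -Policy "Finance - Restricted financial data" `
    -ContentContainsSensitiveInformation $sits `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This file contains financial identifiers and cannot be shared outside the firm." `
    -GenerateAlert SiteAdmin `
    -GenerateIncidentReport "dlp-alerts@contoso.example" `
    -IncidentReportContent Title, DocumentAuthor, MatchedItem, RulesMatched, Severity `
    -ReportSeverityLevel High

# After the tuning window (review DlpRuleMatch and DlpRuleUndo events), switch to enforcement:
# Set-DlpCompliancePolicy -Identity "Finance - Restricted financial data" -Mode Enable
```

Keep the ticket that approves the switch from TestWithNotifications to Enable; under the change management section later in this guide, a DLP policy change needs Compliance Officer sign-off, and the auditor will ask for it.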
---
Availability Criteria (A1): System Availability
A1.1 — Capacity and Availability Monitoring
Microsoft handles physical infrastructure. Your SOC 2 controls:
- Document SharePoint Online's included SLA (99.9% uptime from Microsoft)
- Configure alerts for service degradation (Microsoft 365 Service Health Dashboard)
- Include SharePoint in your business continuity plan
A1.2 — Environmental Protections, Backup and Recovery
SharePoint Online includes:
- Replication of your data to a secondary Microsoft datacenter within your tenant's geography
- Recycle bin: deleted items and deleted sites are retained for 93 days in total across the first-stage and second-stage (site collection) recycle bins, then purged
- Version history on all document libraries (on by default, with a 500 major version limit for new libraries)
Additional backup controls for SOC 2:
- Verify version history enabled on all financial data libraries
- Document recovery procedures and test them quarterly (A1.3 requires tested recovery procedures, not just documented ones)
- Third-party backup (AvePoint, Veeam) for point-in-time recovery beyond Microsoft's defaults
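"Verify version history enabled on all financial data libraries" is a check that should be scripted, not screenshotted once. The script below is an added example (not the article's own tooling) using PnP PowerShell: it records the versioning state of every document library in the finance sites, remediates any library below target, and notes that it did so. Site URLs, the app registration id and the 500-version target are assumptions.

```powershell
# Added example: verify and enforce version history on finance libraries (SOC 2 A1.2 evidence).
# Assumptions: placeholder site URLs; $pnpAppId is your own Entra app registration for PnP;
# 500 major versions as the target (SharePoint's default for new libraries).
# Requires: Install-Module PnP.PowerShell; site collection admin rights on each site.

$pnpAppId    = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your app id
$financeSites = @(
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/Treasury"
)
$targetMajorVersions = 500

$results = foreach ($url in $financeSites) {
    Connect-PnPOnline -Url $url -Interactive -ClientId $pnpAppId

    # -Includes is needed: Get-PnPList does not load versioning properties by default.
    # BaseTemplate 101 = document library; hidden lists are system lists and are skipped.
    $libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit |
        Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

    foreach ($lib in $libraries) {
        $compliant = $lib.EnableVersioning -and ($lib.MajorVersionLimit -ge $targetMajorVersions)
        if (-not $compliant) {
            # Remediate in place and record it, rather than silently reporting a pass.
            Set-PnPList -Identity $lib.Id -EnableVersioning $true -MajorVersions $targetMajorVersions
        }
        [pscustomobject]@{
            Site              = $url
            Library           = $lib.Title
            VersioningEnabled = $lib.EnableVersioning
            MajorVersionLimit = $lib.MajorVersionLimit
            Remediated        = -not $compliant
            Checked           = (Get-Date).ToString('s')
        }
    }
}

$results | Export-Csv -Path ".\A1.2-version-history-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$results | Where-Object Remediated |
    ForEach-Object { Write-Warning "$($_.Site) / $($_.Library): versioning was below target and has been fixed" }
```

A library that shows Remediated = True is itself a finding worth explaining to the auditor (who changed it, and why the change management process did not catch it), so keep the CSVs rather than only the final clean one.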
---
Confidentiality Criteria (C1): Confidential Information
C1.1 — Identifying and Maintaining Confidential Information
- Data classification policy documented and published
- SharePoint sensitivity labels align to classification tiers:
  - Public → No label
  - Internal → "Internal" label
  - Confidential → "Confidential" label with content marking; access is captured in the audit log
  - Restricted → "Restricted" label with encryption and strict access
C1.2 — Disposal of Confidential Information
- Microsoft Purview Disposition Review for financial records end-of-retention
- No self-deletion of Restricted content without compliance officer approval
- Documented retention schedule referenced in SharePoint retention policies
---
Audit Logging Configuration for SOC 2
SOC 2 auditors will request audit logs demonstrating your controls are operating effectively. Configure comprehensive logging:
Enable Microsoft Purview Audit (Mandatory)
- Microsoft Purview Compliance Portal → Audit → Start recording user and admin activity
- Confirm audit log retention covers your audit period plus a buffer: Audit (Standard) retains 180 days; Audit (Premium), included with Microsoft 365 E5 or the Purview Audit (Premium) add-on, retains 1 year by default
- Longer retention (up to 10 years) requires the separate 10-Year Audit Log Retention add-on license
- Minimum for SOC 2: 1 year (audit period plus buffer). On Audit (Standard) this means exporting the log to a SIEM or Log Analytics workspace before it ages out
Key Events Auditors Will Request
| Event Category | Specific Events |
|---------------|----------------|
| File access | FileAccessed, FileDownloaded, FilePreviewed |
| Permission changes | SharingInvitationCreated, PermissionLevelModified |
| Admin changes | SiteCollectionAdminAdded, SharingPolicyChanged |
| External sharing | AnonymousLinkCreated, SharingInvitationAccepted |
| DLP events | DlpRuleMatch, DlpRuleUndo (user override or false-positive report) |
| Failed access | UserLoginFailed, UserLoggedIn (Azure AD sign-in records surfaced in the unified audit log) |
Audit Log Access for Auditors
Prepare for SOC 2 audit by:
- Exporting audit logs for the audit period (typically 12 months)
- Creating report showing: who accessed financial data sites, when, from where
- Evidence of quarterly access reviews
- Evidence of same-day termination access removal
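The "who accessed financial data sites, when, from where" report comes straight out of the unified audit log. The script below is an added example, not part of the original article: it pulls the SharePoint operations from the table above for one finance site (placeholder URL), pages through results correctly, flattens the JSON payload into the columns an auditor reads, and finishes with the out-of-hours download view used in the monthly review.

```powershell
# Added example: export SharePoint audit evidence for a finance site (SOC 2 CC6 / audit logging).
# Assumptions: placeholder site URL; a 180-day window. Adjust to the audit period you are evidencing.
# Requires: Install-Module ExchangeOnlineManagement; Audit Logs role (Purview or Exchange Online).
# Caveats: Search-UnifiedAuditLog only returns what retention still holds (Audit Standard: 180 days),
# returns at most 5,000 records per call and 50,000 per session; chunk a 12-month export by month.

Connect-ExchangeOnline

$start   = (Get-Date).AddDays(-180)
$end     = Get-Date
$siteUrl = "https://contoso.sharepoint.com/sites/Finance"
$operations = @(
    "FileAccessed", "FileDownloaded", "FilePreviewed",
    "SharingInvitationCreated", "SharingInvitationAccepted", "AnonymousLinkCreated",
    "PermissionLevelModified", "SiteCollectionAdminAdded", "SharingPolicyChanged"
)

# A fixed SessionId plus ReturnLargeSet makes successive calls return successive pages.
$sessionId = "SOC2-Finance-$(Get-Date -Format yyyyMMddHHmmss)"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $operations `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while (@($page).Count -eq 5000)        # a short page means the session is exhausted

# Pages can overlap; Identity is unique per record, so dedupe on it.
$records = $records | Sort-Object Identity -Unique

# AuditData is a JSON blob; keep only this site's events and the fields an auditor needs.
$report = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    if ($d.SiteUrl -and ($d.SiteUrl.TrimEnd('/') -ieq $siteUrl)) {
        [pscustomobject]@{
            Time      = $d.CreationTime      # UTC
            User      = $d.UserId
            Operation = $d.Operation
            Object    = $d.ObjectId
            ClientIP  = $d.ClientIP
            UserAgent = $d.UserAgent
        }
    }
}
$report | Sort-Object Time | Export-Csv -Path ".\finance-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Monthly review view: downloads outside 07:00-19:59 UTC, by user, most active first.
$report | Where-Object { $_.Operation -eq 'FileDownloaded' -and ([datetime]$_.Time).Hour -notin 7..19 } |
    Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
```

Store the CSV alongside the signed-off monthly review note; the pairing (raw export plus a dated reviewer decision) is what turns a log into SOC 2 evidence.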
---
Change Management Controls for SOC 2
SOC 2 CC8.1 requires documented change management for system changes that could affect security or availability.
SharePoint Change Management Policy
Define what changes require formal change management:
| Change Type | Change Process | Approval Required |
|------------|---------------|------------------|
| New site collection (financial data) | Change ticket + approval | IT Manager + Compliance |
| Permission level modification | Change ticket | IT Security |
| DLP policy change | Change ticket + testing | Compliance Officer |
| External sharing configuration | Change ticket | CISO |
| New third-party app/connector | Security review + approval | CISO + IT |
| Migration/major configuration | Full change management | CAB approval |
Maintain evidence: All change tickets with approvals stored in ITSM system — auditors will request these.
---
Vulnerability Management and Penetration Testing
SOC 2 CC7.1 requires vulnerability management. For SharePoint Online:
- Microsoft handles infrastructure patching (document this in shared responsibility model)
- Your scope: Custom code, third-party apps, SPFx extensions, Power Apps
- Annual penetration testing of any custom SharePoint development
- Remediate critical vulnerabilities within 30 days, high within 90 days
---
SOC 2 Evidence Collection for SharePoint
Compile these evidence packages before your SOC 2 audit:
Access Control Evidence:
- [ ] User access provisioning/de-provisioning process documentation
- [ ] Quarterly access review screenshots (Azure AD Access Reviews results)
- [ ] Sample: 5 new user provisioning tickets (showing approvals)
- [ ] Sample: 5 termination tickets (showing same-day access removal)
- [ ] Screenshots: SharePoint permission groups and members
Audit Log Evidence:
- [ ] 12 months of SharePoint audit logs (exported CSV or accessible query)
- [ ] Screenshots: Audit log enabled, retention set to 1+ year
- [ ] Evidence of monthly audit log review (signed-off by Compliance)
Change Management Evidence:
- [ ] List of all SharePoint changes made during audit period
- [ ] Change tickets with approval signatures
- [ ] Evidence that changes were tested before deployment
Encryption Evidence:
- [ ] Microsoft 365 Service Trust Portal: SOC 2 report showing encryption
- [ ] Screenshots: Sensitivity labels configured on financial data libraries
- [ ] DLP policy configuration screenshots
---
Continuous SOC 2 Compliance Monitoring
SOC 2 is not a point-in-time project — it is continuous. Build these recurring activities into your operations:
Monthly:
- Review SharePoint audit logs for anomalous access
- Review DLP policy violations and false positives
- Verify all financial data sites have correct sensitivity labels
Quarterly:
- Complete Azure AD Access Reviews for all financial data sites
- Review guest access and expire inactive guests
- Review DLP policy effectiveness (adjust rules if needed)
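The quarterly guest review above can be automated with Microsoft Graph PowerShell. The script below is an added example, not from the original article: it lists every guest, treats 90 days without a sign-in as inactive (an assumed threshold), disables rather than deletes those accounts so a wrong call is reversible, and writes the decision list as evidence. Deletion is left for a later, approved step.

```powershell
# Added example: quarterly inactive-guest review (SOC 2 CC6.6 / quarterly task).
# Assumptions: 90-day inactivity threshold; disable, do not delete, in this pass.
# Requires: Install-Module Microsoft.Graph; delegated scopes User.ReadWrite.All and AuditLog.Read.All;
# signInActivity is only populated in tenants with a Microsoft Entra ID P1/P2 license.

Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All"

$cutoff = (Get-Date).AddDays(-90).ToUniversalTime()
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, UserPrincipalName, AccountEnabled, CreatedDateTime, SignInActivity

$review = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # A guest who accepted the invite but never signed in has no SignInActivity;
    # fall back to the creation date so stale invitations are caught too.
    $lastActivity = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
    $inactive = $g.AccountEnabled -and ($lastActivity -lt $cutoff)

    if ($inactive) {
        Update-MgUser -UserId $g.Id -AccountEnabled:$false
    }

    [pscustomobject]@{
        Guest      = if ($g.Mail) { $g.Mail } else { $g.UserPrincipalName }
        Created    = $g.CreatedDateTime
        LastSignIn = $lastSignIn
        Action     = if ($inactive) { 'Disabled (no sign-in in 90 days)' } else { 'Retained' }
        ReviewedOn = (Get-Date).ToString('s')
    }
}

$review | Export-Csv -Path ".\guest-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$review | Group-Object Action | Select-Object Name, Count
```

Have the business owner of each finance site sign the exported list; an access review that only IT sees is a control without an approver, and auditors notice.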
Annually:
- SharePoint configuration review against SOC 2 control requirements
- Retention policy review (ensure retention schedules are current)
- Security awareness training for all SharePoint users handling financial data
- Penetration test of custom SharePoint solutions
---
Need Help Achieving SOC 2 Compliance for SharePoint?
SOC 2 compliance for SharePoint requires expertise in both Microsoft 365 configuration and the AICPA Trust Service Criteria framework. Our team has guided dozens of financial services firms through SOC 2 Type II certification.
[Schedule a SOC 2 readiness assessment →](/industries/financial-services)
Or explore our [SharePoint Consulting Services](/services/sharepoint-consulting) for comprehensive compliance configuration.
Written by Errin O'Connor
Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem
Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.