Organizations that use Microsoft 365 Copilot must verify that the service meets their security and compliance requirements. The SOC 2 Type II report provides an independent auditor's assessment of Microsoft's controls over data security, availability, and confidentiality as they operated over a period of time, not just as they were designed. Many compliance teams need this report to satisfy internal risk management policies or external regulatory obligations. This article explains what the SOC 2 Type II report covers, how to obtain it through the Microsoft Service Trust Portal, and how to review the sections that matter for Copilot.
Key Takeaways: Requesting and Reviewing the Copilot SOC 2 Report
- Microsoft Service Trust Portal > Audit Reports > SOC 2 Type II: The primary location to download the latest report for Microsoft 365 and Copilot.
- System and Organization Controls (SOC) 2 Type II report: Covers the operating effectiveness of controls over a period of at least six months (Microsoft's reports typically cover 12 months), not a single point in time like a Type I report.
- Control activities section: Review the description of controls related to data encryption, access management, and change management for Copilot services.
What the SOC 2 Type II Report Covers for Copilot
The SOC 2 Type II report is an independent audit performed by a licensed CPA firm. It evaluates both the design and the operating effectiveness of Microsoft's controls over a defined period, typically 12 months. For Microsoft 365 Copilot, the report covers the underlying Microsoft 365 services that Copilot depends on, including Microsoft Entra ID (formerly Azure Active Directory), Exchange Online, SharePoint Online, and the Microsoft Purview compliance portal (formerly the Microsoft 365 Compliance Center). The report may not list Copilot as a separately named audited service; the controls described for Microsoft 365 apply to Copilot to the extent that Copilot runs inside the audited system boundary, so the Description of the System section, not this article, is the authoritative statement of what is covered.
The report includes the following sections:
- Independent service auditor’s report: The auditor’s opinion on whether the controls were designed and operating effectively during the audit period.
- Management’s assertion: Microsoft’s statement that the controls described in the report were in place and operating effectively.
- Description of the system: Details about the Microsoft 365 system boundaries, infrastructure, software, data, and processes.
- Trust Services Criteria, controls, tests and results: A matrix that maps each applicable criterion (the CC-series Common Criteria such as CC6 Logical and Physical Access Controls and CC8 Change Management) to the controls Microsoft operates, the auditor's tests of each control, and the results of those tests, including any exceptions. "Control objectives" is SOC 1 terminology; some readers use it loosely for this section. This section is the most relevant for reviewers.
- Complementary user entity controls: Controls that Microsoft expects customers to implement, such as multi-factor authentication and data classification policies.
The report does not describe Copilot-specific features such as grounded data retrieval or prompt processing in detail. Those capabilities rely on the same underlying controls for encryption at rest and in transit, access logging, and tenant data isolation that the report tests for the Microsoft 365 services in scope.
How to Request the SOC 2 Type II Report for Copilot
The report is available to Microsoft cloud customers who sign in to the Service Trust Portal with a work or school account and accept Microsoft's non-disclosure agreement for compliance materials. Follow these steps to access it.
- Sign in to the Microsoft Service Trust Portal
Go to servicetrust.microsoft.com and sign in with a work or school account from your Microsoft 365 tenant. A personal Microsoft account will not work. The portal requires an authenticated organizational account and acceptance of the NDA rather than a specific administrator role; if your tenant restricts which users can access it, ask your tenant administrator.
- Accept the non-disclosure agreement
If you have not previously accepted the NDA, the portal prompts you to review and accept it. The NDA is a standard legal agreement that restricts how you can share the report content. You accept it once for the signed-in account.
- Navigate to Audit Reports
In the navigation menu, select Audit Reports, then select SOC Reports from the sub-menu. Menu labels change over time, so look for the section that groups SOC 1, SOC 2 and SOC 3 reports.
- Locate the SOC 2 Type II report
Look for the report titled Microsoft 365 SOC 2 Type II Report or a similar name that includes the audit period. The report is published in PDF format. At the time of writing, the most recent report covers the period from October 1, 2023 to September 30, 2024. Download the PDF file.
- Verify the report scope
Open the PDF and check the Description of the System section. Confirm that the report covers the Microsoft 365 services your organization uses, such as Exchange Online, SharePoint Online, and Microsoft Entra ID. These are the services Copilot depends on.
How to Review the SOC 2 Type II Report for Copilot Compliance
Once you have the report, focus on the sections that directly affect how Copilot handles your organization’s data.
Control Objectives and Activities
This section lists each Trust Services Criterion and the corresponding controls, tests and results. Look for the criteria on data encryption, logical access, and change management. For example, CC6 (Logical and Physical Access Controls) describes how Microsoft restricts access to the storage and processing systems that hold Copilot data. Check that the controls include periodic access reviews, enforced multi-factor authentication for Microsoft personnel, and logging of administrative actions, and then read the test results for those controls rather than only the control descriptions: an exception recorded against a control you rely on matters even when the overall opinion is unqualified.
Complementary User Entity Controls
This section lists the controls your organization must implement for Microsoft's controls to achieve the criteria in your environment. The auditor's opinion assumes these are in place. For Copilot, the most relevant complementary controls are:
- Enforce multi-factor authentication for all users who access Copilot
- Classify and apply sensitivity labels to sensitive documents before enabling Copilot for the sites and libraries that hold them
- Configure data loss prevention policies so that Copilot cannot surface or share restricted data
- Review Copilot audit logs regularly using the Microsoft Purview compliance portal or the unified audit log
If your organization has not implemented these controls, the assurance the SOC 2 report provides does not transfer to your deployment, and your own auditors are likely to raise the gap.
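The last complementary control above, regular review of Copilot audit logs, is easier to evidence from a script than from portal screenshots. The following PowerShell is an added example, not code from the original article or from Microsoft: it pulls Copilot interaction events from the unified audit log for the last N days, flags interactions that touched sensitivity-labeled resources (tying the review back to the classification control), and writes a CSV you can attach to your own audit workpapers. It assumes the ExchangeOnlineManagement module, an account permitted to search the audit log, and the "CopilotInteraction" record type; the nested field names under CopilotEventData (AppHost, AccessedResources, SensitivityLabelId) are assumptions about the event schema and should be checked against one real event in your tenant before relying on them.

```powershell
# Added example: evidence for the "review Copilot audit logs regularly" control.
# Assumes the ExchangeOnlineManagement module and audit-log search permission.
#Requires -Modules ExchangeOnlineManagement

param(
    [int]$Days = 7,
    [string]$OutCsv = ".\copilot-audit-$(Get-Date -Format yyyyMMdd).csv"
)

Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddDays(-$Days)

# A single call returns at most 5000 rows; reuse one SessionId with
# ReturnLargeSet to page until the search returns nothing more.
$sessionId = "copilot-review-$([guid]::NewGuid())"
$raw = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType CopilotInteraction -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $raw += $page }
} while ($page -and $page.Count -gt 0)

# Paged results can overlap; Identity is unique per audit record.
$events = $raw | Sort-Object Identity -Unique | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    # CopilotEventData field names below are assumptions about the schema.
    $resources = @($data.CopilotEventData.AccessedResources)
    [pscustomobject]@{
        Time       = $_.CreationDate
        User       = $_.UserIds
        Operation  = $_.Operations
        AppHost    = $data.CopilotEventData.AppHost
        Resources  = ($resources | ForEach-Object { $_.Name }) -join '; '
        # True when any grounded resource carried a sensitivity label.
        TouchedLabeled = [bool]($resources | Where-Object { $_.SensitivityLabelId })
    }
}

# Summary for the reviewer: who used Copilot, how often, and how many
# interactions were grounded on labeled content.
$events | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{n='User';e={$_.Name}}, Count,
                  @{n='LabeledHits';e={ ($_.Group | Where-Object TouchedLabeled).Count }} |
    Format-Table -AutoSize

$events | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Wrote $($events.Count) Copilot interactions ($Days days) to $OutCsv"

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a scheduled task or on a fixed cadence and retain the CSVs; the retention of the unified audit log itself depends on your licensing, so the exported files are what demonstrates that the review actually happened during your audit period.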
Auditor’s Opinion and Testing Results
The independent auditor's opinion states whether the controls were suitably designed and operating effectively during the audit period. Look for an unqualified opinion, which means the auditor found no material exceptions. Even with an unqualified opinion, read the tests-and-results section for individual exceptions and Microsoft's management response to each. If the opinion is qualified or adverse, identify which criteria failed testing and whether they are ones your Copilot deployment relies on. A qualified opinion does not automatically mean Copilot is non-compliant, but it does indicate a control gap that you should track in the next report and raise with your Microsoft account team if it affects you.
Common Issues When Requesting or Reviewing the Report
Cannot Access the Service Trust Portal
If you receive an access denied error, first confirm that you signed in with a work or school account from a tenant that holds a Microsoft cloud subscription, not a personal Microsoft account, and that you accepted the NDA when prompted. The portal does not require a Microsoft 365 administrator role; read-only access to the reports comes with the authenticated account and the NDA. If the error persists, your tenant administrator may have restricted sign-in to third-party or Microsoft applications through Conditional Access or consent policies, so ask them to check those settings.
Report Does Not Mention Copilot by Name
The SOC 2 Type II report for Microsoft 365 may not list Copilot as a separately named audited service. This is expected for a feature that runs on top of existing Microsoft 365 services. To confirm coverage, check the Description of the System for the inclusion of the services Copilot depends on, such as Microsoft Entra ID, Exchange Online, and SharePoint Online. Treat the scope section as authoritative: if a component you care about, for example the service that processes Copilot prompts, is not named in the system boundary, do not assume it is covered; ask Microsoft which report addresses it.
Report Period Does Not Match Your Audit Cycle
If your organization's fiscal or audit period does not align with the report period, you need a bridge letter (also called a gap letter). A bridge letter is issued by Microsoft, not by the auditor, and states that management is not aware of significant changes to the controls between the end of the report period and the letter date; it is not an audited document, so it only bridges a short gap until the next report. Microsoft publishes bridge letters for its major services on the Service Trust Portal alongside the SOC reports, so check there first. If the letter you need is not published, contact your Microsoft account representative.
SOC 2 Type II vs SOC 2 Type I: Key Differences for Copilot
| Item | SOC 2 Type II | SOC 2 Type I |
|---|---|---|
| Description | Evaluates design and operating effectiveness of controls over a period of time | Evaluates design of controls at a single point in time |
| Audit period | Minimum six months, typically 12 months | No audit period, only a snapshot date |
| Relevance for Copilot | Required by most enterprise compliance teams to prove ongoing control effectiveness | Less useful because it does not verify controls were actually in operation over time |
| Report availability | Published annually on the Service Trust Portal, with bridge letters in between | Not routinely published for Microsoft 365; check the same SOC Reports section if one is needed |
| Customer use case | Used for annual compliance audits and risk assessments | Used for initial vendor onboarding or quick verification |
The SOC 2 Type II report is the standard document that compliance teams request for Copilot. A Type I report alone is not sufficient for most vendor-risk programs because it does not show that controls operated over time. Note also that a SOC 2 report is not itself evidence of compliance with regulations such as HIPAA or authorization programs such as FedRAMP; those are assessed separately, and Microsoft publishes their own attestations on the Service Trust Portal. If your organization requires both SOC 2 report types, download the Type II report first and check whether a Type I report is available in the same SOC Reports section.
You can now obtain and review the Microsoft 365 Copilot SOC 2 Type II report using the Microsoft Service Trust Portal. Focus on the controls, tests and results section to verify that encryption, access management, and change management controls were tested without exceptions that affect you. Also review the complementary user entity controls to ensure your organization has enforced multi-factor authentication and applied sensitivity labels before enabling Copilot. For a more detailed compliance review, compare the report's scope with your organization's specific regulatory requirements; a SOC 2 report does not substitute for an ISO 27001 certificate or a GDPR assessment, which have their own documents on the portal. Request or download a bridge letter if the report period does not align with your audit cycle.