Microsoft Purview · Global & Security Roles

Service Assurance User

Members can access the Service Assurance section in the Microsoft Purview portal. Service Assurance provides reports and documents that describe Microsoft's security practices for customer data stored in Microsoft 365, including SOC reports, ISO certifications, and penetration test results.

Scope: Read-only access to Microsoft's service assurance documentation and compliance reports

Permissions

  • Service Assurance View - Access Service Trust Portal documents
  • Download SOC 1/2/3 audit reports
  • Access ISO 27001, 27017, 27018 certifications
  • View FedRAMP, HIPAA, GDPR compliance documentation
  • Access penetration testing summaries
  • View Microsoft data protection practices

Common use cases

  • Customer due diligence and vendor risk assessments
  • Regulatory audit evidence gathering (SOC 2, ISO, HIPAA)
  • Responding to customer security questionnaires
  • Internal compliance program documentation
  • Privacy impact assessments referencing Microsoft's practices

Best practices

  • Assign to compliance, audit, and legal teams who handle customer due diligence
  • Refresh documents annually as Microsoft publishes new reports
  • Combine with Compliance Manager access for end-to-end compliance reporting
  • Document chain of custody when sharing reports with auditors

Security considerations

  • Service Assurance documents may be confidential under NDA
  • Reports describe Microsoft's security posture — handle per Microsoft NDA terms
  • No access to customer data — purely Microsoft compliance documentation

Common questions

When should I assign the Service Assurance User role?

Assign Service Assurance User when you need to: Customer due diligence and vendor risk assessments; Regulatory audit evidence gathering (SOC 2, ISO, HIPAA); Responding to customer security questionnaires; Internal compliance program documentation; and Privacy impact assessments referencing Microsoft's practices. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Service Assurance User role do?

The Service Assurance User role grants permissions including: Service Assurance View - Access Service Trust Portal documents; Download SOC 1/2/3 audit reports; Access ISO 27001, 27017, 27018 certifications; View FedRAMP, HIPAA, GDPR compliance documentation; Access penetration testing summaries; and View Microsoft data protection practices. See the Permissions section above for the full list.

What are the security risks of the Service Assurance User role?

Key considerations when assigning Service Assurance User: Service Assurance documents may be confidential under NDA; Reports describe Microsoft's security posture — handle per Microsoft NDA terms; and No access to customer data — purely Microsoft compliance documentation. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →