Cloud Security Alliance (CSA) STAR Attestation

Azure and Intune were awarded Cloud Security Alliance STAR Attestation based on an independent audit.

Microsoft in-scope cloud services

Microsoft Azure and Microsoft Intune have been awarded CSA STAR Attestation. STAR Attestation provides an auditor’s findings on the design suitability and operating effectiveness of SOC 2 controls in Microsoft cloud services.

  • Azure and Azure Government detailed list
  • Azure Germany detailed list
  • Cloud App Security
  • Graph
  • Intune
  • Microsoft Flow cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Power BI

Audits, reports and certificates

CSA STAR Attestation Overview

The Cloud Security Alliance (CSA) maintains the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry where cloud service providers (CSPs) can publish their CSA-related assessments. STAR consists of three levels of assurance aligned with control objectives in the CSA Cloud Controls Matrix (CCM). The CCM covers fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service. The three levels are:

  • Level 1: STAR Self-Assessment
  • Level 2: STAR Attestation, STAR Certification, and C-STAR Assessment (which are based on audits by third parties)
  • Level 3: STAR Continuous Monitoring (program requirements are still under development by CSA)

STAR Attestation involves a rigorous independent audit of a cloud provider’s security posture based on a SOC 2 Type 2 audit in combination with CCM criteria. The independent auditor that evaluates a cloud provider’s offerings for STAR Attestation must be a certified public accountant (CPA) and is required to have the CSA Certificate in Cloud Security Knowledge (CCSK).

A SOC 2 Type 2 audit is based on American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria, including security, availability, confidentiality, and processing integrity, and the criteria in the CCM. STAR Attestation provides an auditor’s findings on the design suitability and operating effectiveness of SOC 2 controls in Microsoft cloud services. The objective is to meet both the AICPA criteria mentioned above and requirements set forth in the CCM.

Manage your compliance from one place

Perform ongoing risk assessment, get actionable insights, and simplify your compliance process when using Microsoft cloud services with Compliance Manager.

Frequently asked questions

The CCM corresponds to industry-accepted security standards, regulations, and control frameworks such as ISO/IEC 27001, PCI DSS, HIPAA, AICPA SOC 2, NERC CIP, FedRAMP, NIST, and many more. For the most current list, visit the CSA website.

You can download the CSA STAR Attestation for Azure, which also covers Intune, from the CSA Registry.

  • Level 1: CSA STAR Self-Assessment: Azure, Microsoft Dynamics 365, and Microsoft Office 365. The Self-Assessment is a complimentary offering from cloud service providers to document their security controls to help customers assess the security of the service.
  • Level 2: CSA STAR Certification: Azure, Cloud App Security, Intune, and Microsoft Power BI. STAR Certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the CCM. It is awarded after a rigorous third-party assessment of the security controls and practices of a cloud service provider.
  • Level 2: CSA STAR Attestation: Azure and Intune. CSA and the AICPA have collaborated to provide guidelines for CPAs to use in conducting SOC 2 engagements, using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA CCM. STAR Attestation is based on these guidelines and is awarded after rigorous independent assessments of cloud providers.