Microsoft 365 Compliance Audit Guide for HIPAA, SOC 2, and CIS

Compliance Is Not Optional — Even for Small Businesses

If your clients handle health records, they need HIPAA compliance. If they process payments, PCI-DSS applies. If they sell to enterprise customers, those customers will ask about SOC 2. And CIS Benchmarks provide a universally respected security baseline regardless of industry.

Microsoft 365 has the tools to support all of these frameworks, but the settings are not configured by default. As an MSP, running compliance audits against these frameworks is both a risk management necessity and a revenue opportunity.

Understanding Microsoft 365 Compliance Manager

Compliance Manager is built into the Microsoft 365 compliance center and provides a compliance score based on how well your tenant’s configuration aligns with specific regulatory frameworks.

Key features:

• Pre-built assessment templates for HIPAA, SOC 2, NIST 800-53, CIS Benchmarks, GDPR, and more
• Improvement actions with specific configuration steps
• Score tracking over time to demonstrate compliance progress
• Evidence collection for audit documentation

How to use it effectively:

• Start by adding the relevant assessment templates for your client’s industry
• Review the improvement actions sorted by score impact (highest first)
• Focus on “Microsoft-managed” vs “customer-managed” actions — you are responsible for the customer-managed ones
• Export evidence and reports for auditor review

HIPAA Compliance in Microsoft 365

Healthcare organizations and their business associates must comply with HIPAA’s Security Rule, Privacy Rule, and Breach Notification Rule. Here are the critical M365 settings:

Access controls (HIPAA 164.312(a)):

• MFA enforced for all users accessing ePHI
• Conditional Access policies restricting access by device compliance and location
• Role-based access to SharePoint sites containing health records
• Regular access reviews for users with access to ePHI

Audit controls (HIPAA 164.312(b)):

• Unified audit logging enabled (verify this — it should be on by default)
• Extended audit log retention (minimum 6 years for HIPAA, requires E5 or add-on licensing for beyond 90 days)
• Alert policies for unauthorized access attempts to ePHI repositories
• Regular audit log reviews (quarterly at minimum)

Transmission security (HIPAA 164.312(e)):

• TLS enforcement for email in transit
• Message encryption for emails containing PHI sent externally
• Sensitivity labels applied to PHI documents with encryption
• DLP policies preventing PHI from being shared via unapproved channels

Data retention and disposal:

• Retention policies for email and documents containing ePHI
• Litigation hold capability for legal preservation
• Documented data disposal procedures

SOC 2 Compliance in Microsoft 365

SOC 2 audits evaluate controls across five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy.

Security (Common Criteria):

• MFA and Conditional Access enforcement
• Privileged access management (PIM)
• Network security (Conditional Access location policies)
• Change management (audit logs for admin actions)
• Vulnerability management (Microsoft Secure Score tracking)

Confidentiality:

• Data classification with sensitivity labels
• DLP policies preventing unauthorized disclosure
• Encryption at rest and in transit (enabled by default in M365, but verify)
• Access controls restricting data to authorized personnel

Availability:

• Microsoft’s SLA and service health monitoring
• Backup and recovery procedures (native M365 retention plus third-party backup if required)
• Incident response procedures documented and tested

CIS Microsoft 365 Foundations Benchmark

The CIS Benchmark for M365 is the most prescriptive and actionable framework. It provides specific configuration recommendations with pass/fail criteria.

High-priority CIS recommendations:

• Ensure MFA is enabled for all users (CIS 1.1.1)
• Ensure legacy authentication is blocked (CIS 1.1.6)
• Ensure the admin consent workflow is enabled (CIS 1.3)
• Ensure DLP policies are enabled (CIS 2.1)
• Ensure external sharing is managed appropriately (CIS 3.1)
• Ensure audit logging is enabled (CIS 5.1)
• Ensure mail forwarding rules are reviewed (CIS 4.1)
• Ensure Safe Attachments and Safe Links are enabled (CIS 4.5, 4.6)

Using the CIS Benchmark effectively:

• Download the latest benchmark from cisecurity.org
• Map each recommendation to your client’s M365 configuration
• Document pass/fail status with evidence
• Prioritize failed items by risk level
• Track remediation progress over time

Building a Compliance Audit Workflow

For MSPs managing multiple clients, compliance audits need to be systematic and repeatable.

Quarterly compliance audit process:

1. Run automated security assessment to capture current configuration state
2. Map findings against applicable compliance frameworks
3. Document compliance gaps with specific remediation steps
4. Present findings to the client with prioritized action items
5. Remediate high-priority gaps
6. Re-assess to verify remediation
7. Archive the assessment report as compliance evidence

Automate Compliance Assessments

Manually checking every CIS Benchmark recommendation or HIPAA requirement across multiple tenants is not sustainable. 365 Security Assessment maps its findings against major compliance frameworks, giving you an instant view of where each client stands.

The platform checks over 11,000 data points and maps them against CIS Benchmarks, MITRE ATT&CK, and common compliance requirements — producing audit-ready reports that document your client’s compliance posture.

Start your free compliance assessment and deliver your first compliance report today.