Home > Docs > Best Practices > Security > SOC 2 Type II Readiness

🔐 SOC 2 Type II Readiness on Microsoft Fabric¶

Last Updated: 2026-04-27 | Version: 1.0.0 | Anchor for: Wave 5 Security & Compliance doc set

Disclaimer: This document provides architectural and technical guidance for SOC 2 Type II readiness on Microsoft Fabric. It is not legal or auditing advice. Engage a qualified CPA firm to perform the actual SOC 2 examination. Verify control mappings with your audit firm before relying on them in an examination.

📑 Table of Contents¶

• 🎯 Overview
• 📋 SOC 2 Fundamentals
• 🔍 Trust Services Criteria → Fabric Controls
• 🏗️ Reference Architecture
• ⚙️ Common Criteria (CC) Implementation
• 🔒 Security TSC Implementation
• ⚡ Availability TSC Implementation
• 🧩 Processing Integrity TSC Implementation
• 🤐 Confidentiality TSC Implementation
• 👤 Privacy TSC Implementation
• 📊 Evidence Collection
• 🗂️ Control Matrix Template
• 📅 Examination Period Preparation
• 🚫 Anti-Patterns
• 📋 Production Readiness Checklist
• 📚 References

🎯 Overview¶

SOC 2 Type II is the gold-standard SaaS security report. It's not a certification — it's an attestation by a CPA firm that, over a defined examination period (typically 6-12 months), the service organization's controls operated effectively per the AICPA Trust Services Criteria. Microsoft Fabric customers building SaaS or providing services to enterprise customers face SOC 2 as a routine sales requirement.

Why SOC 2 Type II Matters for Fabric Workloads¶

What This Document Covers¶

• Mapping each Trust Services Criterion to a concrete Fabric control or configuration
• Evidence-collection patterns: where audit logs live, what to extract, retention requirements
• Examination-period preparation: 12 months of trailing evidence
• Common gotchas Fabric customers hit during examination
• A control matrix template you can hand to your auditor

📝 Scope: This is the anchor doc for Phase 14 Wave 5. Sub-topics get their own deep-dive docs: ISO 27001 mapping, GDPR right to deletion, CCPA privacy rights, STRIDE threat model, zero-trust blueprint, data exfiltration prevention, supply chain security, audit trail immutability.

📋 SOC 2 Fundamentals¶

Type I vs Type II¶

Most enterprise customers reject Type I and will only accept Type II. Plan for Type II from the start.

The Five Trust Services Criteria (TSC)¶

For most Fabric-based SaaS: - Security + Availability + Confidentiality is the typical baseline - Add Processing Integrity if you do data transformations on behalf of customers - Add Privacy if you collect end-user PII (and align with GDPR / CCPA)

🔍 Trust Services Criteria → Fabric Controls¶

This is the canonical mapping auditors will ask for. Every Common Criterion (CC1-CC9) and category criterion below maps to specific Fabric configurations.

Control Mapping Table¶

⚠️ Caveat: This mapping is a starting point. Your auditor will interpret criteria slightly differently. Walk through this matrix with your auditor in the planning phase — adjust before the examination period starts.

🏗️ Reference Architecture¶

flowchart TB
    subgraph Identity["🆔 Identity & Access (CC5, CC6)"]
        Entra[Entra ID]
        WI[Workspace Identity]
        CA[Conditional Access]
        RBAC[Workspace RBAC]
    end

    subgraph Network["🌐 Network (CC5.2)"]
        PE[Private Endpoints]
        OAP[Outbound Access Protection]
        IPF[IP Firewall]
    end

    subgraph Data["📦 Data Protection (CC6.4-6.6)"]
        Labels[Sensitivity Labels]
        CMK[Customer-Managed Keys]
        OLS[OneLake Security]
        TLS[TLS 1.2+]
    end

    subgraph Logging["📊 Logging & Monitoring (CC4, CC6.7)"]
        WM[Workspace Monitoring]
        LA[Log Analytics]
        ALG[Action Groups]
        Sentinel[Microsoft Sentinel]
    end

    subgraph CICD["🔄 Change Management (CC8)"]
        Git[Git + Branch Protection]
        FCICD[fabric-cicd]
        DepPipes[Deployment Pipelines]
        CAB[CAB Approval]
    end

    subgraph DR["🛡️ Resilience (CC7, A1)"]
        Backup[OneLake Geo-Redundancy]
        Failover[Multi-Region Failover]
        DRT[DR Testing]
    end

    subgraph Audit["📜 Audit Evidence"]
        AuditLog[(Immutable Audit Logs)]
        ControlMatrix[(Control Matrix)]
        Postmortems[(Postmortems)]
    end

    Entra --> RBAC
    WI --> RBAC
    CA --> Entra
    PE --> Data
    OAP --> Data
    Labels --> Data
    CMK --> Data
    OLS --> Data
    Data --> Logging
    Identity --> Logging
    Logging --> Sentinel
    CICD --> Audit
    DR --> Audit
    Logging --> Audit

⚙️ Common Criteria (CC) Implementation¶

CC5.1 — Logical Access (Authentication & Authorization)¶

Control statement: "Logical access to data, applications, and infrastructure is restricted to authorized users."

Fabric Implementation:

Evidence to collect: - Entra ID Conditional Access policy export (monthly snapshot) - Workspace IAM membership snapshots (weekly) - Access review attestation records (quarterly) - Privileged role activation logs (continuous)

// Audit-friendly query: list all privileged access activations in last 90 days
AuditLogs
| where TimeGenerated > ago(90d)
| where ActivityDisplayName == "Add member to role completed (PIM activation)"
| project TimeGenerated, InitiatedBy, TargetResources, Result

CC5.2 — Environment Hardening¶

Control statement: "Network and computing environments are protected via firewalls, encryption, and segmentation."

Fabric Implementation:

CC6.7 — Logging & Monitoring¶

Every Fabric item emits to: - Workspace Monitoring (KQL-native, 30-day default) - Log Analytics (Azure Monitor, 90-day default with tiered archive) - Microsoft Purview (audit, lineage) - Microsoft Sentinel (security analytics, optional)

Retention requirements for SOC 2: - Authentication events: minimum 12 months - Privileged access: minimum 18 months - Data access (if Confidentiality TSC): minimum 12 months - Configuration changes: minimum 12 months - Security alerts and incident records: minimum 18 months

⚠️ Gotcha: Default Log Analytics retention is 30 days. Configure at least 12 months for SOC 2 compliance. See infra/modules/monitoring/log-analytics-workspace.bicep (Wave 1) — retentionInDays: 365 minimum.

CC8.1 — Change Management¶

Control statement: "Changes are evaluated, approved, and tracked."

Fabric Implementation:

Evidence to collect: - Quarterly: every production change with PR link, approver, deployment artifact, test evidence - Annual: rollback drill records

🔒 Security TSC Implementation¶

Already covered in CC1-CC9. The Security TSC is essentially the Common Criteria in SOC 2 vocabulary.

⚡ Availability TSC Implementation¶

A1.1 — Capacity Adequacy¶

Evidence: Monthly capacity utilization reports + scaling event logs.

A1.2 — Environmental Controls¶

Microsoft-managed via Azure data centers. Auditor will accept Microsoft's SOC 2 (subservice organization).

A1.3 — DR Testing¶

🧩 Processing Integrity TSC Implementation¶

Evidence: GE checkpoint pass rates per quarter; failed-check incident records; freshness SLO reports.

🤐 Confidentiality TSC Implementation¶

Evidence: Quarterly sensitivity-label audit; access logs filtered to Confidential-tagged tables; deletion attestation per DSAR.

👤 Privacy TSC Implementation¶

If choosing Privacy TSC, also align with GDPR and CCPA.

📊 Evidence Collection¶

The most-undercounted SOC 2 work is continuous evidence collection across the 12-month examination period.

Evidence Categories¶

Continuous Evidence Pattern¶

Every CC criterion should have an automated query that produces evidence on demand. Store these in a control library and run them as a scheduled report.

# Example: CC6.1 — Privileged access monthly report
import datetime
from pathlib import Path

def generate_cc6_1_evidence(month: str, output_dir: Path) -> Path:
    """Generate CC6.1 monthly evidence: privileged role activations."""
    kql = """
    AuditLogs
    | where TimeGenerated >= startofmonth(now())
    | where TimeGenerated <  startofmonth(now()) + 30d
    | where ActivityDisplayName has "PIM activation"
    | project TimeGenerated, InitiatedBy.user.userPrincipalName,
              TargetResources, Result
    | order by TimeGenerated asc
    """
    df = run_log_analytics_query(kql)
    out = output_dir / f"CC6.1-{month}-privileged-access.csv"
    df.to_csv(out, index=False)
    return out

Evidence Storage¶

• Immutable storage — Azure Blob with immutability policy or Storage Account WORM
• Retention — minimum 12 months past examination period (so 24 months total for the previous Type II)
• Access — auditor read-only access via short-lived SAS or Entra group

See audit trail immutability doc for tamper-evident workflows.

🗂️ Control Matrix Template¶

The deliverable to your auditor — a control matrix mapping each TSC criterion to control description, control owner, evidence location, test frequency, and exceptions.

A copy-paste template is provided in docs/compliance-templates/soc2-control-matrix.md (landing in batch 5b).

📅 Examination Period Preparation¶

12 Months Before Examination¶

• Engage CPA firm; agree on scope (which TSCs)
• Run readiness assessment (gap analysis)
• Remediate gaps
• Begin continuous evidence collection
• Train team on documentation discipline

Quarterly During Examination¶

• Quarterly evidence review (does each control have evidence?)
• Quarterly access review (privileged + standard)
• Quarterly DR drill (or annual minimum)
• Quarterly capacity review

30 Days Before Audit Field Work¶

• Compile control matrix
• Stage all evidence in auditor-accessible location
• Schedule auditor walkthroughs
• Brief leadership on likely findings

During Audit (typically 2-4 weeks)¶

• Daily auditor sync
• Respond to PBC (provided-by-client) requests within SLA
• Escalate disagreements via management response

Post-Audit¶

• Receive draft report
• Provide management response to any exceptions
• Plan remediation for next year's report
• Distribute report under NDA to customers

🚫 Anti-Patterns¶

📋 Production Readiness Checklist¶

Before declaring "SOC 2 Type II ready":

• CPA firm engaged, scope documented (TSCs selected)
• Control matrix completed and reviewed with auditor
• Every CC criterion has a named control owner
• Every control has documented evidence query/path
• Evidence stored in immutable, audit-accessible storage
• Retention configured ≥ 12 months for all SOC 2-relevant logs
• CMK enabled and rotation policy documented
• Private Endpoints + Workspace IP firewall configured
• OAP enabled where applicable
• Workspace Identity used for service-to-service auth
• Conditional Access requires MFA + device compliance
• Quarterly access review process running
• Quarterly DR drill scheduled and run at least once
• All runbooks current (reviewed in last 90 days)
• Postmortem template + register active
• Risk register maintained
• Sub-processor list and DPAs documented
• Privacy notice published (if Privacy TSC selected)
• Vendor management process documented (CC9.2)
• Penetration test scheduled (annual minimum)
• Security awareness training tracked
• Incident response runbook tested via tabletop
• Hotfix process documented with post-hoc CAB
• Change-management RFC template adopted
• All deployments traceable to approved RFC
• Control matrix walkthrough scheduled with auditor

📚 References¶

AICPA & Industry Standards¶

• AICPA SOC 2 Guide
• Trust Services Criteria
• AICPA Service Organization Control Reports

Microsoft Resources¶

• Microsoft Trust Center — SOC 2
• Microsoft Fabric Security Documentation
• OneLake Security
• Workspace Identity

Related Wave 5 Docs (this Wave)¶

• ISO 27001 Mapping
• GDPR Right to Deletion
• CCPA Privacy Rights
• STRIDE Threat Model
• Zero-Trust Blueprint
• Data Exfiltration Prevention
• Supply Chain Security
• Audit Trail Immutability

Related Operational Docs (Wave 1)¶

• Incident Response Template
• Multi-Region Failover Runbook
• Tenant Migration Runbook
• SLO/SLI for Fabric
• Change Management
• Observability Stack

Related Existing Docs¶

• Data Governance Deep Dive
• Identity & RBAC Patterns
• Network Security
• Customer-Managed Keys
• Outbound Access Protection

Compliance Templates¶

• SOC 2 Control Matrix Template (Wave 5 batch 5b)
• DSAR Runbook Template (Wave 5 batch 5b)

⬆️ Back to Top | 📚 Security Index | 🏠 Home