Human resources overview

How does Microsoft screen prospective employees?

Microsoft follows rigorous personnel screening requirements for all employees, interns, and contingent staff. All candidates are pre-screened prior to beginning employment at Microsoft.

Background checks on employment candidates generally include review of the following components, to the extent permitted by law:

  • Identity check
  • Education verification
  • Employment verification
  • Criminal record review
  • Sex offender registry review
  • Global sanctions list review

What additional checks are performed for employees that manage cloud services?

In addition to pre-employment screening, Microsoft employees who maintain Microsoft online services in the United States must undergo a Microsoft Cloud Background Check as a prerequisite for access to online services systems. The requirements of background check vary to comply with applicable laws and service delivery models. The results from the Microsoft Cloud Background Check are stored in our employee database and must be renewed every two years at a minimum. If the Microsoft Cloud Background Check expires and the employee does not renew it, access to online services is revoked and no longer available until the Microsoft Cloud Background Check is completed. Likewise, when the employment relationship with Microsoft ends, all access is immediately revoked.

How does Microsoft ensure employees maintain sufficient skills and knowledge to perform their responsibilities and follow Microsoft policies?

All Microsoft employees are required to complete basic security awareness training. Initial training occurs when a new employee begins working at Microsoft, and annual refresher training takes place every year thereafter. The training is designed to provide the employee with an understanding of Microsoft's fundamental approach to security. Applicable role-based security training is also required prior to granting any specific access needed for an individual's job responsibilities. Microsoft employees' security training is refreshed on an annual basis, and when system or policy changes warrant new training.

In addition to security awareness training, Microsoft employees must complete Standards of Business Conduct training. This training includes business ethics, employee safety, privacy, anti-harassment, and zero tolerance for non-ethical behavior. At the end of the course, employees must attest that they will abide by the Microsoft code of business conduct, which is tracked at the organization level. The Standards of Business Conduct training is refreshed on an annual basis.

How does Microsoft revoke access for employees who leave Microsoft?

Microsoft uses clearly defined policies and procedures to promptly revoke physical and logical access to Microsoft systems and resources when an employee leaves Microsoft or is terminated. Microsoft's termination process ensures that former Microsoft employees cannot access data or systems after their employment ends.

When a service team user's employment is marked as terminated, this information propagates to the Microsoft account management tool, which automatically removes the terminated employee's domain account. Any access badges or other physical authenticators issued to the terminated employee are collected at the time of the exit interview or termination.

How does Microsoft ensure third-party suppliers meet the same personnel requirements as Microsoft employees?

Microsoft online services require third-party suppliers to have a signed Master Supplier Services Agreement (MSSA). This agreement requires the supplier to comply with Microsoft policies and procedures, including personnel security policies and procedures. Microsoft monitors compliance with screening requirements for third-party personnel by tracking the outcome of screening directly. Microsoft requires suppliers to submit screening outcomes for third-party personnel directly to Microsoft.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to human resources.

Azure and Dynamics 365

External audits Section Latest report date
ISO 27001/27002

Statement of Applicability
Certification
A.7: Human resource security December 2, 2020
ISO 27017

Statement of Applicability
Certification
A.7: Human resource security December 2, 2020
SOC 1 IS-4: Security training
OA-3: Account revocation
March 31, 2021
SOC 2
SOC 3
C5-2: Supplier risk assessment
ELC-6: Supplier code of conduct
IS-4: Security training
OA-3: Account revocation
SOC2-1: Disciplinary actions
SOC2-12: Background checks
SOC2-13: Employment agreements
SOC2-14: Confidentiality and non-disclosure agreements
March 31, 2021

Office 365

External audits Section Latest report date
FedRAMP AT-2: Security awareness
AT-3: Role-based security training
AT-4: Security training records
PS-3: Personnel screening
PS-4: Personnel termination
PS-5: Personnel transfer
PS-7: Third-party personnel security
September 24, 2020
ISO 27001/27002/27017

Statement of Applicability
A.7: Human resource security April 20, 2021
SOC 1 CA-08: Background checks
CA-43: Account revocation
December 24, 2020
SOC 2 CA-07: Standards of Business Conduct (SBC)
CA-08: Background checks
CA-43: Account revocation
ELC-08/13/14: Employment agreements
December 24, 2020