Dissemination and facilitation of any information regarding a resource that is not part of the customer's tenant with the Shared Responsibility Model and Entra ID Artifact Reference Guide - ToddMaxey/Technical-Documentation GitHub Wiki



When communicating with customers regarding their request for information about an Azure resource that they do not control...


Exact text from MSRC website

From https://msrc.microsoft.com/report/abuse

Please understand that your incident may be originating from customers who run their own applications and websites on the Azure platform. As a cloud provider, Microsoft is not positioned to arbitrate disputes between parties that should be handled through other dispute resolution mechanisms, including legal action. We do require Azure customers to abide by Microsoft’s Acceptable Use Policy in our Online Services Terms. We will investigate complaints of malicious or illegal activity. As part of this, we may notify our customer and ask them to resolve the issue, but will not share your contact information if you selected “Anonymize Report” above. If you selected “Do Not Anonymize Report” above, we may share your contact information so our customer can work with you directly. Where our customers fail to comply with our policies, we reserve the right to take appropriate action, including suspending their service.

For more information on Microsoft Azure, please see https://www.azure.com.


Microsoft’s stated policies and procedures on the disclosure of information about another person’s or organization’s account or Azure tenant to non-affiliated individuals or organizations are governed by strict legal, contractual, and privacy standards. Here is a detailed breakdown of what is allowed and disallowed, based on Microsoft’s general policies and compliance with applicable regulations such as GDPR, HIPAA, and others:


General Guidelines

  1. No Unauthorized Disclosure

    Microsoft will not disclose any information about an individual’s or organization’s account, services, or Azure tenant to a non-affiliated third party without explicit authorization. This includes tenant details, billing information, subscription data, and service configurations.

  2. Explicit Consent Requirement

    Disclosure of information requires explicit consent from the account or tenant owner, typically through written authorization or documented permissions via Microsoft’s systems.

  3. Identity Verification

    Even with authorization, requestors must undergo strict identity verification before any information is shared.


Allowed Disclosures

  1. Publicly Available Information

    Information explicitly published by the account or tenant owner (e.g., publicly accessible Azure services or websites) can be accessed by anyone. Microsoft is not responsible for controlling access to publicly available data.

  2. Compliance with Legal Orders

    Microsoft may disclose information if required by law, such as in response to:

    • A valid subpoena or court order.

    • A request by law enforcement with appropriate legal justification.

    In such cases, Microsoft evaluates requests to ensure they meet legal and jurisdictional requirements before compliance.

  3. Security Incident Notifications

    If Microsoft detects a security incident affecting multiple tenants, it may notify potentially impacted tenants or the security community without compromising the confidentiality of specific organizations.


Disallowed Disclosures

  1. Account Details to Non-Affiliated Parties

    Microsoft will not provide account details (e.g., subscription IDs, tenant IDs, user data) to anyone not explicitly authorized by the account or tenant owner.

  2. Customer Data

    Microsoft is bound by contractual agreements and legal obligations (e.g., GDPR, CCPA) not to disclose customer data, including:

    • Personally Identifiable Information (PII).

    • Service configurations.

    • Access logs or activity details.

  3. Tenant-Specific Metadata

    Information about an organization’s tenant (e.g., Azure AD configurations, users, groups, licenses) is strictly limited to authorized representatives of that tenant.

  4. Cross-Tenant Information

    Microsoft will not share details about one tenant's resources, activities, or configurations with another tenant unless explicit authorization is granted by both parties.

  5. Incident Response Details Without Affiliation

    During an investigation or incident response, Microsoft does not share details about other tenants or accounts unless they are directly involved or impacted and proper authorization is obtained.


Additional Safeguards

  1. Confidentiality Agreements

    Microsoft employees and contractors are bound by strict confidentiality agreements to prevent unauthorized sharing of customer information.

  2. Secure Access Controls

    Requests for customer information must go through secure, logged systems, with proper documentation of the requestor's identity, authorization, and purpose.

  3. Regulatory Compliance

    Microsoft adheres to global and regional regulations (e.g., GDPR in Europe, HIPAA in the US) that restrict unauthorized access or sharing of customer data.


Request Handling

Microsoft follows a rigorous process when handling information requests:

  1. Verification of Authorization: The requestor must prove their identity and affiliation with the account or tenant.

  2. Scope Review: Microsoft evaluates whether the requested information falls within what can be legally or contractually shared.

  3. Documentation: All interactions are logged to maintain a transparent record.


References

Key documents governing these policies include:

  1. Microsoft Privacy Statement

    (https://privacy.microsoft.com/en-us/privacystatement)

  2. Data Protection Addendum (DPA)

    (https://www.microsoft.com/licensing/docs/view/Data-Protection-Addendum-DPA)

  3. Microsoft Trust Center - Security, Privacy, and Compliance

    (https://www.microsoft.com/trust-center)

  4. Azure Legal Information

    (https://azure.microsoft.com/en-us/support/legal/)

By adhering to these principles, Microsoft ensures the confidentiality, integrity, and security of customer data, while complying with legal and regulatory requirements globally.


Shared Responsibility Model and Entra ID Artifact Reference Guide

Microsoft Azure Shared Responsibility matrix

Microsoft Incident Response guides

Downloadable PDF

Forensic artifacts-in-O365 and where to find them