Share via


Personnel management overview

How does Microsoft screen prospective employees?

Microsoft follows rigorous personnel screening requirements for all candidates, which includes full-time, part-time employees and interns. All candidates are screened prior to beginning employment at Microsoft.

Background checks on employment candidates generally include review of the following components, to the extent permitted by law:

  • Identity check
  • Education verification
  • Employment verification
  • Criminal record review
  • Sex offender registry review
  • Global sanctions list review

What additional checks are performed for employees that manage cloud services?

In addition to pre-employment screening, Microsoft employees who maintain Microsoft online services in the United States must undergo a Microsoft Cloud Background Check as a prerequisite for access to online services systems. The requirements of background check vary to comply with applicable laws and service delivery models. Evidence of the Microsoft Cloud Background Check is stored in our employee database and must be renewed every two years at a minimum. If the Microsoft Cloud Background Check expires and the employee doesn’t renew it, access eligibilities are revoked until the Microsoft Cloud Background Check is completed. Likewise, when the employment relationship with Microsoft ends, all access is immediately revoked.

How does Microsoft ensure employees maintain sufficient skills and knowledge to perform their responsibilities and follow Microsoft policies?

All Microsoft employees are required to complete foundational security and privacy awareness training. Initial training occurs when a new employee begins working at Microsoft, and annual refresher training takes place every year thereafter. The training is designed to provide the employee with an understanding of Microsoft's fundamental approach to security and privacy. Applicable role-based training is also required prior to granting any specific access needed for an individual's job responsibilities. Microsoft employees' security training is refreshed on an annual basis, and when system or policy changes warrant new training.

In addition to security and privacy awareness training, Microsoft employees must complete Standards of Business Conduct training. This training includes business ethics, employee safety, anti-harassment, and zero tolerance for non-ethical behavior. At the end of the course, employees must attest that they’ll abide by the Microsoft code of business conduct, which is tracked at the organization level. The Standards of Business Conduct training is refreshed on an annual basis.

How does Microsoft revoke access for employees who leave Microsoft?

Microsoft uses clearly defined policies and procedures to promptly revoke physical and logical access to Microsoft systems and resources when an employee leaves Microsoft or is terminated. Microsoft's termination process ensures that former Microsoft employees can’t access data or systems after their employment ends.

When a service team member's employment is marked as terminated, this information propagates to the Microsoft account management tool, which automatically removes the terminated employee's domain account. Any access badges or other physical authenticators issued to the terminated employee are collected at the time of the exit interview or termination.

How does Microsoft ensure third-party suppliers meet the same personnel requirements as Microsoft employees?

Microsoft online services require third-party suppliers to have a signed Master Supplier Services Agreement (MSSA). This agreement requires the supplier to comply with Microsoft policies and procedures, including personnel security policies and procedures. Microsoft monitors compliance with screening requirements for third-party personnel by tracking the outcome of screening directly. Microsoft requires suppliers to conduct background screens for all people who need access to Microsoft’s facilities and/or network. For specific roles, a Supplier may be required to provide attestation as evidence that the person completed the cloud background screen requirements.

For more information specifically addressing suppliers, please read Supplier management overview

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to human resources.

Azure and Dynamics 365

External audits Section Latest report date
ISO 27001

Statement of Applicability
Certificate
A.7: Human resource security April 8, 2024
ISO 27017

Statement of Applicability
Certificate
A.7: Human resource security April 8, 2024
SOC 1 IS-4: Security training
OA-3: Account revocation
May 20, 2024
SOC 2
SOC 3
C5-2: Supplier risk assessment
ELC-6: Supplier code of conduct
IS-4: Security training
OA-3: Account revocation
SOC2-1: Disciplinary actions
SOC2-12: Background checks
SOC2-13: Employment agreements
SOC2-14: Confidentiality and non-disclosure agreements
May 20, 2024

Microsoft 365

External audits Section Latest report date
FedRAMP (Office 365) AT-2: Security awareness
AT-3: Role-based security training
AT-4: Security training records
PS-3: Personnel screening
PS-4: Personnel termination
PS-5: Personnel transfer
PS-7: Third-party personnel security
July 31, 2023
ISO 27001/27017

Statement of Applicability
Certification (27001)
Certification (27017)
A.7: Human resource security March 2024
SOC 1 CA-08: Background checks
CA-43: Account revocation
January 23, 2024
SOC 2 CA-07: Standards of Business Conduct (SBC)
CA-08: Background checks
CA-43: Account revocation
ELC-08/13/14: Employment agreements
January 23, 2024