Microsoft Entra ID compliance
★★★★★ 4.6 CE

Microsoft Entra ID Compliance & Certifications 2026

Entra ID inherits Azure's estate: FedRAMP High, SOC 1/2/3, the ISO family and more. Watch the scope, since key controls need a P1 or P2 license.

Microsoft Entra ID Compliance verdict

Verified today·4 sources checked

Microsoft Entra ID carries one of the deepest compliance estates available, because it ships inside Azure.

Azure holds a FedRAMP High Provisional ATO, the highest bar at 421 NIST 800-53 controls, listed independently on the FedRAMP Marketplace as Class D High with 88 ATOs and 597 reuses. Entra ID Free, P1, P2 and Governance are named in scope.

What it means for your security review

For a compliance buyer already in the Microsoft ecosystem, Entra ID is close to a default. The certifications you are likely to need are inherited from Azure's estate and independently verifiable on the FedRAMP Marketplace, where the High P-ATO shows heavy real-world reuse. Confirm the cloud, commercial or Azure Government, and the US-region scope that match your obligations. Then pull the actual SOC 2 and ISO certificates from the Service Trust Portal, and for federal work request the FedRAMP package with a government email. Check that the Entra edition you are buying, Free, P1 or P2, includes the controls your auditors expect, since Conditional Access, ID Protection and PIM are P1 or P2 features. Treat the long badge list as an index, not the proof.

Honest limits
  • FedRAMP authorization belongs to Azure and is independently listed by the regulator. Entra ID editions are in that scope, but coverage is for US regions and named editions, not automatically everything.
  • Many security controls, such as Conditional Access, ID Protection and PIM, require Entra ID P1 or P2. The certification scope and the licensed feature set are two different questions.
  • Commercial cloud and Azure Government are distinct authorizations. Government tiers, including DoD IL5 and screened US persons, are separate from the commercial FedRAMP High P-ATO.
FedRAMP
High (Class D), JAB P-ATO
Federal reuse
88 ATOs / 597 reuses
Entra in scope
Free, P1, P2, Governance
Core families
SOC 1/2/3, ISO 27001/17/18/701
AI + health
ISO 42001, HIPAA, PCI DSS
View sources

This page covers Entra's compliance posture and evidence. Its general capabilities and deployment mechanics live on their own pages.

Microsoft Entra ID certifications and the evidence behind them

FrameworkStatusEvidence to request
SOC 1 / SOC 2 / SOC 3AttestedReports on the Service Trust Portal, downloadable after sign-in
ISO 27001 / 27017 / 27018 / 27701CertifiedISMS, cloud-security, cloud-privacy and PIMS certificates
FedRAMP (Azure Commercial)Authorized, Class D (High)Regulator-listed: 88 ATOs / 597 reuses; Entra ID Free, P1, P2 and Governance in scope
PCI DSS / HIPAA / HITECHCompliantPayment and healthcare data handling, plus PCI-3DS
FIPS 140-2 / NIST 800-171 / NIST CSFValidatedUS federal cryptographic and control baselines
DoD IL2 / IL5 / CJISAuthorizedUS Department of Defense and criminal-justice tiers
CSA STAR / HITRUST / IRAP / C5CertifiedCloud-assurance registry plus regional regimes (AU IRAP, DE C5)
ISO 42001 (AI management)CertifiedEmerging AI-governance standard

Compliance evidence to request from Microsoft Entra ID

EvidenceTypeHow to get it
SOC 1 / 2 / 3 reportsReportService Trust Portal, after sign-in
FedRAMP authorization packagePackageFedRAMP Marketplace, .gov or .mil email
System Security Plan, ConMon reports, POA&MReportService Trust Portal, under NDA
Annual penetration-test reportReportFedRAMP-accredited 3PAO, posted to the STP
Azure Policy FedRAMP compliance initiativeControl mappingBuilt-in initiative by responsibility

What to verify before you rely on Microsoft Entra ID

  • The FedRAMP High P-ATO covers US Azure regions only; regions outside the US are not formally JAB-authorized, so confirm your deployment region.
  • A P-ATO is a foundation, not a finish line: a government agency still needs to issue its own ATO using it before you can operate.
  • The strongest evidence is gated: the FedRAMP package needs a .gov or .mil email, and the SSP, continuous-monitoring reports and POA&M are available only under NDA.
  • Confirm which Entra edition carries the control you need: the FedRAMP scope names Free, P1 and P2 separately, and Conditional Access, ID Protection and PIM require P1 or P2.

Microsoft Entra ID Compliance FAQ

Is Microsoft Entra ID FedRAMP authorized?

Yes, through Azure. Azure and Azure Government hold a FedRAMP High Provisional ATO from the Joint Authorization Board, the highest FedRAMP bar. The US-government FedRAMP Marketplace independently lists Azure Commercial Cloud as Certified at Class D, or High, with 88 authorizations and 597 reuses. It names Microsoft Entra ID Free, P1, P2, plus Governance among the certified services in scope. This covers US Azure regions. Non-US regions are not formally JAB-authorized.

Which compliance certifications does Microsoft Entra ID inherit?

A very broad estate. It includes SOC 1, SOC 2, SOC 3, the ISO 27001, 27017, 27018, 27701 family, plus ISO 42001 for AI management. It also covers PCI DSS, HIPAA, HITECH, FIPS 140-2, CSA STAR certification and attestation, HITRUST, FedRAMP High, plus DoD IL2 and IL5 for government. Dozens of regional regimes sit on top, such as IRAP in Australia, C5 in Germany, ISMAP in Japan, plus GDPR and DORA in the EU.

How do I get Entra/Azure compliance evidence?

From the Microsoft Service Trust Portal. SOC and ISO reports are downloadable after you sign in with an Azure subscription. For FedRAMP, request the package from the FedRAMP Marketplace using a .gov or .mil email. You can also get the System Security Plan and continuous-monitoring reports under NDA from a restricted Service Trust Portal section. Penetration tests are run annually by an accredited third-party assessor and posted to the portal.

Does the Entra edition affect compliance coverage?

It affects which controls you can actually use. The FedRAMP scope names Entra ID Free, P1, P2 separately, and many of the controls auditors expect, such as Conditional Access, ID Protection and Privileged Identity Management, require P1 or P2. So separate two questions. One is whether the platform is certified, which it broadly is. The other is whether your licensed edition includes the specific control your framework requires.

What should I verify before relying on Entra for compliance?

Confirm your deployment region is in scope, since FedRAMP High covers US Azure regions and not non-US ones. Choose between the commercial cloud and Azure Government early, because government tiers add screened-US-persons handling and separate authorizations. Remember that a P-ATO still needs your agency's own ATO. Then download the actual SOC 2 and ISO certificates and the FedRAMP pen-test report from the Service Trust Portal rather than trusting the badge list.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
Microsoft EntraOfficial product pageJuly 10, 2026
FedRAMP MarketplaceFedRAMP authorization statusJuly 10, 2026
Microsoft LearnRegulatory Offering HomeJuly 10, 2026
Microsoft LearnOfferings Offering FedrampJuly 10, 2026

Every fact on this Microsoft Entra ID page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.