Azure's compliance portfolio is impressive on paper. Here is what the implementation actually requires in healthcare, finance, and defence.
The Compliance Portfolio Is Not a Turnkey Compliance Solution
Azure maintains certifications and attestations across HIPAA, FedRAMP, SOC 2, ISO 27001, PCI DSS, and many others. These certifications mean that Azure's infrastructure has been assessed against those frameworks — not that your workloads on Azure are compliant. The shared responsibility model means that everything above the infrastructure layer — application security, data access controls, audit logging, encryption key management — is your responsibility. Microsoft's compliance documentation tells you what they have done; your assessment tells you what you still need to do.
Healthcare: What HIPAA Actually Requires on Azure
Signing Microsoft's Health Data Protection Addendum (the Azure BAA equivalent) is the starting point, not the finish line. You must implement: audit logging for all PHI access (Azure Monitor and Log Analytics, not just Azure AD logs), encryption at rest using customer-managed keys for PHI workloads (Azure Key Vault), network isolation for PHI processing (private endpoints, not public service endpoints), and access controls with MFA for all users who can access PHI. Microsoft's HIPAA compliance documentation walks through the technical controls; your implementation requires all of them to be specifically configured for your workload.
Finance: PCI DSS Cardholder Data Environment Scoping
Azure's PCI DSS attestation covers the infrastructure layer. Your cardholder data environment (CDE) on Azure must be scoped to the services that store, process, or transmit cardholder data — and that scope must be minimised. Use Azure Private Link for all CDE service communication to avoid public internet exposure. Ensure all CDE services are in a dedicated subscription or resource group with Azure Policy enforcing configuration standards. Network Security Groups between the CDE and the rest of your Azure environment provide the network segmentation required by PCI DSS.
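As an added example (not from the original post and not one of Microsoft's built-in definitions), here is a custom Azure Policy definition that enforces the storage-account controls the HIPAA and PCI DSS sections both call for: public network access disabled, network ACLs defaulting to Deny so only private endpoints and explicit rules reach the account, and encryption with Key Vault (customer-managed) keys. The display name, description and `effect` parameter are mine; the three field aliases are the standard Microsoft.Storage/storageAccounts aliases, and an account on which a field is absent is treated as non-compliant.

```json
{
  "properties": {
    "displayName": "Deny storage accounts that are publicly reachable or not using customer-managed keys",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Guardrail for PHI and cardholder-data subscriptions: storage accounts must disable public network access, default their network ACLs to Deny, and encrypt with Key Vault (customer-managed) keys.",
    "metadata": { "category": "Storage" },
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Deny",
        "metadata": { "description": "Assign as Audit first to inventory non-compliant accounts, then switch to Deny." }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          {
            "anyOf": [
              { "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "notEquals": "Disabled" },
              { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny" },
              { "field": "Microsoft.Storage/storageAccounts/encryption.keySource", "notEquals": "Microsoft.Keyvault" }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

`az policy definition create --rules` consumes only the `policyRule` object (pass the parameters block via `--params`); assign the definition at the dedicated PHI or CDE subscription in Audit mode first so existing non-compliant accounts surface before Deny starts blocking new deployments.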
Defence: FedRAMP and CMMC on Azure Government
Azure Government is the right choice for US government workloads and defence contractors handling CUI. The physical separation from commercial Azure, FedRAMP High authorisation, and DoD IL5 status address most data sovereignty and access control requirements. Azure Government's compliance documentation is more detailed and the service catalogue is smaller — verify that every service you plan to use is available in Azure Government before scoping your architecture. Microsoft GCC High is the correct M365 environment for organisations requiring FedRAMP High for collaboration and email.
- Azure's compliance certifications cover Microsoft's infrastructure — your workload configuration is still your responsibility
- HIPAA on Azure requires customer-managed encryption keys, private endpoints, PHI-specific audit logging, and MFA — not just a signed BAA
- PCI DSS CDE scoping on Azure requires dedicated subscription/resource group, Private Link for CDE communication, and NSG segmentation
- Azure Government and M365 GCC High are required for FedRAMP High workloads — verify service availability before architecture design