
Hi @Shivani Sharma,
Welcome to the Q&A Community.
I’m here to assist with your problem.
I will address each point you've raised:
1. Data Security & Compliance:
Microsoft Azure provides comprehensive data security features to protect sensitive information like NPA valuations, TEV studies, and LIE reports. Encryption is handled across data states: at rest (using Azure Disk Encryption for VMs and default encryption for services like Azure Storage and SQL Database), in transit (via SSL/TLS protocols, VPNs, or ExpressRoute for secure connections), and in use (through Azure confidential computing to isolate processing and prevent unauthorized access). Access control is managed via Azure Role-Based Access Control (RBAC) and Microsoft Entra ID (formerly Azure AD), which enforce fine-grained permissions and identity-based controls to ensure only authorized users can interact with data.
For regulatory compliance, Azure adheres to global standards like GDPR through built-in data protection features, such as Azure Information Protection for classifying and encrypting documents/emails with persistent policies, and Microsoft Entra ID for managing data subject requests and access controls. Specifically for India, Azure complies with Reserve Bank of India (RBI) guidelines for financial institutions, including the IT Framework for Banks and Non-Banking Financial Companies (NBFC). This includes mappings to controls for data security, outsourcing, and cyber resilience, with built-in Azure Policy initiatives to audit and enforce compliance. Azure also supports Insurance Regulatory and Development Authority of India (IRDAI) requirements, providing checklists for due diligence on cloud services to ensure data sovereignty, security, and auditability in financial workflows. Overall, Azure's compliance offerings cover over 100 standards, including financial-specific ones, with tools like Azure Key Vault for key management to maintain control over encryption keys and secrets.
Refer to: Data security and encryption best practices - Microsoft Azure | Microsoft Learn
Azure compliance documentation | Microsoft Learn
Azure Security Control - Data Protection | Microsoft Learn
2. Controlled Access:
To maintain confidentiality while granting access to valuation teams, banks, and auditors, Azure emphasizes role-based access control (RBAC) integrated with Microsoft Entra ID. RBAC allows fine-grained permissions at the subscription, resource group, or resource level, restricting actions like read, write, or delete based on roles.
These practices minimize risks by treating identity as the primary security perimeter and using features like Azure Information Protection for labeling documents as "highly confidential" to enforce access restrictions.
Refer to: Azure identity & access security best practices | Microsoft Learn
Data security and encryption best practices - Microsoft Azure | Microsoft Learn
Refer to: Azure security logging and auditing | Microsoft Learn
3. Audit Trail & Monitoring:
Azure ensures a robust audit trail through integrated logging and monitoring tools to track access, modifications, and sharing of valuation reports. Key features include:
- Activity Logs: Record control-plane events (e.g., CREATE, UPDATE, DELETE) on resources via Azure Resource Manager, allowing review of who performed actions on reports stored in Azure Storage or SharePoint. Azure Monitor activity log - Azure Monitor | Microsoft Learn
- Resource Logs: Provide detailed operations within resources, such as file modifications in Azure Files or Blob Storage, including timestamps and user IDs. Azure Files Auditing and Modification Tracking - Microsoft Q&A
- Microsoft Entra ID Logs: Track sign-ins, user/group changes, and audit activities across Power BI and SharePoint, with retention up to 30 days (or longer via export to Azure Monitor). Where are the audit logs and sign-in logs stored within Azure? - Microsoft Q&A
- Azure Monitor and Storage Analytics: Collect metrics and logs for storage accounts, enabling alerts on suspicious activities like unauthorized access attempts. Logs can be exported to Log Analytics for querying or integrated with SIEM tools for long-term retention.
- Network and Application Logs: Use NSG flow logs for traffic monitoring and Application Insights for app-level diagnostics, including security alerts from Microsoft Defender for Cloud.
To implement, configure diagnostic settings in Microsoft Entra ID or Azure resources to route logs to a Log Analytics workspace, set up alerts for modifications, and regularly review via Azure portal or Power BI dashboards. This provides a clear, tamper-evident audit log for compliance audits.
Refer to: Azure security logging and auditing | Microsoft Learn
4. Integration:
Secure integration of Excel/Power BI valuation models with Azure cloud storage is achieved through native connectors and authentication mechanisms that avoid direct data exposure:
- Azure Blob/Table storage connectors: In Power BI Desktop or Excel, connect directly to Azure Blob Storage using account keys, SAS tokens, or Microsoft Entra ID authentication. Select specific data subsets in queries to load only necessary information, keeping raw sensitive data in encrypted storage. Azure Blob Storage - Power Query | Microsoft Learn
- Azure SQL Database Integration: Store models in Azure SQL Database and connect via Power BI or Excel for real-time querying. Use row-level security in Power BI to restrict data views based on user roles, ensuring auditors see only aggregated insights. Azure and Power BI - Power BI | Microsoft Learn
- Power BI Embedded: Embed reports into custom apps or SharePoint sites using Azure services, allowing controlled visualization without granting access to underlying Excel files or storage.
- Data Factory or Logic Apps: Automate secure pipelines to ingest Excel data into Azure storage, applying transformations and encryption en route, then connect to Power BI for analytics.
- Best Practices for Security: Enable MFA and Conditional Access during connections, use Azure Key Vault for credential storage, and monitor integrations via Azure Monitor to detect anomalies. For on-premises Excel files, use gateways with encrypted channels.
Refer to: Power BI implementation planning: Integration with Other Services - Power BI | Microsoft Learn
These methods maintain data integrity and confidentiality by leveraging Azure's encryption and access controls throughout the workflow. Migrating to Azure can enhance security if configured properly, but conduct a compliance assessment using Azure's built-in tools or consult Microsoft's checklists for RBI-aligned deployments.
We appreciate your kind patience and understanding that sometimes the initial response may not immediately resolve the issue or there may be some misunderstandings about your scenario, but we would love to hear updates from you and find out further suggestions.
Thank you for your kindness and understanding. If you need anything else, please feel free to contact me.
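The audit-trail review described in the answer above, as an added example that is not part of the original answer and is not Microsoft's code: it reads exported Blob Storage resource-log rows and reports who modified report files, which requests used an account key or SAS token instead of Microsoft Entra ID, and which addresses were repeatedly denied. The field names are assumed to follow the `StorageBlobLogs` table schema; the container, file names, users and IP addresses are constructed.

```python
import json
from collections import Counter

# Constructed sample rows; field names assumed to match the StorageBlobLogs schema.
SAMPLE_LOGS = """
{"TimeGenerated":"2025-01-10T09:00:00Z","OperationName":"GetBlob","StatusCode":"200","AuthenticationType":"OAuth","RequesterUpn":"auditor@example.com","CallerIpAddress":"198.51.100.7:50211","ObjectKey":"/valstore/reports/tev-study.xlsx"}
{"TimeGenerated":"2025-01-10T09:05:00Z","OperationName":"PutBlob","StatusCode":"201","AuthenticationType":"OAuth","RequesterUpn":"valuer@example.com","CallerIpAddress":"198.51.100.8:50300","ObjectKey":"/valstore/reports/npa-valuation.xlsx"}
{"TimeGenerated":"2025-01-10T09:10:00Z","OperationName":"GetBlob","StatusCode":"200","AuthenticationType":"SAS","RequesterUpn":"","CallerIpAddress":"203.0.113.9:41000","ObjectKey":"/valstore/reports/lie-report.pdf"}
{"TimeGenerated":"2025-01-10T09:11:00Z","OperationName":"GetBlob","StatusCode":"403","AuthenticationType":"SAS","RequesterUpn":"","CallerIpAddress":"203.0.113.50:41001","ObjectKey":"/valstore/reports/npa-valuation.xlsx"}
{"TimeGenerated":"2025-01-10T09:11:05Z","OperationName":"GetBlob","StatusCode":"403","AuthenticationType":"SAS","RequesterUpn":"","CallerIpAddress":"203.0.113.50:41002","ObjectKey":"/valstore/reports/tev-study.xlsx"}
{"TimeGenerated":"2025-01-10T09:11:09Z","OperationName":"GetBlob","StatusCode":"403","AuthenticationType":"SAS","RequesterUpn":"","CallerIpAddress":"203.0.113.50:41003","ObjectKey":"/valstore/reports/lie-report.pdf"}
{"TimeGenerated":"2025-01-10T09:20:00Z","OperationName":"DeleteBlob","StatusCode":"202","AuthenticationType":"AccountKey","RequesterUpn":"","CallerIpAddress":"203.0.113.9:41050","ObjectKey":"/valstore/reports/lie-report.pdf"}
"""

WRITE_OPS = {"PutBlob", "PutBlockList", "DeleteBlob", "SetBlobMetadata"}
SHARED_SECRET_AUTH = {"AccountKey", "SAS"}  # not tied to a user identity


def parse(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(records, denied_threshold=3):
    """Return (kind, time, actor, detail) tuples for an access review."""
    findings, denied = [], Counter()
    for r in records:
        ip = r["CallerIpAddress"].rsplit(":", 1)[0]  # strip the source port
        who = r.get("RequesterUpn") or "(no identity)"
        if int(r["StatusCode"]) in (401, 403):
            denied[ip] += 1
            continue
        if r["OperationName"] in WRITE_OPS:
            findings.append(("modified", r["TimeGenerated"], who, r["ObjectKey"]))
        if r["AuthenticationType"] in SHARED_SECRET_AUTH:
            # Key/SAS access succeeds without naming a user in the log.
            findings.append(("shared-secret-access", r["TimeGenerated"], ip, r["ObjectKey"]))
    for ip, count in denied.items():
        if count >= denied_threshold:
            findings.append(("repeated-denied", None, ip, f"{count} denied requests"))
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOGS)):
        print(finding)
```

The rows authenticated with an account key or SAS token carry no user name, which is why the review falls back to the caller address for them.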