Skip to main content
Skip to main content
Microsoft 365

From Inside the Cloud: Who has access to your data within Office 365?

Perry Clarke is the corporate vice president in Office Server and Services. Vivek Sharma is the director of program management in Office Server and Services.

Vivek Sharma:
In our last From Inside the Cloud post, “Is your data safe at rest?,” we looked at possible physical and logical threat vectors and the various mitigations in place with our defense-in-depth approach, including penetration testing. We also summarized some of the administrator and user controls available to you as part of the Office 365 service—through Rights Management (RMS) and data loss prevention—that enable you to authorize who can view data at the file and item level shared within the service. We stopped short of sharing with you how we manage who has access to your data in the service, which is what we’d like to focus on in this post.

The idea that somehow your data may be more accessible in Office 365 as a cloud service by the people administering and running the service, and therefore more vulnerable, is a common fear. How is it that we maintain the service and do not expose your data to engineers during troubleshooting activities? In this video, “Who has access to your data?,” Perry and I give you an overview of how we protect the security and privacy of your data in our services by controlling access to it.

Perry Clarke:
As we explain in the video, ultimately if the service is working properly, nobody has access to your data. There is zero standing access to your data, unlike in on-premises environments, where an administrator may have long-standing permissions and access.
On the rare occasion that there is an incident that requires troubleshooting access to your data, administrators need to follow a stringent time-based work flow that we call “lockbox,” which through software allows only pre-assigned two-factor-authenticated administrators to request escalation. What this does is ensure that all actions related to access to your data go through a formal escalation request and approval process that is highly supervised, logged, and audited. Additionally, administrators can only request permission to take actions based on their predefined set of privileges through role-based access control (RBAC). All approved access is via a machine-generated password and all activities have a specified time window for completion.

RBAC is a very important factor in managing access to data in the Office 365 service. We’ve implemented this for Exchange and Exchange Online for over a decade and can now bring these best practices and learnings to the Office 365 service overall.
Our ultimate approach is to restrict powerful access to data by our administrators. This, by definition, means building the system in a way that allows for the machinery at the service level to read and write your data and that provides tools that enable individual administrators of the service to diagnose the health of the system and fix it without read or write actions. That means no one has meaningful access to data without escalation of privileges and we limit what the tools used to troubleshoot the service can do.

Vivek Sharma:
Beyond lockbox, the checks and measures in place to protect the security and privacy of your data in the online service are often a lot higher than what may exist in most on-premises environments.
As a global service provider, Microsoft has to meet industry standards such as ISO 27001 and SSAE 16 to protect the privacy and security of your data, determining when, if, and why your data should be accessed if at all.
We hope that today’s explanation helps clarify the topic of administrative access to your data. Let us know what you’re thinking—send us your comments and questions. In a few weeks, lead test engineer Matt Swann from our Blue team will join us for a post to share how we continuously monitor activities within our data centers, performing intrusion detection through a combination of expert teams and machine learning.
If today’s topic piques your interest, you can find more information in the Office 365 Trust Center.

—Perry Clarke and Vivek Sharma

You may also like these articles

Image for: Small business professional working on designs using devices running PowerPoint and Microsoft Teams.
• 4 min read

Power your digital transformation with insights from Microsoft Productivity Score

Editor’s Note: The Mechanics video embedded in this blog post has been updated to reflect some of the product changes announced on December 1, 2020. For some time now, business leaders have made digital transformation a priority. But when the pandemic hit this spring, adopting and embracing digital technology went from being a matter of…

Image for: A man is using his Lenovo laptop like a tablet while sitting in a comfortable chair in a Modern office setting
• 6 min read

Microsoft Productivity Score and personalized experiences—here’s what’s new to Microsoft 365 in October

As I reflect on an action-packed few weeks, I’m struck by how much work has evolved in these past months. And I know our customers feel it too. After quickly moving to remote and hybrid work models this spring, organizations are now seeking sustainable ways to help people collaborate, be productive, and prioritize their wellbeing…

Image for: Microsoft employees working remotely.
• 5 min read

Working remotely during challenging times

A Shanghai-based Microsoft employee shares lessons of working remotely during the COVID-19 outbreak.