Microsoft Office 365 security

Protect your competitive advantage—keep your data safer with enterprise-grade security

Office 365 is a cloud-based service designed to help meet your organization’s needs for robust security, reliability, and user productivity, help save time and money, and free up valuable resources. Office 365 integrates the familiar Microsoft Office desktop suite with cloud-based versions of Microsoft next-generation communications and collaboration services—harnessing the Internet to help users be more productive from virtually anywhere.

When you move your organization to cloud services, you must be able to trust your service provider with your most important, sensitive, and confidential data. Because security is paramount for business success, Microsoft has robust policies, controls, and systems built into Office 365 to help keep your information safe. Office 365 is designed on the principles of the Security Development Lifecycle, a mandatory Microsoft process that embeds security requirements into every phase of development.

Your Office 365 data belongs to you; that means you have complete control of it. We give you extensive privacy controls and visibility into where your data resides and who has access to it, as well as availability and changes to the service. If you end your subscription to the service, you can take your data with you. Microsoft-managed service-level security technologies and policies are enabled by default, and customer-managed controls enable you to customize your Office 365 environment to fit your organization’s security needs. Office 365 is continuously updated to enhance security.

Office 365 security topics

Secure identity

Office 365 uses Azure Active Directory (Azure AD) to manage users and to provide authentication, identity management, and access control. Azure AD capabilities include a cloud-based store for directory data and a core set of identity services, such as user logon processes, authentication services, and federation services. These identity services easily integrate with your on-premises Azure AD deployments and fully support third-party identity providers. You can choose from three main identity models in Office 365 when you set up and manage user accounts:

Office 365 uses Multi-Factor Authentication, managed from the Office 365 admin center, to help provide extra security. Office 365 offers the following subset of Azure Multi-Factor Authentication capabilities as a part of the subscription:

  • Ability to enable and enforce Multi-Factor Authentication for end users
  • Use of a mobile app (online and one-time password) as a second authentication factor
  • Use of a phone call as a second authentication factor
  • Use of a Short Message Service (SMS) message as a second authentication factor
  • Application passwords for non-browser clients (for example, the Skype for Business client software)
  • Default Microsoft greetings during authentication phone calls

Secure apps and data

Data encryption

Office 365 uses service-side technologies that encrypt customer data at rest and in transit. For customer data at rest, Office 365 uses volume-level and file-level encryption. For customer data in transit, Office 365 uses multiple encryption technologies for communications between datacenters and between clients and servers, such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec). Office 365 also includes customer-managed encryption features. Customer data stored within Office 365 is protected in all configurations. Validation of Microsoft cryptographic policy and its enforcement is independently verified through multiple third-party auditors.

Maintaining security in multitenant architecture

Multitenancy is a primary benefit of cloud computing. This is the ability to share common infrastructure across numerous customers simultaneously, leading to economies of scale. Microsoft continuously works to ensure that the multitenant architecture of Office 365 supports enterprise-level security, confidentiality, privacy, integrity, and availability standards. Based upon the significant experience gathered from the (now retired) Trustworthy Computing program and the Security Development Lifecycle, Microsoft cloud services, including Office 365, were designed with the assumption that all tenants are potentially hostile to all other tenants. Thus, multiple forms of protection have been implemented throughout Office 365 to prevent customers from compromising Office 365 services or applications, or gaining unauthorized access to the information of other tenants or the Office 365 system itself.

How Microsoft accesses your data

Microsoft automates most Office 365 operations, while intentionally limiting its own access to customer content. This enables us to manage Office 365 at scale, and address the risks of internal threats to customer content such as a malicious actor or the spear-phishing of a Microsoft engineer. By default, Microsoft engineers have no standing administrative privileges and no standing access to customer content in Office 365. A Microsoft engineer may have limited, audited, secured access to a customer’s content for a limited amount of time, but only when necessary for service operations and only when approved by a member of senior management at Microsoft (and, for customers who are licensed for the Customer Lockbox feature, by the customer).

How you access your data

In addition to the controls implemented by Microsoft, Office 365 allows you to manage your own data in much the same way you manage data in on-premises environments. The global admin has access to all features in the admin centers, and can create or edit users, perform administrative tasks, and assign admin roles to others. You can also control how users access information from specific devices or specific locations, or a combination of both.

Secure infrastructure

Office 365 uses defense-in-depth security principles to protect against internal and external risks. The scale and global nature of the Microsoft footprint allows us to use strategies and techniques for defending against network attacks that few providers or customer organizations can match. The cornerstone of our strategy is using our global presence to engage with Internet providers, public and private peering providers, and private corporations all over the world, giving us a significant Internet presence. This enables Microsoft to detect and defend against attacks across a very large surface area.

Threat management

Threat management strategy for Office 365 involves identifying a potential threat’s intent, capability, and probability of successful exploitation of a vulnerability. The controls used to safeguard against such exploitations are founded upon industry security standards and best practices. Office 365 provides robust email protection against spam, viruses, and malware with Exchange Online Protection. Office 365 also offers Advanced Threat Protection (ATP), an email filtering service that provides additional protection against specific types of advanced threats.


Office 365 users today are on the move and need access wherever they are, using a variety of devices. You can use Microsoft Intune mobile-device management to manage and protect devices across Windows, Apple iOS, and Android platforms. You can identify, monitor, and protect sensitive information with data-loss prevention controls in mobile application management.

Incident response

The Office 365 process for managing a security incident conforms to the approach prescribed by the National Institute of Standards and Technology (NIST) in NIST 800-61. The Microsoft security incident response includes several dedicated teams that work together to prevent, monitor, detect, and respond to security incidents. Office 365 security teams take the same approach to security incidents, which includes the NIST 800-61 response management phases:

  • Preparation—the organizational preparation needed to respond to an incident, including tools, processes, competencies, and readiness.
  • Detection and Analysis—the detection of a security incident in a production environment, and the analysis of all events to confirm the authenticity of the security incident.
  • Containment, Eradication, and Remediation—the required and appropriate actions needed to contain the security incident based on the analysis done in the previous phase. Additional analysis may also be necessary in this phase to fully remediate the security incident.
  • Post-Incident Activity—the analysis performed after the remediation of a security incident. The operational actions performed during the process are reviewed to determine if any changes need to be made in the Preparation or Detection and Analysis phases.

Physical security

Office 365 customer data is stored in Microsoft datacenters that are geographically distributed and protected by layers of defense-in-depth security. Microsoft datacenters are built from the ground up to protect services and data from harm by natural disaster, environmental threats, or unauthorized access. Office 365 is designed for high availability and runs in geo-redundant datacenters with automatic failover capability.

Datacenter access is restricted 24 hours a day by job function, and monitored by using motion sensors, video surveillance, and security breach alarms. Physical access controls include perimeter fencing, secure entrances, on-premises security officers, continuous video surveillance, and real-time communications networks. Multiple authentication and security processes—including badges and smart cards, biometric scanners, and two-factor authentication—protect against unauthorized entry. Automated fire prevention and extinguishing systems and seismically braced racks protect against natural disaster.


Insider’s Guide to Social Engineering

Insider’s Guide to Social Engineering

Prevent breaches. Learn how to protect your company.

Contact Trust Center

Need help evaluating our products? Can’t find the information you need?

Looking for general technical support?

Contact Microsoft support