Male and female co-workers in a meeting room working on multiple tasks together

Microsoft Office 365

Ensure data privacy, compliance, and cybersecurity with Office 365. Built-in features that support the General Data Protection Regulation compliance, privacy by design, and transparent operations safeguard your organization’s data.


Keeping data secure in the Trusted Cloud

Office 365 provides online solutions that help increase productivity and improve collaboration. Our Trusted Cloud services help organizations safeguard data while remaining compliant with industry and regional requirements.

Find out more about Office 365
Microsoft Office 365 securitySecure identitySecure apps and dataSecure infrastructure

Office 365 is a cloud-based service designed to help meet your organization’s needs for robust security, reliability, and user productivity, to help save time and money.

When you move your organization to a cloud service, you must be able to trust your service provider with your most important, sensitive, and confidential data or choose to move only your least sensitive data to the cloud. Because security is paramount for business success, Microsoft has robust policies, controls, and systems built into Office 365 to help keep your information safe. Office 365 is designed on the principles of the Security Development Lifecycle, a mandatory Microsoft process that embeds security requirements into every phase of development.

Microsoft-managed service-level security technologies and policies are enabled by default, and customer-managed controls allow you to customize your Office 365 environment to fit your organization’s security needs. Office 365 is continuously updated to enhance security.

Data you put into Office 365 belongs to you, that means you have complete control of it. We give you extensive privacy controls and visibility into where your data resides and who has access to it, as well as availability and changes to the subscription service. If you end your subscription, you can take your data with you at any time.

Office 365 uses Azure Active Directory (Azure AD) to manage users and to provide authentication, identity management, and access control. Azure AD capabilities include a cloud-based store for directory data and a core set of identity services, such as user logon processes, authentication services, and federation services. These identity services easily integrate with your on-premises Azure AD deployments and fully support third-party identity providers. You can choose from three main identity models in Office 365 when you set up and manage user accounts:

Office 365 uses Multi-Factor Authentication, managed from the Office 365 admin center, to help provide extra security. Office 365 offers the following subset of Azure Multi-Factor Authentication capabilities as a part of the subscription:

  • Ability to enable and enforce Multi-Factor Authentication for end users
  • Use of a mobile app (online and one-time password) as a second authentication factor
  • Use of a phone call as a second authentication factor
  • Use of a Short Message Service (SMS) message as a second authentication factor
  • Application passwords for non-browser clients (for example, the Skype for Business client software)
  • Default Microsoft greetings during authentication phone calls
Learn how to plan for Multi-Factor Authentication for Office 365 deployments

Office 365 uses service-side technologies that encrypt customer data at rest and in transit. For customer data at rest, Office 365 uses BitLocker for volume-level encryption and Service Encryption for mailbox-level and file-level encryption. Service Encryption also includes a bring your own key option. For customer data in transit, Office 365 uses multiple encryption technologies for communications between datacenters and between clients and servers, such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec). Irrespective of customer configuration, customer data stored within Office 365 is encrypted. Validation of Microsoft’s cryptographic policy and its enforcement has been independently verified by multiple third-party auditors. For more information, see Encryption in the Microsoft Cloud.

Multi-tenancy is a primary benefit of cloud computing. This is the ability to share common infrastructure across numerous customers simultaneously, leading to economies of scale. Microsoft continuously works to ensure that the multi-tenant architecture of Office 365 supports enterprise-level security, confidentiality, privacy, integrity, and availability standards. Based upon the significant experience gathered from the (now retired) Trustworthy Computing program and the Security Development Lifecycle, Microsoft cloud services, including Office 365, were designed with the assumption that all tenants are potentially hostile to all other tenants. Thus, multiple forms of protection have been implemented throughout Office 365 to prevent customers from compromising Office 365 services or applications, or gaining unauthorized access to the information of other tenants or the Office 365 system itself. For details on how data isolation between tenants is achieved, see Tenant Isolation in Microsoft Office 365.

Microsoft automates most Office 365 operations, while intentionally limiting its own access to customer content. This enables us to manage Office 365 at scale, and address the risks of internal threats to customer content such as a malicious actor or the spear-phishing of a Microsoft engineer. By default, Microsoft engineers have zero-standing administrative privileges and zero-standing access to customer content in Office 365. A Microsoft engineer may have limited, audited, secured access to a customer’s content for a limited amount of time when necessary for service operations and only when approved by a member of senior management at Microsoft (and, for customers who are licensed for the Customer Lockbox feature, by the customer). For details on Customer Lockbox and other access control features, see Administrative Access Controls in Microsoft Office 365.

In addition to the controls implemented and managed by Microsoft, Office 365 allows you to manage your data in the cloud like you manage your data in on-premises environments. The global admin has access to all features in the admin centers, and can create or edit users, perform administrative tasks, and assign admin roles to others. You can also control how users access information from specific devices or specific locations, or a combination of both. For additional information, see Controlling Access to Office 365 and Protecting Content on Devices.

Office 365 uses defense-in-depth security principles to protect against internal and external risks. The scale and global nature of the Microsoft footprint allows us to use strategies and techniques for defending against network attacks that few providers or customer organizations can match. The cornerstone of our strategy is using our global presence to engage with internet providers, public and private peering providers, and private corporations all over the world, giving us a significant internet presence. This enables Microsoft to detect and defend against attacks across a very large surface area. For more information about how Microsoft defends its cloud services against attacks, see Defending the Microsoft Cloud against denial-of-service attacks.

Threat management strategy for Office 365 involves identifying a potential threat’s intent, capability, and probability of successful exploitation of a vulnerability. The controls used to safeguard against such exploitations are founded upon industry security standards and best practices. Office 365 provides robust email protection against spam, viruses, and malware with Exchange Online Protection. Office 365 also offers Advanced Threat Protection (ATP), an email filtering service that provides additional protection against specific types of advanced threats.

Office 365 users today are on the move and need access wherever they are, using a variety of devices. You can use Microsoft Intune mobile-device management to manage and protect devices across Windows, Apple iOS, and Android platforms. You can identify, monitor, and protect sensitive information with data-loss prevention controls in mobile application management.

The Office 365 process for managing a security incident conforms to the approach prescribed by the National Institute of Standards and Technology (NIST) in NIST 800-61. The Microsoft security incident response includes several dedicated teams that work together to prevent, monitor, detect, and respond to security incidents. Office 365 security teams take the same approach to security incidents, which includes the following NIST 800-61 response management phases:

  • Preparation—The organizational preparation needed to respond to an incident, including tools, processes, competencies, and readiness.
  • Detection and Analysis—The detection of a security incident in a production environment, and the analysis of all events to confirm the authenticity of the security incident.
  • Containment, Eradication, and Remediation—The required and appropriate actions needed to contain the security incident based on the analysis done in the previous phase. Additional analysis may also be necessary in this phase to fully remediate the security incident.
  • Post-Incident Activity—The analysis performed after the remediation of a security incident. The operational actions performed during the process are reviewed to determine if any changes need to be made in the Preparation or Detection and Analysis phases.

For additional information, see Security Incident Management in Microsoft Office 365.

Office 365 customer data is stored in Microsoft datacenters that are geographically distributed and protected by layers of defense-in-depth security. Microsoft datacenters are built from the ground up to protect services and data from harm by natural disaster, environmental threats, or unauthorized access. Office 365 is designed for high availability and runs in geo-redundant datacenters with automatic failover capability.

Datacenter access is restricted 24 hours a day by job function, and is monitored by using motion sensors, video surveillance, and security breach alarms. Physical access controls include perimeter fencing, secure entrances, on-premises security officers, continuous video surveillance, and real-time communications networks. Multiple authentication and security processes—including badges and smart cards, biometric scanners, and two-factor authentication—protect against unauthorized entry. Automated fire prevention and extinguishing systems and seismically braced racks protect against natural disaster.

Take a virtual datacenter tour

Get to know Office 365

Get a free trial subscription to Office 365, a comprehensive, secure cloud productivity and communication solution.