Encryption in the Microsoft cloud

Customer data within Microsoft's enterprise cloud services is protected by several technologies and processes, including various forms of encryption. (Customer data in this document includes Exchange Online mailbox content, e-mail body, calendar entries, and the content of e-mail attachments, and if applicable, Skype for Business content, SharePoint site content, and the files stored within sites, and files uploaded to OneDrive or Skype for Business.) Microsoft uses multiple encryption methods, protocols, and ciphers across its products and services. Encryption helps provide a secure path for customer data to travel through our cloud services, and helps protect the confidentiality of customer data stored within our cloud services. Microsoft uses some of the strongest, most secure encryption protocols available to provide barriers against unauthorized access to customer data. Proper key management is also an essential element of encryption best practices, and Microsoft works to ensure that all Microsoft-managed encryption keys are properly secured.

Customer data stored within Microsoft's enterprise cloud services is protected using one or more forms of encryption. (Multiple non-Microsoft auditors independently validate our crypto policy and its enforcement. Reports of those audits are available on the Service Trust Portal.)

Microsoft provides service-side technologies that encrypt customer data at rest and in transit. For example, for customer data at rest, Microsoft Azure uses BitLocker and DM-Crypt, and Microsoft 365 uses BitLocker, Azure Storage Service Encryption, Distributed Key Manager (DKM), and Microsoft 365 service encryption. For customer data in transit, Azure, Office 365, Microsoft Commercial Support, Microsoft Dynamics 365, Microsoft Power BI, and Visual Studio Team Services use industry-standard secure transport protocols, such as Internet Protocol Security (IPsec) and Transport Layer Security (TLS), between Microsoft datacenters and between user devices and Microsoft datacenters.

In addition to the baseline level of cryptographic security provided by Microsoft, our cloud services also include cryptography options that you can manage. For example, you can enable encryption for traffic between their Azure virtual machines (VMs) and their users. With Azure Virtual Networks, you can use the industry-standard IPsec protocol to encrypt traffic between your corporate VPN gateway and Azure. You can also encrypt traffic between the VMs on your virtual network. In addition, Microsoft Purview Message Encryption allows you to send encrypted mail to anyone.

Following the Public Key Infrastructure Operational Security Standard, which is a component of the Microsoft Security Policy, Microsoft uses the cryptographic capabilities included in the Windows operating system for certificates and authentication mechanisms. These mechanisms include the use of cryptographic modules that meet the U.S. government's Federal Information Processing Standards (FIPS) 140-2 standard. You can search for the relevant National Institute of Standards and Technology (NIST) certificate numbers for Microsoft using the Cryptographic Module Validation Program (CMVP).

[NOTE] The Microsoft Security Policy is not made available as a public download. For information about the policy, contact Microsoft.

FIPS 140-2 is a standard designed specifically for validating product modules that implement cryptography rather than the products that use them. Cryptographic modules that are implemented within a service can be certified as meeting the requirements for hash strength, key management, and the like. The cryptographic modules and ciphers used to protect the confidentiality, integrity, or availability of data in Microsoft's cloud services meet the FIPS 140-2 standard.

Microsoft certifies the underlying cryptographic modules used in our cloud services with each new release of the Windows operating system:

  • Azure and Azure U.S. Government
  • Dynamics 365 and Dynamics 365 U.S. Government
  • Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense

Encryption of customer data at rest is provided by multiple service-side technologies, including BitLocker, DKM, Azure Storage Service Encryption, and service encryption in Exchange, OneDrive, and SharePoint. Microsoft 365 service encryption includes an option to use customer-managed encryption keys that are stored in Azure Key Vault. This customer-managed key option is called Customer Key, and is available for Exchange, SharePoint, OneDrive, Teams files, and Windows 365 Cloud PCs (in public preview).

For customer data in transit, all Office 365 servers negotiate secure sessions using TLS by default with client machines to secure customer data. For example, Office 365 negotiates secure sessions to Skype for Business, Outlook, Outlook on the web, mobile clients, and web browsers.

(All customer-facing servers negotiate to TLS 1.2 by default.)

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.