Office 365 Security and Compliance

(Updated on December 17, 2014 to add information on Identity and Authentication)

One of the topics that I regularly discuss with my large global enterprise customers, based in the United States, is Office 365 security and compliance. There are many aspects to this conversation especially with my customers that are in highly regulated industries, including financial services and healthcare, and geographically distributed, most with employees based in the European Union.

Below are some of the key resources that I usually provide as follow-up items after our discussions. Hope these help.

Want to discuss further? Mention me in your post in the Security and Compliance group in the Office 365 Technical Network on Yammer.

General Information

  1. The Office 365 Trust Center should be your 1st stop for getting and staying up to date on the latest Office 365 security, privacy, and compliance related capabilities.
  2. Microsoft’s Cloud Security Alliance (CSA) Standard Response to Security Questions document goes deep into the various controls that Microsoft has in place for the operation and management of Office 365.
  3. Office 365 is regularly independently audited and certified against many industry standards including ISO 27001, EU model clauses, HIPAA BAA, and FISMA. More details can be found here.
  4. The Global Foundation Services site provides a virtual tour and deep information on how Microsoft manages the data centers that host Office 365 and other Microsoft enterprise cloud offerings such as Azure, Intune, and CRM Online.
  5. Multiple presentations on Office 365 security were recorded at the TechEd Conference in May and are freely available on Channel 9. Two of my favorites are Microsoft Office 365 Security, Privacy, and Compliance Overview and Microsoft Office 365 Security, Privacy, and Compliance Deep-Dive
  6. The Overview of Compliance in SharePoint Online, OneDrive for Business, and Office 365 session from the SharePoint Conference in March provides a great overview of the current state and roadmap.
  7. Speaking of roadmap, the Office 365 roadmap site provides information on many related recent updates and capabilities under development.
  8. There were also many Office 365 DLP, MDM, Compliance, and Security announcements from TechEd Europe in October.

Data Loss Prevention (DLP)

  1. Beginning with Exchange Online, Microsoft continues to make investments in DLP in Office 365. This Office 365 DLP overview presentation and  blog post are a great place to start.
  2. Here is a deeper technical dive on Exchange Online DLP features.
  3. SharePoint Online (including OneDrive for Business) has started to introduce DLP. A nice overview of what is currently available is here. The Use DLP in SharePoint Online and Assign eDiscovery permissions to OneDrive for Business sites articles provide the details on how to configure and begin using these new DLP features.
  4. There were also many DLP announcements from TechEd Europe that cover the roadmap for DLP in Office 365.


  1. Office 365 provides eDiscovery capabilities that span Exchange, Lync, SharePoint, and OneDrive for Business. Customers can also leverage a hybrid architecture to perform eDiscovery against on premises file shares. More information on eDiscovery in Office 365 can be found here.
  2. Microsoft’s legal team presented at the SharePoint Conference in March showing How Microsoft legal uses Office 365 eDiscovery
  3. Another great SharePoint Conference session to review is this End-to-end Microsoft eDiscovery in Office and Office 365 session.

Mobile Device Management (MDM)

  1. One of the big announcements from TechEd Europe in October was that built in MDM capabilities are being added to Office 365 soon. Get all of the details here in this blog post.
  2. These MDM capabilities being built into Office 365 are powered by Microsoft Intune, Microsoft’s device and app management solution for phones, tablets, and PCs.  Organizations that need protection beyond what’s included in Office 365 can subscribe to Intune and get additional device and app management capabilities.

Rights Management Services (RMS) & Encryption

  1. Microsoft’s RMS offering has evolved significantly over the past year and now supports encryption and decryption of non Microsoft files on non Microsoft devices. This blog post provides a great overview of what has been shipped in the new RMS offering and what Microsoft’s vision and strategy are here. The New RMS overview and Microsoft IRM overview sessions also provide additional information and demonstrations.
  2. Office 365 Message Encryption has also been released to support sending and receiving secure, encrypted messages between organizations.
  3. The Encryption in Office 365 session provides a great overview of encryption capabilities across Office 365 offerings.

Identity & Authentication

  1. Customers often have questions around how to create and manage user accounts in Office 365. Since I work with large enterprise customers, my customers typically leverage Office 365 Directory Synchronization and Federated Identities. More information on the various options available can be found here on TechNet. The Introduction to Microsoft Office 365 Identity Management and Microsoft Office 365 Directory Synchronization and Federation Options session recordings cover these topics in more depth.
  2. Microsoft recently released a new version of the Azure Active Directory Synchronization Services (AAD Sync) tool. This new tool addresses many common customer requests such as limiting the number of user attributes that get synchronized from a company's on premises AD environment to Azure AD and supporting the syncing from multiple AD forests.
  3. The IdFix tool is very helpful with preparing for Directory Synchronization.
  4. Many of my customers are using Active Directory Federation Services (ADFS) to limit access to Office 365 services based on the location of the client using client access policies.
  5. Some of my customers using ADFS also want to use an alternate ID for their users to use to log into Office 365 - instead of having to change their User Principal Name (UPN) field in Active Directory. This article summarizes how to accomplish this.
  6. This is a great checklist to help with setting up ADFS for Office 365.
  7. Customers can also choose to leverage third-party identity providers to implement single sign-on with Office 365. You will want to make sure that your provider is supported as part of the Works with Office 365 Identity program.
  8. Many customers leverage the built in Multi-Factor Authentication capabilities with Office 365.
  9. Office 2013 is also being updated to support Multi-Factor Authentication and SAML identity providers.
  10. Customers often want to automate the Office 365 license assignment process. PowerShell can be used to script this.