Architecture overview

What is Microsoft 365?

Microsoft 365 is the cloud-powered, subscription-based version of Office, Windows 10, Enterprise Mobility + Security, and Compliance. Microsoft 365 customers get clients such as Outlook and Windows, and they also benefit from services that Microsoft hosts on their behalf, such as Exchange Online, Microsoft Teams, and SharePoint Online. All components of the service are regularly updated as part of the subscription model, so that our customers have an 'evergreen' product. Microsoft manages the service infrastructure on behalf of customers, meaning that Microsoft is responsible for securing the infrastructure that stores customer data.

In terms of scale, we currently use close to a million machines to power Microsoft 365 services. The infrastructure powering these services varies widely across service-specific hardware and virtualized environments in Azure, Windows and Linux, and multi-tenant and dedicated platforms. Microsoft 365 is a global business, and our infrastructure is distributed in datacenters around the world, enabling our customers to meet data residency and sovereignty requirements.

In short, the service is complex, runs at incredible scale, and requires thousands of Microsoft engineers to build and maintain. Keeping all of this infrastructure secure is our top priority.

How does Microsoft 365 ensure isolation between customer tenants?

Microsoft's cloud services are built on the assumption that all tenants are potentially hostile to all other tenants. To properly isolate tenants from one another, Microsoft implements a variety of isolation technologies and controls. These controls are designed to safeguard against information leakage or unauthorized access to customer data across tenants and to prevent the actions of one tenant from adversely affecting the service for another tenant.

Customer content is logically isolated within Microsoft 365 tenants using Azure Active Directory (Azure AD). User authentication in Microsoft 365 verifies not only the user identity, but also the tenant identity the user account is part of, preventing users from accessing data outside their tenant environment. To supplement the logical isolation of Azure AD, customer content is always encrypted at rest and in transit. Individual services may also provide additional layers of tenant isolation, such as SharePoint Online isolation of tenant data in separate, encrypted databases.
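The paragraph above describes the tenant boundary being enforced at authentication time: a token proves not only who the user is but which tenant they belong to. The following is an added example (not Microsoft's internal implementation and not code from this page) of the claims-side of that check as an application consuming Azure AD tokens would perform it. It assumes the token's signature has already been verified against the tenant's published signing keys, and takes the decoded claims as a dictionary; the tenant GUIDs, audience and clock value are constructed placeholders.

```python
"""Tenant-binding check on decoded Azure AD token claims.

Added example, not Microsoft's own code. Signature verification against the
tenant's signing keys is assumed to have happened already; this step checks
that the claims bind the caller to the tenant the application expects."""
import time

# Issuer format used by Azure AD v2.0 tokens; the tenant GUID is embedded in it.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant}/v2.0"


def check_tenant_binding(claims, expected_tenant, expected_audience, now=None):
    """Return (ok, reason).

    Rejects tokens issued for another tenant (tid or iss mismatch), for another
    audience, or that have expired. The tid/iss checks are what stop a valid
    token from a *different* tenant being accepted by a multi-tenant app."""
    now = time.time() if now is None else now

    tid = claims.get("tid")
    if tid != expected_tenant:
        return False, f"tenant mismatch: token tid={tid!r}"

    # The issuer must name the same tenant as tid; a mismatch means the two
    # claims do not agree on which tenant issued the token.
    if claims.get("iss") != ISSUER_TEMPLATE.format(tenant=expected_tenant):
        return False, "issuer does not match expected tenant"

    if claims.get("aud") != expected_audience:
        return False, "audience mismatch"

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"

    return True, "ok"


# Constructed sample data: placeholder tenant ids, audience and a fixed clock
# so the example is deterministic. None of these are real identifiers.
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"
APP_AUDIENCE = "api://example-app"
NOW = 1_700_000_000


def make_claims(tenant, audience=APP_AUDIENCE, exp=NOW + 3600, issuer_tenant=None):
    """Build a constructed claims dictionary shaped like an Azure AD v2.0 token."""
    issuer_tenant = tenant if issuer_tenant is None else issuer_tenant
    return {
        "iss": ISSUER_TEMPLATE.format(tenant=issuer_tenant),
        "tid": tenant,
        "aud": audience,
        "exp": exp,
        "sub": "user-in-" + tenant[:8],
    }


if __name__ == "__main__":
    # A token from the expected tenant is accepted ...
    print(check_tenant_binding(make_claims(TENANT_A), TENANT_A, APP_AUDIENCE, NOW))
    # ... and an otherwise valid token from another tenant is refused.
    print(check_tenant_binding(make_claims(TENANT_B), TENANT_A, APP_AUDIENCE, NOW))
```

The point of the example is the failure mode it guards against: an application that validates only the signature (for instance against the common, tenant-agnostic endpoint) will accept a correctly signed token from any tenant, so the `tid` and `iss` checks are where the logical isolation the text describes is actually enforced on the consuming side.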

How does Microsoft 365 engineer resilient services that avoid single points of failure?

Microsoft designs and builds cloud services to maximize reliability and minimize the negative effects on customers in the face of faults and challenges to normal operations. This strategy begins with the design of the network connecting our geographically distributed datacenters. Microsoft's network architecture includes direct interconnections and multiple network paths. Microsoft 365 services leverage this redundancy to automatically route traffic around failures to improve service quality.

At the service level, Microsoft 365's resilience strategy prioritizes software resiliency. Wherever possible, our services are deployed in active/active configurations with automated service health monitoring, allowing the service to detect and recover from many common faults and failures without human intervention. In addition to active/active configurations, Microsoft 365 services increase fault-tolerance by ensuring the service is deployed in separate fault zones, preventing a fault in one zone from affecting the availability of other zones.

Data resiliency complements service resiliency by protecting the integrity and availability of data in Microsoft 365 services. Our services use local storage redundancy and geo-redundancy to replicate copies of customer data into different fault zones. If data is corrupted or lost in one fault zone, it can be accessed in another fault zone without loss of availability. Automated integrity checking restores data impacted by many kinds of physical or logical corruption. Microsoft 365 also provides customers with tools to restore data accidentally deleted or modified by the customer in Exchange Online and SharePoint Online.

How does Microsoft 365 track dependencies and prevent unauthorized external system connections?

Microsoft 365 service teams identify critical system components and their dependencies as part of Business Continuity Management. In addition, Microsoft 365 documents and tracks all external system connections to ensure only authorized connections are allowed in network firewall configurations. Microsoft 365 systems, dependencies, and external connections are documented in Microsoft 365's information security architecture. Both the information security architecture and corresponding data flow diagrams are reviewed and updated annually at a minimum, as well as whenever significant changes are made to the system.

Microsoft 365 architecture is validated regularly and automatically using cloud-based tools to verify alignment with our security principles and to continuously test isolation and resiliency features. Architectural validation works to automatically identify instances where the current state of the service has drifted from the desired state, flagging any deviations for review and mitigation. The goal of architecture validation is to ensure the security capabilities of our service infrastructure continue to function as expected.
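The two paragraphs above describe a documented set of authorized external connections (the desired state) and automated validation that flags drift between that and what is actually deployed (the current state). The following is an added example, not Microsoft's tooling or code from this page, of the core of such a drift check: the documented connections and the firewall export format are constructed samples, and the rule syntax is a hypothetical one invented for the example.

```python
"""Drift check: documented external connections vs. live firewall rules.

Added example, not Microsoft 365's own validation tooling. The rule format,
hostnames and addresses below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One authorized outbound connection; frozen so instances are hashable."""
    name: str
    dest: str   # destination hostname or CIDR
    port: int
    proto: str


# Desired state: external connections recorded in the information security
# architecture (constructed sample; example.test and 203.0.113.0/24 are
# reserved documentation names/ranges, not real endpoints).
DOCUMENTED = {
    Connection("cert-authority-ocsp", "ocsp.example.test", 80, "tcp"),
    Connection("telemetry-sink", "203.0.113.10/32", 443, "tcp"),
}

# Current state: a constructed firewall export in a hypothetical line format
#   allow <proto> any -> <dest>:<port> name=<rule-name>
# It contains one rule that is not in the documented architecture.
FIREWALL_EXPORT = """\
allow tcp any -> ocsp.example.test:80 name=cert-authority-ocsp
allow tcp any -> 203.0.113.10/32:443 name=telemetry-sink
allow tcp any -> 198.51.100.7/32:22 name=adhoc-ssh
# comment lines and malformed lines are ignored
deny tcp any -> 0.0.0.0/0:0 name=default-deny
"""


def parse_rules(text):
    """Parse 'allow' rules from the export into a set of Connection objects."""
    rules = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "allow" or parts[3] != "->":
            continue  # only allow-rules represent permitted external connections
        proto = parts[1]
        dest, port = parts[4].rsplit(":", 1)
        name = parts[5].split("=", 1)[1]
        rules.add(Connection(name, dest, int(port), proto))
    return rules


def detect_drift(documented, current):
    """Return connections present but undocumented, and documented but absent."""
    return {
        "unauthorized": sorted(current - documented, key=lambda c: c.name),
        "missing": sorted(documented - current, key=lambda c: c.name),
    }


if __name__ == "__main__":
    drift = detect_drift(DOCUMENTED, parse_rules(FIREWALL_EXPORT))
    for kind, conns in drift.items():
        for c in conns:
            print(f"{kind}: {c.name} {c.proto} {c.dest}:{c.port}")
```

Because the comparison is on the full tuple of name, destination, port and protocol, a rule whose destination or port was changed after it was documented shows up as both a `missing` and an `unauthorized` entry, which is the kind of deviation the text says is flagged for review.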

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to the architecture of Microsoft 365.

| External audits | Section | Latest report date |
|---|---|---|
| FedRAMP (Office 365) | AC-4: Information flow enforcement; CP-9: Information system backup; PL-8: Information security architecture; SC-7: Boundary protection; SC-22: Architecture and provisioning | September 24, 2020 |
| ISO 27001/27002 (Office 365) Statement of Applicability, Certification | A.6: Organization of information security; A.13.1: Network security management; A.17.2: Redundancies | February 22, 2020 |
| ISO 27017 (Office 365) Statement of Applicability, Certification | A.6: Organization of information security; A.13.1: Network security management | February 22, 2020 |
| SOC 1 (Office 365) | CA-37: Tenant isolation; CA-49: Backup policies; CA-51: Data replication | December 24, 2020 |
| SOC 2 (Office 365) | CA-05: Data flow diagrams; CA-37: Tenant isolation; CA-49: Backup policies; CA-51: Data replication | December 24, 2020 |