Architecture overview

What are Microsoft online services?

Microsoft online services refer to the cloud-based services offered by Microsoft, which includes Azure, Dynamics 365, and Microsoft 365. Each service offers unique solutions to common business operation and productivity needs, serving customers around the world ranging from small businesses to large enterprises and governments. Globally distributed datacenters connected by Microsoft's independently managed network infrastructure act as the backbone to support online services, providing the ability to sustain availability in almost every situation and scale to massive worldwide demand.

All Microsoft online services have the same goal of safeguarding the service infrastructure they manage and their customers' data, but each online service is operated by a separate business unit. In many instances, security controls are implemented in the same way across all services, but in some cases, they take a different approach to fulfilling their customer promises and compliance obligations.

What is Azure?

Microsoft Azure is a cloud computing platform for building, deploying, and managing applications through a global network of Microsoft and third-party managed datacenters. It supports both Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) cloud service models, and enables hybrid solutions that integrate cloud services with customers' on-premises resources. Microsoft Azure supports many customers, partners, and government organizations that span across a broad range of products and services, geographies, and industries. Microsoft Azure is designed to meet their security, confidentiality, and compliance requirements.

What is Dynamics 365?

Dynamics 365 is an online business application suite that integrates the Customer Relationship Management (CRM) capabilities and its extensions with the Enterprise Resource Planning (ERP) capabilities. These end-to-end business applications help customers turn relationships into revenue, earn customers, and accelerate business growth. Dynamics 365 is a Software as a Service (SaaS) suite built on Azure's infrastructure and is made available to customers around the world through their globally distributed datacenters.

What is Microsoft 365?

Microsoft 365 is the cloud-powered, subscription-based version of Office, Windows 10, Enterprise Mobility + Security, and Compliance. Microsoft 365 customers get clients such as Outlook and Windows, and they also benefit from services that Microsoft hosts on their behalf, such as Exchange Online, Microsoft Teams, and SharePoint Online. All components of the service are regularly updated as part of the subscription model, so that our customers have an 'evergreen' product. Microsoft manages the service infrastructure on behalf of customers, meaning that Microsoft is responsible for securing the infrastructure that stores customer data.

In terms of scale, Microsoft currently uses close to a million machines to power Microsoft 365 services. The infrastructure powering these services varies widely across service-specific hardware and virtualized environments in Azure, Windows and Linux, and multi-tenant and dedicated platforms. Microsoft 365 is a global business, and our infrastructure is distributed in datacenters around the world, enabling our customers to meet data residency and sovereignty requirements.

How do Microsoft online services ensure isolation between customer tenants?

Microsoft's cloud services are built on the assumption that all tenants are potentially hostile to all other tenants. To properly isolate tenants from one another, Microsoft implements various isolation technologies and controls. These controls are designed to safeguard against information leakage or unauthorized access to customer data across tenants and to prevent the actions of one tenant from adversely affecting the service for another tenant.

Customer content is logically isolated within tenants using Azure Active Directory (Azure AD). User authentication in Microsoft online services verifies not only the user identity, but also the tenant identity the user account is part of, preventing users from accessing data outside their tenant environment. To supplement the logical isolation of Azure AD, customer content is always encrypted at rest and in transit. Individual services may also provide additional layers of tenant isolation, such as SharePoint Online isolation of tenant data in separate, encrypted databases.

How do Microsoft online services engineer resilient services that avoid single points of failure?

Microsoft designs and builds cloud services to maximize reliability and minimize the negative effects on customers in the face of faults and challenges to normal operations. This strategy begins with the design of the network connecting our geographically distributed datacenters. Microsoft's network architecture includes direct interconnections and multiple network paths. Microsoft online services use this redundancy to automatically route traffic around failures to improve service quality.

Wherever possible, Microsoft online services are deployed in active/active configurations with automated service health monitoring, allowing the service to detect and recover from many common faults and failures without human intervention. In addition to active/active configurations, Microsoft online services increase fault-tolerance by ensuring the service is deployed in separate fault zones, preventing a fault in one zone from affecting the availability of other zones.

Data resiliency complements service resiliency by protecting the integrity and availability of data in Microsoft online services. Our services use local storage redundancy and geo-redundancy to replicate copies of customer data into different fault zones. If data is corrupted or lost in one fault zone, it can be accessed in another fault zone without loss of availability. Automated integrity checking automatically restores data impacted by many kinds of physical or logical corruption. Microsoft also provides customers with tools to restore data accidentally deleted or modified by the customer in services such as Exchange Online and SharePoint Online.

How do Microsoft online services track dependencies and prevent unauthorized external system connections?

Microsoft online services teams identify critical system components and their dependencies as part of Business Continuity Management. In addition, Microsoft documents and tracks all external system connections to ensure only authorized connections are allowed in network firewall configurations. Microsoft online services systems, dependencies, and external connections are documented in Microsoft online services' information security architecture. Both the information security architecture and corresponding data flow diagrams are reviewed and updated annually at a minimum, as well as whenever significant changes are made to the system.

Microsoft online services architecture is validated regularly and automatically using cloud-based tools to verify alignment with our security principles and to continuously test isolation and resiliency features. Architectural validation works to automatically identify instances where the current state of the service has drifted from the desired state, flagging any deviations for review and mitigation. The goal of architecture validation is to ensure the security capabilities of our service infrastructure continue to function as expected.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to architecture.

Azure and Dynamics 365

External audits Section Latest report date
ISO 27001/27002

Statement of Applicability
Certification
A.6: Organization of information security
A.13.1: Network security management
A.17.2: Redundancies
December 3, 2021
ISO 27017

Statement of Applicability
Certification
A.6: Organization of information security
A.13.1: Network security management
A.17.2: Redundancies
December 3, 2021
SOC 1
SOC 2
SOC 3
BC-1: Business continuity plans
BC-3: BCDR procedures
BC-4: BCDR testing
BC-5: Business continuity risk assessments
BC-6: Third-party business continuity
BC-7: Datacenter business continuity procedures
BC-8: Datacenter business continuity testing
BC-9: Datacenter resiliency assessment
DS-6: Redundancy of critical components
DS-7: Replication of customer data
DS-14: Restoration of customer services
DS-16: Customer data segregation
September 30, 2021
November 12, 2021
November 12, 2021

Office 365

External audits Section Latest report date
FedRAMP AC-4: Information flow enforcement
CP-9: Information system backup
PL-8: Information security architecture
SC-7: Boundary protection
SC-22: Architecture and provisioning
September 24, 2021
ISO 27001/27002/27017

Statement of Applicability
Certification (27001/27002)
Certification (27017)
A.6: Organization of information security
A.13.1: Network security management
A.17.2: Redundancies
March 2022
SOC 1 CA-37: Tenant isolation
CA-49: Backup policies
CA-51: Data replication
September 30, 2021
SOC 2 CA-05: Data flow diagrams
CA-37: Tenant isolation
CA-49: Backup policies
CA-51: Data replication
September 30, 2021