Encryption in the Microsoft Cloud

Customer data within Microsoft's enterprise cloud services is protected by a variety of technologies and processes, including various forms of encryption. (Office 365 customer data in this document includes Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments, and if applicable, Skype for Business content), SharePoint Online site content and the files stored within sites, and files uploaded to OneDrive for Business or Skype for Business.) Microsoft uses multiple encryption methods, protocols, and ciphers across its products and services to help provide a secure path for customer data to travel through our cloud services, and to help protect the confidentiality of customer data that is stored within our cloud services. Microsoft uses some of the strongest, most secure encryption protocols available to provide barriers against unauthorized access to customer data. Proper key management is also an essential element of encryption best practices, and Microsoft works to ensure that all Microsoft-managed encryption keys are properly secured.

Regardless of customer configuration, customer data stored within Microsoft's enterprise cloud services is protected using one or more forms of encryption. (Validation of our crypto policy and its enforcement is independently verified by multiple third-party auditors, and reports of those audits are available on the Service Trust Portal.)

Microsoft provides service-side technologies that encrypt customer data at rest and in transit. For example, for customer data at rest, Microsoft Azure uses BitLocker and DM-Crypt, and Microsoft Office 365 uses BitLocker, Azure Storage Service Encryption, Distributed Key Manager (DKM), and Office 365 service encryption. For customer data in transit, Azure, Office 365, Microsoft Commercial Support, Microsoft Dynamics 365, Microsoft Power BI, and Visual Studio Team Services use industry-standard secure transport protocols, such as Internet Protocol Security (IPsec) and Transport Layer Security (TLS), between Microsoft datacenters and between user devices and Microsoft datacenters.

In addition to the baseline level of cryptographic security provided by Microsoft, our cloud services also include additional cryptography options that you can manage. For example, you can enable encryption for traffic between your Azure virtual machines (VMs) and your users. With Azure Virtual Networks, you can use the industry-standard IPsec protocol to encrypt traffic between your corporate VPN gateway and Azure, as well as between the VMs located on your Virtual Network. In addition, new Office 365 Message Encryption capabilities allow you to send encrypted mail to anyone.

In accordance with the Public Key Infrastructure Operational Security Standard, which is a component of the Microsoft Security Policy, Microsoft leverages the cryptographic capabilities included in the Windows operating system for certificates and authentication mechanisms, which includes the use of cryptographic modules that meet the U.S. government's Federal Information Processing Standards (FIPS) 140-2 standard. (Relevant NIST certificate numbers for Microsoft can be found at https://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.)

[NOTE] To access the Microsoft Security Policy as a resource, you must sign in using your work or school account. If you don't have a subscription yet, you can sign up for a free trial.

FIPS 140-2 is a standard designed specifically for validating product modules that implement cryptography rather than the products that use them. Cryptographic modules that are implemented within a service can be certified as meeting the requirements for hash strength, key management, and the like. Any time cryptographic capabilities are employed to protect the confidentiality, integrity, or availability of data in Microsoft's cloud services, the modules and ciphers used meet the FIPS 140-2 standard.

Microsoft certifies the underlying cryptographic modules with each new release of the Windows operating system; those modules are used in the following cloud services:

  • Azure and Azure U.S. Government
  • Dynamics 365 and Dynamics 365 U.S. Government
  • Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense

Encryption of Office 365 customer data at rest is provided by multiple service-side technologies, including BitLocker, DKM, Azure Storage Service Encryption, and service encryption in Exchange Online, Skype for Business, OneDrive for Business, and SharePoint Online. Office 365 service encryption includes an option to use customer-managed encryption keys that are stored in Azure Key Vault. This customer-managed key option, called Office 365 Customer Key, is available for Exchange Online, SharePoint Online, Skype for Business, and OneDrive for Business.

For customer data in transit, all Office 365 servers negotiate secure sessions with client machines using TLS by default. This applies to every client protocol and device, including Skype for Business, Outlook, Outlook on the web, mobile clients, and web browsers.

All customer-facing servers negotiate TLS 1.2 by default, but they also support negotiating down to a lower TLS version if a client requires it. Because the version actually used is the highest one both sides offer, a server-side default of TLS 1.2 does not by itself guarantee TLS 1.2: a client that still offers TLS 1.0 or 1.1 can end up on the older protocol. Organizations that need to guarantee TLS 1.2 should configure their clients not to offer earlier versions and should verify what their sessions actually negotiate.
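The following is an added example, not code from the original article or from Microsoft. It shows the two checks a practitioner would want for the point above: a client-side TLS context that can never negotiate below TLS 1.2 (so a server's "negotiate down" support cannot apply to it), and a small parser that reads a captured ServerHello record and reports the version the server actually selected, including the TLS 1.3 case where the real version lives in the supported_versions extension. The sample records are constructed in the block for illustration; they are not captures from any Office 365 server.

```python
import ssl
import struct

# Protocol version bytes as they appear on the wire (major, minor).
TLS_VERSIONS = {
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}
MIN_ACCEPTABLE = (3, 3)            # TLS 1.2
EXT_SUPPORTED_VERSIONS = 0x002B    # RFC 8446 extension carrying the TLS 1.3 selected_version


def strict_client_context(cafile=None):
    """Client SSLContext that never offers TLS 1.0/1.1 in its ClientHello.

    With minimum_version pinned, a server that is willing to negotiate down
    has nothing lower to negotiate to for this client.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def negotiated_version(record):
    """Return the protocol version selected in a raw TLS ServerHello record.

    Record: type(1) legacy_version(2) length(2) | handshake: type(1) length(3) body.
    Body: server_version(2) random(32) session_id<0..32> cipher_suite(2)
          compression(1) [extensions_length(2) extensions...].
    A TLS 1.3 server freezes server_version at 0x0303 and puts the real
    selected version in the supported_versions extension, so check that too.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")

    version = (body[0], body[1])
    pos = 2 + 32                      # skip server_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                # session_id
    pos += 2 + 1                      # cipher_suite, compression_method
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = (body[pos], body[pos + 1])
            pos += elen
    return TLS_VERSIONS.get(version, "unknown(%d.%d)" % version)


def downgraded(record):
    """True if the server selected anything below the TLS 1.2 policy floor."""
    name = negotiated_version(record)
    wire = next((v for v, n in TLS_VERSIONS.items() if n == name), (0, 0))
    return wire < MIN_ACCEPTABLE


def build_server_hello(legacy_version, selected_version=None):
    """Construct a minimal ServerHello record for testing (constructed sample, not a capture)."""
    body = bytes(legacy_version) + b"\x00" * 32 + b"\x00"   # version, random, empty session_id
    body += b"\xc0\x2f" + b"\x00"                            # a cipher suite, null compression
    exts = b""
    if selected_version is not None:
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + bytes(selected_version)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(legacy_version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for name, rec in [("TLS 1.0 server", build_server_hello((3, 1))),
                      ("TLS 1.2 server", build_server_hello((3, 3))),
                      ("TLS 1.3 server", build_server_hello((3, 3), (3, 4)))]:
        print(name, negotiated_version(rec), "DOWNGRADED" if downgraded(rec) else "ok")
```

The first few bytes of a real ServerHello can be read from a packet capture or from the plaintext handshake records a TLS debugging proxy logs; feed that record to negotiated_version to confirm what a given client actually got, rather than relying on the server's default.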