Set up encryption in Microsoft 365 Enterprise

Encryption can protect your content from being read by unauthorized users. Because encryption in Microsoft 365 can be done using various technologies and methods, there isn't one single place where you turn on or set up encryption. This article provides information about various ways you can set up or configure encryption as part of your information protection strategy.

Tip

If you are looking for more technical details about encryption, see Technical reference details about encryption.

With Microsoft 365, several encryption capabilities are available by default. Additional encryption capabilities can be configured to meet certain compliance or legal requirements. The following table describes several encryption methods for different scenarios.

Scenario: Files are saved on Windows computers
Encryption methods: Encryption at the device level can be done using BitLocker on Windows devices. As an enterprise administrator or IT Pro, you can set this up using the Microsoft Deployment Toolkit (MDT). See Set up MDT for BitLocker.

Scenario: Files are saved on mobile devices
Encryption methods: Some kinds of mobile devices encrypt files saved to them by default. With the built-in Mobile Device Management for Office 365, you can set policies that determine whether mobile devices are allowed to access data in Microsoft 365. For example, you can set a policy that allows only devices that encrypt their storage to access Microsoft 365 data. See Create and deploy device security policies. For additional control over how mobile devices interact with Microsoft 365, consider adding Microsoft Intune.

Scenario: You need control over the encryption keys used to encrypt your data in Microsoft's data centers
Encryption methods: As an administrator, you can supply your organization's own encryption keys and configure Microsoft 365 to use them to encrypt your data at rest in Microsoft's data centers. For information, see Overview of Customer Key.

Scenario: People are communicating via email (Exchange Online)
Encryption methods: As an Exchange Online administrator, you have several options for configuring email encryption: message encryption, which lets people send encrypted messages inside or outside your organization; S/MIME, which encrypts and digitally signs individual messages end to end using per-user certificates; and TLS on connectors, which protects mail in transit between your organization and another organization. For overviews, see Email encryption and Encryption.

Scenario: Files are accessed from team sites or document libraries (OneDrive for Business or SharePoint Online)
Encryption methods: When people work with files saved to OneDrive for Business or SharePoint Online, the connection is protected in transit with TLS. This is built into Microsoft 365 automatically. See Data Encryption in OneDrive for Business and SharePoint Online.

Scenario: Files are shared in online meetings and IM conversations (Skype for Business Online)
Encryption methods: When people work with files using Skype for Business Online, TLS protects the connection. This is built into Microsoft 365 automatically. See Security and Archiving (Skype for Business Online). Note that Skype for Business Online has been retired; Microsoft Teams is its replacement.

Scenario: Files are shared in online meetings and IM conversations (Microsoft Teams)
Encryption methods: When people work with files using Microsoft Teams, TLS protects the connection. This is built into Microsoft Teams automatically. Microsoft Teams does not currently support inline rendering of encrypted email. To prevent encrypted email from landing in Microsoft Teams as encrypted, see Message Encryption FAQ.
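The Windows-device row above points to MDT for deployment, but an administrator also needs a way to verify, on a given machine, that BitLocker is actually protecting the OS volume with a hardware-bound protector and that the recovery key has been escrowed. The following is an added example written for this article (not Microsoft's own code and not taken from the MDT guidance). It assumes an elevated PowerShell session on a Windows 10/11 device with a TPM, the built-in BitLocker and TrustedPlatformModule modules, and a device that is joined to Microsoft Entra ID so the recovery password can be backed up there; the mount point `C:` is an assumption.

```powershell
# Added example (not from the original article): verify and enforce BitLocker on the OS
# volume. Assumptions: elevated session, Windows 10/11 with a TPM, device joined to
# Microsoft Entra ID for recovery-key escrow, OS volume mounted at C:.

$MountPoint = 'C:'

# 1. Inspect the current state before changing anything.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol | Select-Object MountPoint, ProtectionStatus, VolumeStatus, EncryptionMethod,
    @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }

# 2. Require a ready TPM. A volume protected only by a password or recovery key is
#    only as strong as that secret, so refuse to continue without the hardware root.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; refusing to enable BitLocker with a TPM protector.'
}

if ($vol.ProtectionStatus -eq 'Off') {
    # 3. Add a recovery password first so the volume stays recoverable if the TPM is
    #    cleared or the motherboard is replaced.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # 4. Encrypt with XTS-AES-256 bound to the TPM. -SkipHardwareTest avoids the
    #    reboot-and-test cycle; omit it in a pilot ring where you want that test to run.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

# 5. Escrow every recovery password to Microsoft Entra ID. Without escrow, a device
#    that falls into recovery mode is simply lost.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId
    }

# 6. Final check: fail loudly if protection is still off or the cipher is weaker than
#    the standard you set. Note that ProtectionStatus reports 'Off' until encryption
#    has started, even though VolumeStatus may already read 'EncryptionInProgress'.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On' -or $vol.EncryptionMethod -ne 'XtsAes256') {
    throw "BitLocker is not fully protecting $MountPoint (Status=$($vol.ProtectionStatus), Method=$($vol.EncryptionMethod))"
}
"BitLocker is On for $MountPoint using $($vol.EncryptionMethod)"
```

The same checks (TPM protector present, XTS-AES-256, recovery password escrowed) are what a compliance policy in Intune evaluates; running them by hand on a sample of devices is a quick way to confirm that an MDT task sequence produced the configuration you intended.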
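The Exchange Online row lists three controls (message encryption, S/MIME, and TLS on connectors) but does not show how an administrator turns them on. The following is an added example for this article, not Microsoft's own code, that configures message encryption for mail to a partner and forces TLS with certificate validation on the connectors to and from that partner. It assumes the ExchangeOnlineManagement module is installed, the account holds the Exchange Administrator role, and the admin UPN `admin@contoso.onmicrosoft.com`, the partner domain `partner.example.com`, and the rule and connector names are placeholders. S/MIME is not covered because it depends on issuing per-user certificates outside Exchange.

```powershell
# Added example (not from the original article): turn on Purview Message Encryption for
# mail to a partner and require TLS with certificate validation on both connectors.
# Assumptions: ExchangeOnlineManagement module installed; Exchange Administrator role;
# placeholder admin UPN, partner domain, and rule/connector names.

Import-Module ExchangeOnlineManagement
$AdminUpn      = 'admin@contoso.onmicrosoft.com'   # placeholder
$PartnerDomain = 'partner.example.com'             # placeholder
$RuleName      = 'Encrypt mail to partner'         # placeholder

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# 1. Message encryption rides on Azure Rights Management. Make sure the tenant has it
#    enabled and can reach the service before creating rules that depend on it.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
Test-IRMConfiguration -Sender $AdminUpn | Format-List Results

# 2. Mail flow rule: apply the built-in 'Encrypt' template to every message sent to the
#    partner domain, so protection does not depend on individual senders remembering.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SentToScope NotInOrganization `
        -RecipientDomainIs $PartnerDomain `
        -ApplyRightsProtectionTemplate 'Encrypt' `
        -Priority 0
}

# 3. Outbound connector: deliver to the partner's MX only over TLS and only if the
#    server presents a certificate valid for the partner's domain. TlsSettings
#    'EncryptionOnly' would accept any certificate and therefore any host that can
#    answer for the MX; 'DomainValidation' pins the expected name.
$OutName = "To $PartnerDomain (TLS required)"
if (-not (Get-OutboundConnector -Identity $OutName -ErrorAction SilentlyContinue)) {
    New-OutboundConnector -Name $OutName `
        -ConnectorType Partner `
        -RecipientDomains $PartnerDomain `
        -UseMXRecord $true `
        -TlsSettings DomainValidation `
        -TlsDomain $PartnerDomain
}

# 4. Inbound connector: accept mail for the partner's sender domains only over TLS and
#    only when the sending host presents a certificate for that domain, which blocks
#    plain-text or spoofed submissions claiming to be from the partner.
$InName = "From $PartnerDomain (TLS required)"
if (-not (Get-InboundConnector -Identity $InName -ErrorAction SilentlyContinue)) {
    New-InboundConnector -Name $InName `
        -ConnectorType Partner `
        -SenderDomains $PartnerDomain `
        -RequireTls $true `
        -TlsSenderCertificateName $PartnerDomain `
        -RestrictDomainsToCertificate $true
}

# 5. Verify what actually got applied rather than trusting the cmdlets succeeded.
Get-OutboundConnector -Identity $OutName | Format-List Name, Enabled, TlsSettings, TlsDomain
Get-InboundConnector  -Identity $InName  | Format-List Name, Enabled, RequireTls, TlsSenderCertificateName, RestrictDomainsToCertificate
Get-TransportRule     -Identity $RuleName | Format-List Name, State, RecipientDomainIs, ApplyRightsProtectionTemplate

Disconnect-ExchangeOnline -Confirm:$false
```

Two practical caveats: the TLS connectors only protect the hop between the two organizations, so a message that is forwarded onward leaves that protection; and the mail flow rule does nothing for mail already in transit when it is created, so test with a message trace (Get-MessageTrace) after a few minutes rather than assuming the first test message was covered.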

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Additional information

To learn more about file protection solutions that include encryption options, see File Protection Solutions in Office 365.