Set up encryption in Office 365 Enterprise

Encryption can protect your content from being read by unauthorized users. Because encryption in Office 365 can be done using various technologies and methods, there isn't one single place where you turn on or set up encryption. This article provides information about various ways you can set up or configure encryption as part of your information protection strategy.


If you are looking for more technical details about encryption, see Technical reference details about encryption in Office 365.

With Office 365, several encryption capabilities are available by default. Additional encryption capabilities can be configured to meet certain compliance or legal requirements. The following table describes several encryption methods for different scenarios.

Scenario: Files are saved on Windows computers
Encryption methods: Encryption at the computer level can be done using BitLocker on Windows devices. As an enterprise administrator or IT Pro, you can set this up using the Microsoft Deployment Toolkit (MDT). See Set up MDT for BitLocker.

Scenario: Files are saved on mobile devices
Encryption methods: Some kinds of mobile devices encrypt files that are saved to those devices by default. With Capabilities of built-in Mobile Device Management for Office 365, you can set policies that determine whether to allow mobile devices to access data in Office 365. For example, you can set a policy that allows only devices that encrypt content to access Office 365 data. See Create and deploy device security policies.
For additional control over how mobile devices interact with Office 365, you can consider adding Microsoft Intune.

Scenario: You need control over the encryption keys used to encrypt your data in Microsoft's data centers
Encryption methods: As an Office 365 administrator, you can control your organization's encryption keys and then configure Office 365 to use them to encrypt your data at rest in Microsoft's data centers.
Service encryption with Customer Key in Office 365

Scenario: People are communicating via email (Exchange Online)
Encryption methods: As an Exchange Online administrator, you have several options for configuring email encryption. These include:
- Using Office 365 message encryption (OME) with Azure Rights Management (Azure RMS) to enable people to send encrypted messages inside or outside your organization
- Using S/MIME for message signing and encryption to encrypt and digitally sign email messages
- Using TLS to set up connectors for secure mail flow with another organization
See Email encryption in Office 365.

Scenario: Files are accessed from team sites or document libraries (OneDrive for Business or SharePoint Online)
Encryption methods: When people are working with files saved to OneDrive for Business or SharePoint Online, TLS connections are used. This is built into Office 365 automatically. See Data Encryption in OneDrive for Business and SharePoint Online.

Scenario: Files are shared in online meetings and IM conversations (Skype for Business Online)
Encryption methods: When people are working with files using Skype for Business Online, TLS is used for the connection. This is built into Office 365 automatically. See Security and Archiving (Skype for Business Online).

Scenario: Files are shared in online meetings and IM conversations (Microsoft Teams)
Encryption methods: When people are working with files using Microsoft Teams, TLS is used for the connection. This is built into Office 365 automatically. Microsoft Teams does not currently support inline rendering of encrypted email. To prevent encrypted email from landing in Microsoft Teams as encrypted, see Message Encryption FAQ.

Additional information

To learn more about file protection solutions that include encryption options, see File Protection Solutions in Office 365.