Security for Microsoft Search
This article applies to the Microsoft Search in Bing admin portal. We’re moving the portal to the Microsoft 365 admin center, and then the Microsoft Search in Bing portal will be removed. We recommend that you use the Microsoft 365 admin center to get started. Overview of Microsoft Search.
With enterprise-grade security, Microsoft Search always keeps your users and data protected.
Secure by default
Microsoft Search always ensures requests are made over HTTPS. This safeguard ensures the connection is encrypted end-to-end for enhanced security.
Authentication and authorization with Azure Active Directory
Authentication for Microsoft Search is tied to Azure Active Directory. When Microsoft Search users go to Bing, the Bing header will show sign-in options for a Microsoft account as well as a work or school account. If Bing can't determine whether a user is an eligible participant, users can go to the Explore Microsoft Search page, where they'll be automatically redirected to your organization's sign-in page.
Users can access Microsoft Search only through a work or school account. They need to sign in with the same credentials they use to access Office 365 services such as SharePoint or Outlook. A personal Microsoft account can't be used to sign in to Microsoft Search.
Users can't be signed in to Bing with both a Microsoft account and a work or school account at the same time.
If a user is already authenticated with their work or school account in another service, such as Outlook or SharePoint, they'll be automatically signed in to Microsoft Search when they go to Bing in the same browser. Also, when the user signs out of Microsoft Search, they'll be automatically signed out from other services in the same browser.
Communicates with the Trusted Cloud from the browser
When a user signs in with their work or school account, Bing will download the necessary client libraries to the browser to enable Microsoft Search results. Then, when they search, the in-browser code calls the Office 365 cloud to get work results. To do this, Microsoft Search uses a dedicated API that is Tier C (SOC2 Type 1) compliant pursuant to the Office 365 Compliance Framework for Industry Standards and Regulations (PDF download). This means work results and work data never flow through non-compliant Bing systems.
Work results retrieved from Office 365 workloads such as SharePoint and OneDrive for Business are security trimmed at the source. Users can't see resources such as Word documents or PowerPoint presentations they can't see and access through Office 365. They can only see their own files and files that have been shared with them by the author explicitly or implicitly (through a group membership, for example) in SharePoint.
Protects user queries from the public portion of Bing
Because work-related searches may be sensitive, Microsoft Search has implemented a set of trust measures for how these are handled by the public web results part of Bing.
Regardless of whether a user query contains one or more work results in the returned response, the following measures are taken:
- All search logs pertaining to Microsoft Search traffic are de-identified. They're retained for 18 months.
- Queries stored in these system logs will only be used to model and train public features such as autosuggest or related searches for public web results when a set of restrictions and frequency thresholds are met, which gives us confidence that these queries are common and not specific to a particular organization. The query must appear a significant amount of times in corelating data from non-Microsoft Search users, and the query must not trigger exclusively enterprise search results. Queries that do not meet these requirements will be stored separately from public, non-Microsoft Search traffic.
- Restricted access is managed via various secure mechanisms, including security groups and other layers within the engineering system.
- When signed in with a work or school account, a user's search history won't be available on other computers or devices.
- Enterprise search queries are never shared with or suggested to advertisers.
- Ads are never targeted to a user based on their work identity or organization.
The May 21, 2018, blog post from Microsoft reflects our commitment to GDPR compliance and how Microsoft helps businesses and organizations with their own GDPR compliance obligations. You can find additional detail in the Microsoft Trust Center FAQ. Microsoft Search queries that operate against organizational customers' Customer Data within the Online Services will also meet the processor commitments outlined in Article 28 as reflected in the Trust Center FAQ. With respect to queries from Microsoft Search that go to public Bing, Microsoft is a data controller and has implemented measures to de-identify the queries as outlined under GDPR.