

Encryption and key management overview

What role does encryption play in protecting customer content?

Most Microsoft business cloud services are multitenant, meaning that customer content might be stored on the same physical hardware as other customers' content. To protect the confidentiality of customer content, Microsoft online services encrypt all data at rest and in transit with some of the strongest and most secure encryption protocols available.

Encryption isn't a substitute for strong access controls. Microsoft's access control policy of Zero Standing Access (ZSA) protects customer content from unauthorized access by Microsoft employees. Encryption complements access control by protecting the confidentiality of customer content wherever it's stored and by preventing content from being read while in transit between Microsoft online services systems or between Microsoft online services and the customer.

How do Microsoft online services encrypt data-at-rest?

Microsoft online services protect all customer content with one or more forms of encryption. Microsoft servers use BitLocker to encrypt the disk drives containing customer content at the volume level. The encryption that BitLocker provides protects customer content if there are lapses in other processes or controls (for example, access control or recycling of hardware) that could lead to unauthorized physical access to disks containing customer content.

In addition to volume-level encryption, Microsoft online services use encryption at the application layer to encrypt customer content. Service encryption provides rights protection and management features on top of strong encryption protection. It also allows for separation between Windows operating systems and the customer data stored or processed by those operating systems.

How do Microsoft online services encrypt data-in-transit?

Microsoft online services use strong transport protocols, such as Transport Layer Security (TLS), to prevent unauthorized parties from eavesdropping on customer data while it moves over a network. Examples of data in transit include mail messages that are in the process of being delivered, conversations taking place in an online meeting, or files being replicated between datacenters.

For Microsoft online services, data is considered 'in transit' whenever a user's device is communicating with a Microsoft server, or a Microsoft server is communicating with another server.
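The practitioner's check for data in transit is not that TLS is present but which version was negotiated, because a server that still accepts TLS 1.0 or 1.1 and a client that will happily settle for it leave the channel weaker than the policy intends. The Go program below is an added example, not code from Microsoft or from this page: it issues a throwaway self-signed certificate for the constructed host name mail.example.test, runs a real TLS handshake over loopback, and shows that a version floor set on the server (MinVersion) and a ceiling offered by the client (MaxVersion) either agree on a version or the handshake is refused. The certificate, host name and version policies are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a throwaway ECDSA P-256 certificate for host, in memory,
// so the example runs offline. It stands in for a server certificate and is not one of Microsoft's.
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Handshake performs one TLS handshake over loopback and returns the negotiated
// protocol version. serverMin is the oldest version the server accepts; clientMax
// the newest the client offers. The client itself never goes below TLS 1.2.
func Handshake(serverMin, clientMax uint16) (uint16, error) {
	const host = "mail.example.test" // constructed name, not a real endpoint
	cert, pool, err := selfSignedCert(host)
	if err != nil {
		return 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		s := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: serverMin})
		err = s.Handshake()
		s.Close()
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    pool, // trust exactly our own root; never InsecureSkipVerify
		ServerName: host, // hostname verification against the certificate's DNSNames
		MinVersion: tls.VersionTLS12,
		MaxVersion: clientMax,
	})
	ln.Close()
	<-srvErr
	if err != nil {
		return 0, err
	}
	defer c.Close()
	return c.ConnectionState().Version, nil
}

func main() {
	for _, tc := range []struct{ srvMin, cliMax uint16 }{
		{tls.VersionTLS12, tls.VersionTLS13},
		{tls.VersionTLS12, tls.VersionTLS12},
		{tls.VersionTLS13, tls.VersionTLS12}, // policy mismatch: server insists on 1.3
	} {
		v, err := Handshake(tc.srvMin, tc.cliMax)
		if err != nil {
			fmt.Println("refused:", err)
			continue
		}
		fmt.Printf("negotiated 0x%04x\n", v)
	}
}
```

The same two fields are where a real client or server pins its floor: a client that sets MinVersion to TLS 1.2 cannot be downgraded by a server that still offers 1.0, and ConnectionState().Version is what to log if you need evidence of the version actually used rather than the version configured.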

How do Microsoft online services manage the keys used for encryption?

Strong encryption is only as secure as the keys used to encrypt data. Microsoft uses its own TLS certificates and the associated private keys to establish the TLS connections that protect data in transit. For data at rest, BitLocker-protected volumes are encrypted with a full volume encryption key (FVEK), which is encrypted with a volume master key (VMK), which in turn is sealed to the Trusted Platform Module (TPM) in the server. BitLocker uses FIPS 140-2 compliant algorithms, and the keys in this chain are never stored or sent over the wire in the clear.

Service encryption provides another layer of encryption for customer data-at-rest, giving customers two options for encryption key management: Microsoft-managed keys or Customer Key. When you use Microsoft-managed keys, Microsoft online services automatically generate and securely store the root keys used for service encryption.

Customers with requirements to control their own root encryption keys can use service encryption with Microsoft Purview Customer Key. With Customer Key, customers generate their own cryptographic keys by using either an on-premises Hardware Security Module (HSM) or Azure Key Vault (AKV). Customer root keys are stored in AKV, where they serve as the root of one of the keychains that encrypts customer mailbox data or files. Microsoft online service code can only access customer root keys indirectly for data encryption, and Microsoft employees can't access them directly.
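Both chains in this section have the same shape: bulk data is encrypted under a leaf key, each key is wrapped by the key above it, and the top key is wrapped by a root that lives somewhere the data does not (a TPM for BitLocker, a customer-held root key in AKV for Customer Key). The Go program below is an added example written for this page, not Microsoft's BitLocker or Customer Key implementation, and it generalizes the two cases into one key hierarchy with a configurable number of levels. Every hop is AES-256-GCM key wrapping with the key's role bound in as associated data. The TPM is simulated by deriving the sealing key from constructed PCR strings, which is an assumption made so the example runs anywhere (a real TPM never exposes its sealing key); the role names fvek, vmk and dek and the sample contents are likewise constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Wrapped is one hop of a key chain: a key (or the payload) under the key above it, with its role as associated data.
type Wrapped struct {
	Nonce, Blob []byte
	Role        string
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys here are always 32 bytes, so this cannot fail
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // only fails for a non-AES block size
	return aead
}

// Wrap encrypts plaintext under kek; Unwrap fails for a wrong kek, a tampered blob or a changed role.
func Wrap(kek, plaintext []byte, role string) Wrapped {
	aead := gcm(kek)
	nonce := randomBytes(aead.NonceSize())
	return Wrapped{nonce, aead.Seal(nil, nonce, plaintext, []byte(role)), role}
}
func Unwrap(kek []byte, w Wrapped) ([]byte, error) {
	return gcm(kek).Open(nil, w.Nonce, w.Blob, []byte(w.Role))
}

// Chain: Data is under the key in Keys[0]; Keys[i] is under the key in Keys[i+1]; the top key is under the root.
type Chain struct {
	Data Wrapped
	Keys []Wrapped
}

// Protect builds a chain with one fresh 256-bit key per role, leaf role first (roles must be non-empty).
func Protect(root, data []byte, roles []string) Chain {
	key := randomBytes(32)
	c := Chain{Data: Wrap(key, data, "data")}
	for i, role := range roles {
		kek := root
		if i+1 < len(roles) {
			kek = randomBytes(32)
		}
		c.Keys = append(c.Keys, Wrap(kek, key, role))
		key = kek
	}
	return c
}

// Open walks the chain top-down from the root, as boot-time unlock or a mailbox read does.
func Open(root []byte, c Chain) ([]byte, error) {
	kek := root
	for i := len(c.Keys) - 1; i >= 0; i-- {
		k, err := Unwrap(kek, c.Keys[i])
		if err != nil {
			return nil, fmt.Errorf("unwrapping %s: %w", c.Keys[i].Role, err)
		}
		kek = k
	}
	return Unwrap(kek, c.Data)
}

// RotateRoot rewraps only the top key; the bulk ciphertext is untouched, so a root rotation never re-encrypts data.
func RotateRoot(oldRoot, newRoot []byte, c Chain) (Chain, error) {
	top := len(c.Keys) - 1
	k, err := Unwrap(oldRoot, c.Keys[top])
	if err != nil {
		return Chain{}, err
	}
	c.Keys = append([]Wrapped(nil), c.Keys...) // copy, so the caller's chain is left alone
	c.Keys[top] = Wrap(newRoot, k, c.Keys[top].Role)
	return c, nil
}

// sealingKey stands in for the TPM (an assumption for this example): the VMK's wrapping key is derived
// from the measured platform state, so the VMK unseals only while the measurements match.
func sealingKey(pcrs []string) []byte {
	sum := sha256.Sum256([]byte(strings.Join(pcrs, "\x00")))
	return sum[:]
}

func main() {
	pcrs := []string{"pcr0=firmware-v1", "pcr7=secure-boot-on"} // constructed measurements
	vol := Protect(sealingKey(pcrs), []byte("customer content"), []string{"fvek", "vmk"})
	_, err := Open(sealingKey([]string{"pcr0=firmware-v1", "pcr7=secure-boot-off"}), vol)
	fmt.Println("BitLocker-style chain on a changed platform:", err)
	root1, root2 := randomBytes(32), randomBytes(32)
	box, _ := RotateRoot(root1, root2, Protect(root1, []byte("mailbox item"), []string{"dek"}))
	_, err = Open(root1, box)
	fmt.Println("Customer Key-style chain, old root after rotation:", err)
}
```

Two properties of the hierarchy fall out of the code: a disk pulled from a server and booted on a different platform cannot unseal the VMK, so the FVEK and the data stay opaque; and rotating or withdrawing the customer root only rewraps the DEK, so the old root stops working immediately while the mailbox ciphertext is never rewritten.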

Microsoft regularly audits its online services for compliance with external regulations and certifications. For validation of controls related to encryption and key management, see the following tables.

Azure and Dynamics 365

| External audits | Section | Latest report date |
|---|---|---|
| ISO 27001 (Statement of Applicability, Certificate) | A.10.1: Cryptographic controls; A.18.1.5: Cryptographic controls | May 22, 2025 |
| ISO 27017 (Statement of Applicability, Certificate) | A.10.1: Cryptographic controls; A.18.1.5: Cryptographic controls | May 22, 2025 |
| ISO 27018 (Statement of Applicability, Certificate) | A.11.6: Encryption of PII transmitted over public data transmission networks | May 22, 2025 |
| SOC 1, SOC 2, SOC 3 | DS-1: Secure storage of cryptographic certificates and keys; DS-2: Customer data is encrypted in-transit; DS-3: Internal communication of Azure components encrypted in-transit; DS-4: Cryptographic controls and procedures | August 27, 2025 |

Microsoft 365

| External audits | Section | Latest report date |
|---|---|---|
| FedRAMP | SC-8: Transmission confidentiality and integrity; SC-13: Use of cryptography; SC-28: Protection of information at rest | August 21, 2024 |
| ISO 27001/27017 (Statement of Applicability, Certification (27001), Certification (27017)) | A.10.1: Cryptographic controls; A.18.1.5: Cryptographic controls | March 2022 |
| ISO 27018 (Statement of Applicability, Certificate) | A.11.6: Encryption of PII transmitted over public data transmission networks | March 2022 |
| SOC 2 | CA-44: Data-in-transit encryption; CA-54: Data-at-rest encryption; CA-62: Customer Key mailbox encryption; CA-63: Customer Key data deletion; CA-64: Customer Key | February 26, 2025 |
| SOC 3 | CUEC-16: Customer encryption keys; CUEC-17: Customer Key vault; CUEC-18: Customer Key rotation | February 26, 2025 |