Encryption for data-in-transit

In addition to protecting customer data at rest, Microsoft uses encryption technologies to protect customer data in transit. Data is in transit:

  • When a client machine communicates with a Microsoft server
  • When a Microsoft server communicates with another Microsoft server
  • When a Microsoft server communicates with a non-Microsoft server (for example, Exchange Online delivering email to a third-party email server)

Inter-datacenter communications between Microsoft servers take place over TLS or IPsec, and all customer-facing servers negotiate a secure session using TLS with client machines. For example, Exchange uses TLS 1.2 with 256-bit cipher strength (FIPS 140-2 Level 2-validated). See Technical reference details about encryption for a list of TLS cipher suites supported by Microsoft 365. This information applies to the protocols that clients such as Outlook, Microsoft Teams, and Outlook on the web use (for example, HTTP, POP3, and so on).

Microsoft IT SSL issues the public certificates by using SSLAdmin, an internal Microsoft tool that protects the confidentiality of transmitted information. All certificates issued by Microsoft IT have a minimum key length of 2,048 bits. WebTrust compliance requires SSLAdmin to make sure that certificates are issued only to public IP addresses owned by Microsoft. Any IP addresses that don't meet this criterion go through an exception process.

All implementation details, such as the version of TLS being used, whether Forward Secrecy is enabled, and the order of cipher suites, are publicly available. One way to see these details is to use a third-party website, such as Qualys SSL Labs. The following links go to automated test pages from Qualys that display information for these services:

For Exchange Online Protection, URLs vary by tenant names. However, all customers can test Microsoft 365 by using microsoft-com.mail.protection.outlook.com.
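As an added example (not part of this article or of any Microsoft tooling), the Python script below does the kind of check the Qualys page performs, but from your own network: it opens a STARTTLS session to the test host named above and compares what was negotiated against the properties this article lists (TLS 1.2 or later, 256-bit cipher strength, forward secrecy, a 2,048-bit key). The `assess` function is separated from the network probe so the same rules can be applied to any observation; the optional `cryptography` package is only used to read the certificate key size.

```python
"""Check a TLS endpoint against the transit-encryption baseline described above."""
import smtplib
import ssl
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TlsObservation:
    version: str            # as returned by SSLSocket.version(), e.g. "TLSv1.2"
    cipher_name: str        # OpenSSL suite name, e.g. "ECDHE-RSA-AES256-GCM-SHA384"
    cipher_bits: int        # symmetric key strength reported by SSLSocket.cipher()
    key_bits: Optional[int] # certificate public-key size; None if not determined


def assess(obs: TlsObservation) -> Dict[str, bool]:
    """One pass/fail flag per property; all True means the baseline is met."""
    # TLS 1.3 suites always use (EC)DHE key exchange; in TLS 1.2 the suite name says so.
    forward_secrecy = obs.version == "TLSv1.3" or obs.cipher_name.startswith(("ECDHE", "DHE"))
    return {
        "tls_version_ok": obs.version in ("TLSv1.2", "TLSv1.3"),
        "cipher_bits_ok": obs.cipher_bits >= 256,
        "forward_secrecy": forward_secrecy,
        # A missing key size is reported as unknown rather than as a failure.
        "key_bits_ok": obs.key_bits is None or obs.key_bits >= 2048,
    }


def probe_smtp_starttls(host: str, port: int = 25) -> TlsObservation:
    """Connect over SMTP, upgrade with STARTTLS and record what was negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older outright
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls(context=ctx)
        sock = smtp.sock  # now an ssl.SSLSocket
        name, _protocol, bits = sock.cipher()
        key_bits = None
        try:  # reading the key size needs the DER certificate parsed
            from cryptography import x509
            cert = x509.load_der_x509_certificate(sock.getpeercert(binary_form=True))
            key_bits = cert.public_key().key_size
        except ImportError:
            pass
        return TlsObservation(sock.version(), name, bits, key_bits)


if __name__ == "__main__":
    # Public test host named in the article for Exchange Online Protection.
    print(assess(probe_smtp_starttls("microsoft-com.mail.protection.outlook.com")))
```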