When you put your data in SharePoint and OneDrive for Microsoft 365, you remain the owner of the data. For more info about the ownership of your data, see Microsoft 365 Privacy by Design.

Microsoft engineers administer SharePoint and OneDrive using a PowerShell console that requires two-factor authentication. We perform day-to-day tasks by running workflows so we can rapidly respond to new situations. Check-ins to the service require code review and management approval.

No engineer has standing access to the service. When engineers need access, they must request it. Eligibility is checked, and if engineer access is approved, it's only for a limited time. In rare cases where Microsoft engineers need access to content (for example, if you submit a support ticket because a user can't access an important file that we believe is damaged), the engineers must check in a specific workflow that requires business justification and manager approval. An audit event is generated that you can view in the Microsoft 365 admin center. You can also turn on a feature called Customer Lockbox, so you need to approve the request. The engineer gets access only to the file in question. To learn how to turn on or off Customer Lockbox and approve and deny requests, see Microsoft Purview Customer Lockbox Requests.

One of the most important things you can do to safeguard your data is to require two-factor authentication for your identities in Microsoft 365. This prevents credentials from being used without a second factor and mitigates the impact of compromised passwords. The second factor can be made through a phone call, text message, or app. When you roll out two-factor authentication, start with your Global Administrators, and then other admins and site collection admins. For info about how to do this, see Set up multi-factor authentication for Microsoft 365 users.

Other things we recommend to increase security:

Use Azure Active Directory device-based conditional access to block or limit access on unmanaged devices like airport or hotel kiosks. See Control access from unmanaged devices.

Create policies to sign users out of Microsoft 365 web sessions after a period of inactivity. For information, see Sign out inactive users.

Evaluate the need for IP-based sessions. These simulate the access model of an on-premises deployment. Read more at Control access based on network location or app.

Empower workers to share broadly but safely. You can require sign-in or use links that expire or grant limited privileges. See Manage external sharing for your SharePoint environment.

Prevent accidental exposure of sensitive content. Create DLP policies to identify documents and prevent them from being shared.

Protected in transit and at rest

Protected in transit

When data transits into the service from clients, and between datacenters, it's protected using best-in-class encryption. For info, see Data Encryption in OneDrive and SharePoint. We won't make authenticated connections over HTTP but, instead, redirect to HTTPS.

Physical protection: Only a limited number of essential personnel can gain access to datacenters. Their identities are verified with multiple factors of authentication, including smart cards and biometrics. There are on-premises security officers, motion sensors, and video surveillance. Intrusion detection alerts monitor anomalous activity.

Network protection: The networks and identities are isolated from the Microsoft corporate network. We administer the service with dedicated Active Directory domains, we have separate domains for test and production, and the production domain is divided into multiple isolated domains for reliability and security. For more information about the built-in physical and logical security from Microsoft 365, see Built-in security from Microsoft 365.

Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities.