
Office 365 security in questions and answers

Sandra Lupanava


Sandra is SharePoint Evangelist at ScienceSoft, a software development and consulting company headquartered in McKinney, Texas. With her 6+ years in marketing, Sandra voices SharePoint’s strengths to contribute to the platform’s positive image as well as raise user adoption and loyalty. Today Sandra advocates harnessing SharePoint’s non-trivial capabilities to create business-centric, industry-specific innovation and knowledge management solutions.


While Office 365 has already passed the threshold of 100 million active users, its growth has not stopped there. The recent 2017 Global SharePoint Survey by Hyperfish, Sharegate and Nintex shows that at least 32% of organizations are planning their migration to Office 365, and 16% are already in the process. What's interesting is that another 32% of respondents confirm that Office 365 security concerns are the main reason that keeps them from moving to the cloud.

With the release of Microsoft 365, which includes Office 365 and offers enterprise security as part of the package, companies have even more options to kick off their cloud collaboration. That's why we can expect even more doubts and discussion about the security of both cloud suites.

So are there true reasons for organizations to worry or are the security-related fears groundless? In this article, we will focus on different security aspects of Office 365 and Microsoft 365. We will answer the most frequent questions on Office 365 security to help you decide whether you can trust the Microsoft cloud or you'd rather stay with your on-premises deployment.

Office 365 Security

Office 365 security from the organizational perspective

Organizations that decide to move their on-premises deployments to the cloud can feel uneasy. When a company is used to having full control of its deployments and data, it can hesitate to locate them in a cloud owned and managed by a third party, even if that third party is a world-known software giant.

Let's answer several questions companies can have if they decide to start with Office 365.

What measures does Microsoft take to protect our Office 365 deployment and data?

Physically, your deployment is hosted in Microsoft datacenters located in different parts of the world. Microsoft maintains multiple layers of physical security in these datacenters to prevent physical break-ins. Microsoft is also responsible for keeping Office 365 up and running and for delivering regular functional and security updates to the suite.

Microsoft undertakes to keep your data inaccessible to third parties and not to use your data for advertising or marketing campaigns. However, you should understand that in certain extreme situations Microsoft will have to disclose your data, for example, when legally required to do so. But be assured that your data will be disclosed only if Microsoft fails to contact your organization by all available means.

What are Office 365 security features we can leverage?

Microsoft follows the defense-in-depth principle to ensure robust protection of its cloud services. This principle implies at least two categories of Office 365 security features:

  • Built-in security features
  • Customer controls

Microsoft applies its proprietary threat management strategy, which includes a variety of threat protection mechanisms to protect organizations from malware and viruses, phishing campaigns and spoofing, DDoS attacks and other types of security threats.

There are also multiple customer controls that let every organization configure its own security within the Office 365 environment. This security layer covers such essential aspects as safe access to the Office 365 services the organization is subscribed to, multi-factor authentication and role-based access control (RBAC) for end users, data loss prevention (DLP) features, message encryption and more.

Can we stay compliant if we use Office 365?

Compliance is one of the major pain points for organizations that consider adopting Office 365. In reality, the picture is mixed.

At the moment, Office 365 meets the requirements specified in ISO 27001, European Union Model Clauses, the Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), and the Federal Information Security Management Act (FISMA).

Moreover, Microsoft offers a variety of certifications and attestations to help organizations comply with their national, regional and industry-specific requirements. You can find a comprehensive list of certificates in the Office 365 Trust Center.

The quickest way to see which Office 365 services and apps meet the highest level of compliance is to consult the Microsoft Compliance Framework. There you will see that SharePoint Online has a higher compliance category than, for example, Microsoft Teams or Planner, which means the latter still have gaps in their compliance. As for Microsoft Stream, this new Office 365 service isn't covered by compliance certifications at all and is currently at the auditing stage only.

All in all, it's worth cooperating on compliance issues directly with Microsoft or with your Office 365 consulting agency. That's exactly what Henkel did while implementing Office 365 solutions compliant with the General Data Protection Regulation (GDPR).

Office 365 security from the end user perspective

Office 365 offers great collaboration flexibility, so employees can use the suite on various devices and from any location. However, this freedom should be paired with the confidence that employees work in a protected environment, especially if they deal with sensitive data.

Can anybody access the content I am working on in Office 365?

Office 365 encrypts data both at rest and in transit, which means your content can't be read unless a malicious user has the decryption key. Office 365 uses established encryption protocols and technologies, including TLS/SSL, Internet Protocol Security (IPSec) and the Advanced Encryption Standard (AES).

We should highlight that the encryption of data at rest applies to enterprise-level apps and services. For example, OneDrive for Business protects every file stored in it, while OneDrive for non-business users doesn't guarantee content encryption. So avoid using your personal storage instead of corporate storage.

Can I use Office 365 on mobile devices securely?

The mobile security of Office 365 subscribers is provided via two major sets of tools: built-in mobile device management (MDM) features and Microsoft Intune.

MDM for Office 365 lets admins create dedicated mobile policies to control access to organizational email and documents from supported mobile devices and apps. Thus, if you lose your device, Office 365 admins will be able to reach the device remotely and wipe any sensitive data from it.

Organizations with complex mobile environments can use Microsoft Intune. Office 365 users can access it via a separate subscription, while Microsoft 365 offers it out of the box. The service allows managing collections of mobile devices and controlling mobile access to Office 365 services, and also enables mobile application management (MAM).

How can I keep control over the shared data?

Data loss prevention (DLP) policies help to address this Office 365 security challenge. When Office 365 admins set DLP policies, automatic alerts trigger every time you try to send emails or share documents containing sensitive information, be it financial data or personally identifiable information (PII): credit card numbers, social security numbers and health records. While you always keep control over the data you share, admins can continuously monitor sensitive data flows and block them at any time.
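To make the detection side of such a policy concrete, here is an added example (not code from the article or from Microsoft's DLP engine) that scans constructed message bodies for credit card and US social security numbers and masks what it finds, so the alert itself doesn't leak the value. The card check uses a Luhn validation step, which is what keeps order numbers and similar digit strings from producing false positives.

```python
import re

# Constructed sample messages (not from the original article); the first two
# contain sensitive data, the third only looks like a card number.
SAMPLE_MESSAGES = {
    "expense_report": "Please reimburse card 4111 1111 1111 1111 for the Dallas trip.",
    "hr_note": "New hire SSN is 219-09-9999, start date is Monday.",
    "order_id": "Order 4111111111111112 has shipped.",
    "newsletter": "Quarterly SharePoint webinar is on Thursday.",
}

# 13-19 digits with optional space/dash separators; candidates are then Luhn-checked
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN layout with the never-issued area/group/serial ranges excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the alert doesn't re-leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str) -> list:
    """Return (type, masked_value) findings for one message body."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # drops order numbers, phone numbers and the like
            findings.append(("credit_card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    return findings


def scan_messages(messages: dict) -> dict:
    """Classify each message; a non-empty list is what a DLP policy would alert on."""
    return {name: classify(body) for name, body in messages.items()}
```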

Office 365 security from the IT admin perspective

Finally, we come to IT specialists who are responsible for the overall enterprise security. To ensure employees' protected work within the suite, IT professionals can apply a variety of security methods and tools available in Office 365.

How can admins monitor the security of Office 365 deployment?

The admins of Office 365 business plans get access to the Office 365 admin center. Using the native capabilities of the admin center, IT specialists can manage a variety of security parameters within their Office 365 solutions, including:

  • User permissions
  • Security settings within Office 365 groups
  • Security updates
  • Access rights for external users
  • Security policies
  • Reports on the security state across Office 365 apps and services, etc.

Additionally, Office 365 admins can access separate admin centers for major Office 365 apps and services, such as Exchange Online, SharePoint Online, Skype for Business and Yammer. This allows admins to set up granular security controls within each of the Office 365 components and have a detailed view of each of them.

How can admins discover Office 365 security weaknesses?

To keep track of Office 365 security, IT admins can use a specialized analytical tool, Office 365 Secure Score. While analyzing the Office 365 environment, Secure Score allows Office 365 admins to:

  • Assess the current security state of the deployment and compare it with the established baselines.
  • Discover security issues that require admins' attention to prevent a potential Office 365 security breach.
  • Get recommendations on how to fix the detected issues and improve the overall security score.

Apart from that, Secure Score provides an overall risk assessment and shows the risk the company faces if they don't take any actions.

What measures should admins take to minimize the risk of cyberattacks?

We live in a cyber-insecure world where a great number of breaches happen every day, so it would be naïve to expect that Office 365 won't attract attackers.

Currently, there is a visible predominance of brute-force attacks and email-related attacks that target Exchange Online service. In 2016, a massive Cerber ransomware attack hit millions of Office 365 users. Since May 2017, organizations all over the world report targeted KnockKnock attacks on their Exchange Online accounts.

Taking this trend into consideration, IT admins should pay particular attention to password policies, as well as enable and continuously monitor Office 365 email security. It can also be reasonable to conduct penetration testing at least once a year to check the safety of the Office 365 environment.
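Continuous monitoring of sign-ins is one way to act on the brute-force trend described above. The following added example (not from the article, and not Office 365's own audit format) runs two simple detections over constructed sign-in records in a simplified "timestamp result user source_ip" layout: repeated failures against one account, and one source failing against many accounts (password spraying). It also raises a higher-severity alert when a success follows a run of failures. The window and thresholds are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real Exchange Online audit data).
SIGNIN_LOG = """
2017-10-02T08:00:01Z FAIL alice@contoso.example 203.0.113.7
2017-10-02T08:00:03Z FAIL alice@contoso.example 203.0.113.7
2017-10-02T08:00:05Z FAIL alice@contoso.example 203.0.113.7
2017-10-02T08:00:06Z FAIL alice@contoso.example 203.0.113.7
2017-10-02T08:00:08Z FAIL alice@contoso.example 203.0.113.7
2017-10-02T08:00:10Z SUCCESS alice@contoso.example 203.0.113.7
2017-10-02T09:10:00Z FAIL bob@contoso.example 198.51.100.9
2017-10-02T09:10:02Z FAIL carol@contoso.example 198.51.100.9
2017-10-02T09:10:04Z FAIL dave@contoso.example 198.51.100.9
2017-10-02T09:10:06Z FAIL erin@contoso.example 198.51.100.9
2017-10-02T11:00:00Z FAIL frank@contoso.example 192.0.2.4
2017-10-02T11:30:00Z SUCCESS frank@contoso.example 192.0.2.4
""".strip().splitlines()

WINDOW = timedelta(minutes=10)   # assumed sliding window
BRUTE_FORCE_FAILS = 5            # assumed: failures against one account in WINDOW
SPRAY_ACCOUNTS = 4               # assumed: distinct accounts failed from one IP in WINDOW


def parse(line):
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def detect(lines):
    """Return sorted (alert_type, subject) tuples for the given sign-in records."""
    events = sorted(parse(line) for line in lines)
    fails_by_user = defaultdict(list)   # user -> failure timestamps inside WINDOW
    fails_by_ip = defaultdict(dict)     # ip -> {user: time of last failure}
    alerts = set()
    for ts, result, user, ip in events:
        if result == "FAIL":
            recent = [t for t in fails_by_user[user] if ts - t <= WINDOW] + [ts]
            fails_by_user[user] = recent
            if len(recent) >= BRUTE_FORCE_FAILS:
                alerts.add(("brute_force", user))
            fails_by_ip[ip][user] = ts
            sprayed = [u for u, t in fails_by_ip[ip].items() if ts - t <= WINDOW]
            if len(sprayed) >= SPRAY_ACCOUNTS:
                alerts.add(("password_spray", ip))
        elif ("brute_force", user) in alerts and ts - fails_by_user[user][-1] <= WINDOW:
            # a success right after a flagged run of failures is the case to escalate
            alerts.add(("success_after_brute_force", user))
    return sorted(alerts)
```

A single failure followed by a later success (frank) produces no alert, which is the behaviour you want so that ordinary typos don't page anyone.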

Be proactive in your Office 365 security

Even though Office 365 is a cloud platform owned by Microsoft, you shouldn't assume that Microsoft is solely responsible for the security of your solution. Yes, the corporation puts great effort into implementing various security features that its customers can leverage, and the overall protection of the cloud can hardly be questioned.

At the same time, your Office 365 solution belongs to you, so only you can take full control of your Office 365 environment and users. Security is one of the aspects where being proactive is a must. Don't wait for a real attack to topple your Office 365 deployment; take preventive measures. If you don't have the internal resources to handle security challenges, you can always turn to an Office 365 consulting team that will help you build robust security tuned for your organization.

What are your Office 365 security concerns? What tools do you use, and which technologies prove to be most effective for your Office 365 deployment? You are welcome to share your experience in the comments below.
