In running the Office 365 service globally, we know that security, privacy and compliance are imperatives for customers, and that’s why these remain unwavering priorities for us. We recognize as a cloud service provider that providing customers with visibility into actions taken on their content and control over access to their content in the cloud are essential to earning and maintaining their trust, and so transparency and control are ongoing focus areas for our security investments in Office 365.

Today, we are announcing three new capabilities that significantly enhance customers’ transparency and control of their data in Office 365. These new capabilities give customers greater visibility into actions taken related to their data, and enhanced control over access to their content residing in Office 365.

Security and compliance signals

We currently provide customers with a range of logs on their user interactions with content in Office 365. This provides customers with visibility that is important for meeting business policies, as well as regulations. Today we are announcing the expansion of these logs to include the majority of user, admin and policy related actions across Exchange Online and SharePoint Online in Office 365. We are also introducing a new Office 365 Management Activity API through which customers and partners can use the logs as Security and Compliance signals within solutions that provide monitoring, analysis and data visualization.

The solutions built with this API will provide organizations with greater visibility into actions taken on their content, as well as enhanced security, for example, as an input into a Security Incident and Event Management (SIEM) system. Several Office 365 partners have already built early solutions using this new API as part of a pre-release program. We will release the API more broadly this summer as part of a private preview program. Interested customers and partners can sign up here to be included in the preview program. Learn more in this blog.

Customer Lockbox

For the purpose of maximizing data security and privacy for Office 365 customers, we have engineered the service to require nearly zero interaction with customer content by Microsoft employees.  Nearly all service operations performed by Microsoft are either fully automated so there is no human interaction, or the human involvement is abstracted away from Office 365 customer content. As a result, there are very few activities requiring any direct involvement by a Microsoft engineer. But, we didn’t want to stop there. We are taking the next step by putting the customer in explicit control over access to their content in the very rare instances when a Microsoft engineer does to log into the Office 365 service.

This new capability, Customer Lockbox for Office 365, provides unprecedented customer control over content residing in Office 365, so customers can be assured that their content will not be accessed by Microsoft employees without their explicit approval. It brings customers into the access approval loop, requiring the customer to provide explicit approval of access to their content by a Microsoft employee for service operations. The Customer Lockbox feature will be enabled in Office 365 for Exchange Online by the end of this year, and for SharePoint Online in the first quarter of 2016. You can learn more about Customer Lockbox in this blog.

Advanced encryption for email

Today, Office 365 encrypts customer content at rest and in transit. In addition, Office 365 has a number of customer-controlled encryption solutions such as Rights Management, S/MIME and Office 365 Message Encryption.  In 2014, in addition to BitLocker for drive level encryption, we implemented content level encryption with per-file encryption for documents in SharePoint Online and OneDrive for Business.

In the next few months, we will add a similar content level encryption for email in Office 365. Implementing this feature will increase the separation of server administration from the data stored in Office 365, resulting in an added layer of security. This new layer of content level encryption uses keys that are protected using hardware security modules certified to FIPS 140-2 Level 2.  This new advanced encryption for email will be provided in Office 365 by the end of 2015.

We are already working on additional security features that build upon the content-level encryption enhancements. In 2016, we expect to enable customers to generate and control their own keys for encrypting content in Office 365.

Additional investments going forward

Today’s announcements are just part of our continued investments in security, privacy and compliance capabilities within Office 365.  Recently, we also announced new security controls such as advanced threat protection for email, new Data Loss Prevention capabilities in SharePoint Online and mobile device management for Office 365. Our work is ongoing and you can expect much more from us in this area moving forward. For more information about our trust principles and how we manage security, privacy and compliance, please visit the Office 365 trust center at


Category: News; Office 365
Published: 4/22/2015 16:35