With Microsoft, you are the owner of your customer data. We use your customer data only to provide the services we have agreed upon, and for purposes that are compatible with providing those services. We do not share your data with our advertiser-supported services, nor do we mine it for marketing or advertising. And if you leave our services, we take the necessary steps to ensure your continued ownership of your data.
When you create content in Microsoft Office 365 or import content into Office 365, what happens to it? The answer is best given as an illustration using a fictitious customer, Woodgrove Bank (WB).
WB just purchased Office 365, and they are planning on using Exchange Online, SharePoint Online, and Skype for Business. They will initially configure a hybrid configuration for Exchange Online and will migrate Exchange mailboxes first. Then, they will upload their document libraries to SharePoint Online.
WB begins their cloud migration by choosing the appropriate network configuration for their organization. After their network design has been chosen and implemented, they configure a hybrid environment with Office 365. This is the first time that customer data is touched by any Microsoft cloud service (specifically, at this point WB can optionally synchronize their internal Active Directory with Azure Active Directory).
WB has decided to migrate the data using the online mailbox move process. The Exchange data migration is started by running the Online Move Mailbox Wizard. The mailbox move process is as follows:
- The Exchange Online Mailbox Replication Service (MRS) connects securely to the customer's on-premises Exchange server running client access services.
- MRS asynchronously transfers the mailbox data via HTTPS to a client access front-end (CAFÉ) server in Office 365.
- The CAFÉ server transfers the data via HTTPS to the Store Driver on a Mailbox server in a database availability group in the appropriate datacenter.
As with all Exchange Online servers, the transferred mailbox data is stored in a mailbox database which is hosted on a BitLocker-encrypted storage volume. Once the contents of a mailbox have been completely copied to a new mailbox in Exchange Online, the original (source) mailbox is soft-deleted, the user's Active Directory security principle is updated to reflect the new mailbox location, and the user is redirected to communicate with Office 365 for all mailbox access. Had WB opted for a PST migration, the data would have also been encrypted prior to ingestion.
During the mailbox data transfer and upon completion, an audit trail of the mailbox move is logged on servers in both the source on-premises Exchange organization and on servers in Office 365. MRS will also produce a report of the mailbox move and its statistics.
Once WB’s data is stored in a mailbox in Exchange Online, it will be replicated and indexed and sitting at rest in an encrypted state, with access control limited to the designated user and anyone else granted permission by WB’s administrator.
Next, WB wants to upload some documents to SharePoint Online. The process starts by creating one or more sites in SharePoint Online to hold the documents. All client communication with SharePoint Online is done via HTTP secured with TLS. When uploading one or more documents to SharePoint Online, the documents are transmitted using standard HTTP PUT with TLS 1.2 encryption used between the client and SharePoint Online server. Once the document has been received by the SharePoint Online server, it is stored in an encrypted state. The document is then replicated to another local server and to remote servers, where it is also stored in an encrypted state.
Next, WB wants to upload some documents to OneDrive for Business. The process begins by opening the OneDrive for Business folder on the client and copying the files into the folder. Once the files have been copied, a synchronization process copies the data to the user's cloud-based OneDrive for Business folder.
Once the document has been received by the OneDrive for Business server, it is stored in an encrypted state. The documents are then replicated to another local server and to remote servers, where they are also stored in an encrypted state.
At this point, WB has on-boarded to Exchange Online and SharePoint Online, and now want to start using Skype for Business for online meetings and other features. Occasionally, meeting participants will upload files to the meeting for sharing. When a file is uploaded to Skype for Business, it is transferred from the client to the Skype for Business server using encrypted communications. Once the document has been uploaded to the Skype for Business server, it is stored in an encrypted state.
As part of our ongoing transparency efforts, and to help you fully understand how your data is processed and protected in Office 365, we have published a library of whitepapers that describe various architectural and technological aspects of our service. These whitepapers, along with other content, are aligned to things that we do with customer data.
Going back to the example, WB’s data (like all tenant data in our multi-tenant environment) is:
- Isolated logically from other tenants
- Accessible to a limited, controlled, and secured set of users, from specific clients:
- Encrypted in-transit and at-rest
- Secured for access using RBAC-based access controls
- Replicated to multiple servers, storage endpoints and datacenters for redundancy
- Protected against network (DoS, etc.), phishing, and other attacks
- Monitored for unauthorized access, excessive resource consumption, availability
- Audited for activities, such as view, copy, modify, and delete
- Indexed for faster access and eDiscovery tools and processes
Each of the above links will take you to content in our Office 365 risk assurance documentation library that describes things like how we isolate one tenant’s data from another’s, how we encrypt and replicate your data, and how your data is protected against and monitored for unauthorized access. All the documents in our library are living documents that are updated as needed. The aka.ms URL won't change, so you'll always be able to download the latest version using the same URL.
We welcome your input and feedback on these documents, and any other topics you would like us to consider publishing. You can reach us directly at cxprad@microsoft.com.
-Scott
