Data Protection – Service Level information and Public resources

Published May 23 2021 11:03 AM 33 Views

I have engaged with many clients on the subject of data protection.  Generally this is an ask regarding a specific workload but it becomes clear quickly that it is really a more holistic need for a multi layered solution.  The below is a list of resources I have complied that were the most useful to clients to answer general questions around data protection in M365.


Service Trust Portal


Microsoft has extensive documentation in the Service Trust Portal under Privacy.  The Online Services Data Protection Addendum (DPA), Online Services Terms (OST) and HIPAA Business Associate Agreement (BAA) are all discussed in depth.

Trust DocumentsData Protection

Contains information about how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization.  The portal includes whitepapers and guides to assist an organization in meeting regulatory compliance and design solutions in a way to protect their data.  Some examples of these documents are below:











Of note is the ‘Data Classification and Security Label Taxonomy’, this document was published by the AIP Product Group to help a client organization form a design approach to designing a label taxonomy.


Microsoft cloud IT architecture resources – (infographics)

Microsoft Cloud Security Architecture (PDF Download)

The security of your Microsoft cloud services is a partnership between you and Microsoft. What IT architects need to know about security and trust in Microsoft cloud services and platforms.


Office 365 Information Protection for GDPR (PDF Download)

This solution demonstrates how to protect sensitive data that is stored in Office 365 services. It includes prescriptive recommendations for discovering, classifying, protecting, and monitoring personal data. This solution uses General Data Protection Regulation (GDPR) as an example, but you can apply the same process to achieve compliance with many other regulations.


File Protection Solutions in Office 365 (PDF Download) <- my personal favorite as the most useful

O365 provides a range of capabilities to protect your data. This document describes capabilities for protecting files so you can choose the best options to protect your organization s data


Cybersecurity Reference Architecture (MCRA)

The Microsoft Cybersecurity Reference Architecture describes Microsoft’s cybersecurity capabilities and how they integrate with existing security architectures and capabilities.


Configure Teams with three tiers of protection

This article provides recommendations for configuring SharePoint Online team sites and file protection that balances security with ease of collaboration. This article defines four different configurations, starting with a public site within your organization with the most open sharing policies. Each additional configuration represents a meaningful step up in protection, but the ability to access and collaborate on resources is reduced to the relevant set of users. Use these recommendations as a starting point and adjust the configurations to meet the needs of your organization.

The configurations in this article align with Microsoft's recommendations for three tiers of protection for data, identities, and devices:

  • Baseline protection
  • Sensitive protection
  • Highly confidential protection

Policy recommendations for securing SharePoint sites and files

This article describes how to implement the recommended identity and device-access policies to protect SharePoint Online and OneDrive for Business. This guidance builds on the Common identity and device access policies.

SharePoint Online External Sharing overview

The external sharing features of Microsoft SharePoint let users in your organization share content with people outside the organization (such as partners, vendors, clients, or customers). You can also use external sharing to share between licensed users on multiple Microsoft 365 subscriptions if your organization has more than one subscription. Planning for external sharing should be included as part of your overall permissions planning for SharePoint in Microsoft 365. This article describes what happens when users share, depending on what they're sharing and with whom.

Azure Information Protection Deployment Acceleration Guide

The Information Protection Customer Experience Engineering Team has developed this guide to assist customers with the acceleration of AIP from a business perspective.  While there is a fair amount of reference to technical details in this document, it is not intended to be an end-to-end project plan for full deployment. Rather, it is a guide to help business decision makers and IT implementers understand the best ways to deploy Azure Information Protection and to avoid mistakes that could cause delays in rollout.

Azure Information Protection End User Adoption Guide (PDF Download)

Deploying a Classification and Labeling solution is often as much a PR effort as it is a technical effort.  This guide is designed to help create an adoption success plan which includes consideration of the end-to-end information protection process to create organization preparation for deployment including  developing a communication and awareness plan for end users to identifying power users who can help end users in adopting best practices for information protection. Document includes sample FAQ’s, client notification emails and a suggest T minus plan for communication.

Azure Information Protection documentation

Control and help secure email, documents, and sensitive data inside and outside your company walls. From easy classification to embedded labels and permissions, enhance data protection at all times with Azure Information Protection, no matter where it's stored or who it's shared with.

Protecting files in the cloud with Azure Information Protection – IT Showcase Microsoft Case Study

Microsoft migrated from Active Directory Rights Management Services to Azure Rights Management, the protection technology used by Azure Information Protection. Azure Information Protection uses encryption, identity, and authorization policies in Azure Rights Management to help secure files and email in the cloud. It enables protected sharing in Office 365 on a variety of platforms including Windows, Mac OS, iOS, and Android.

3 strategies for building an information protection program – MS Case Study

Data protection and tools and Microsoft best practices from internal roll out

Security and Microsoft Teams

Microsoft Teams, as part of the Microsoft 365 and Office 365 services, follows all the security best practices and procedures such as service-level security through defense-in-depth, customer controls within the service, security hardening and operational best practices




Additional Resources:

2020 Ignite Information Protection Related Sessions:


Ignite 2019

80+ Sessions on Information Protection, top 5 recommended:

2017 Ignite


Microsoft Information Protection and Compliance Webinar Page

Here you will find details of our upcoming webinars as well as resources (recorded sessions and uploaded decks) for past webinars. This page is updated often.

Additional Information II:

This is extra info that is not necessarily critical path but it is a good sampling of available info that might be of interest.  They include Insider Risk and also discussion about the AIP superuser role which you would use to allow a 3rd party email gateway (as an example) to open and inspect AIP protected data.


Advanced MIP features:

Version history
Last update:
‎May 23 2021 11:03 AM
Updated by: