Security and Compliance in Microsoft Office 365


Microsoft Office 365 is a popular cloud service from Microsoft and the clear market leader ahead of Google G-Suite, Apple iWork and Zoho Office Suite. Office 365 is often referred to as a classic example of a Software-as-a-Service offering for businesses. It is a comprehensive suite of applications that includes the classics Outlook, Word, Excel and PowerPoint as well as the cloud storage OneDrive for Business and collaboration tools such as SharePoint and Microsoft Teams.

In 2017, for the first time, Microsoft made more money with O365 than with Microsoft Exchange – a clear sign of how strong the demand for the cloud has become and where the future lies.

Despite the strong demand for Office 365, there are good reasons to address Office 365 security and compliance issues:

  • Headlines about successful cyberattacks on Office 365 accounts are increasing (e.g. ransomware and phishing attacks)
  • Compliance and data protection requirements are changing (see GDPR) and at the same time more and more sensitive data is being moved to the cloud
  • The data in Office 365 is increasingly accessed with mobile devices

In the paragraphs that follow, I’d like to discuss what Microsoft does to keep your information secure in Office 365, the security tools that are provided to you, and the responsibilities that you have to protect your data and users and be compliant.

Microsoft’s security measures for Office 365

With SaaS services, many security responsibilities lie with the cloud provider. The exact degree to which security responsibilities in SaaS delivery models are shared between the cloud provider and the customer can be seen in the so-called shared responsibility model, which I have already presented in a previous blog article

Microsoft describes its basic security measures on three levels as follows:

Physical layer: data centre and network security

  • The Office 365 data centres have very strict physical access controls (e.g. biometric scanners, 24/7 security and video surveillance)
  • Special structural measures were taken to survive natural disasters, such as earthquakes or fire
  • Perimeter protection is very high due to controlled devices at the network edge
  • The communication with the internal networks is reduced to a minimum
  • All unnecessary ports and protocols are blocked
  • Critical back-end servers are physically separated from the network

Logical layer: security of host machines and applications

  • Host servers are mainly managed automatically to minimize human error
  • For personnel with access to host machines, background checks are performed without exception
  • For administrators, there are fine-grained access controls in place
  • Work on host machines is fully documented and audited
  • Anti-malware software is used across the board
  • There is a strict change management process for all changes in the production environment

Data layer: data security in a multi-tenant environment

  • Your organization is the sole owner of a specific cloud instance of the O365 cloud service (so-called tenant)
  • Tenants are independent containers between which there is no connection
  • The Azure Active Directory isolates customer data and identity information from mixing

Security features in the hands of the customer

Office 365 is equipped with a variety of security features that allow you to individually control the security and compliance of your Office 365 tenant. Here I have summarized the most important ones for you:

Data integrity and encryption in O365

Rights Management Service (RMS)RMS allows you to protect files and email across multiple devices, inside and outside your organization using encryption, identity and authorization policies. This enables you to solve many business challenges, such as ensuring that confidential documents like a financial report can only be shared between members of the finance department and management team.
Secure Multipurpose Internet Mail Extension (S/MIME)S/MIME enables users to use public-key email encryption and digital signatures.
Office 365 Message Encryption (OME)OME encrypts messages sent to internal or external recipients. It allows your users to send encrypted messages to any e-mail address.
Anti-malware/anti-spam controlsOffice 365 has built-in malware and spam filters for all mailboxes hosted in Microsoft Exchange. Administrators have control over filter settings

End-user access control in O365

Single-Sign-On SecurityAzure Active Directory can connect to the local Active Directory or other directory stores, allowing users to authenticate as usual.
Multi-Factor-Authentication (MFA)Office 365 has a built-in multi-factor authentication solution with SMS notification, phone call or notification on your app.
Mobile Device Management (MDM)Mobile Device Management for Office 365 lets you secure and manage mobile devices used by your users. If lost or stolen, they can be remotely deleted.

Compliance controls in O365

Data Loss Prevention (DLP)DLP scans your services in Office 365 and detects sensitive data, such as credit card numbers to make your users aware of risks or even to block content from being sent.
Auditing and Retention PoliciesAs part of information management, auditing policies provide insight into how information is used in the organization. With tags and retention policies, emails and documents can be classified and retained for specified periods.
eDiscoveryeDiscovery is used to preserve evidence in case of legal proceedings. With this service, you can identify, secure and export your users’ information across a variety of O365 services.

Additional security by using a Cloud Access Security Broker

Despite the multitude of security and compliance functions of Office 365, the use of a so-called Cloud Access Security Broker (CASB) is recommended. CASBs is software that sits between users and Office 365 applications and monitors, logs and controls data flows. This enables you to extend your internal IT security policies to Office 365 applications in the cloud.


In the future, there will be no way around cloud-based office software such as Office 365.  After all, it will make your business more collaborative, mobile, and therefore more productive. If you decide to consume the Office 365 applications as a Service over the Internet and thus outsource many responsibilities to Microsoft, it is nevertheless imperative to manage your tenant properly to protect your data and users in the best possible way. You are well-advised to bring onboard experts who have an Office 365 security concept that is based on international cloud security standards. Please contact us if you need assistance with your Office 365 implementation project.

Picture of Dennis Kionga

Dennis Kionga


Dennis is managing director at Cloud Cape, an IT services company that implements and operates future-proof IT security and cloud solutions. Previously, he worked as Business Development Manager in the Lufthansa Group, where he took responsibility for the global sales of outsourcing solutions for airlines. He completed his studies at the University of Mannheim and earned a Master of Laws (LL.M.) and a postgraduate certificate in project management from the University of Cape Town. During his career he had longer stays abroad in Portugal, the Czech Republic and South Africa.


Public Cloud Services

Picture of Dennis Kionga

Dennis Kionga


Über Cloud Cape

We help companies create transparency in their own IT landscape and accompany them on the path to secure digital transformation. As a ‘cloud-first’ company, we specialize in cloud solutions and cloud security.

Follow us