Customer Data Confidentiality in Microsoft Office 365

By Jeff Lanham| July 21, 2015

As more organizations consider moving some (or all) of their information technology out of their own datacenters or “closets” into Microsoft's cloud services – Office 365 and Azure, there are a host of considerations that need to be addressed. From a functional perspective, Exchange Online, SharePoint Online, and the rest of the back-end products in the Office 365 suite are continually improving, and many of the technical caveats have been addressed. Microsoft is truly making good on their “cloud first” promise, and for some time now, enhancements to Exchange, SharePoint, and other suite products are being rolled out to Office 365 Online before they are even made available for on-premises deployments.

The Last Frontier

For many types of organizations, the legal, compliance, security, and confidentiality issues are the “last frontier.” Even if you believe that Microsoft's cloud offering has the functional and technical capabilities to meet your needs, you still have to trust that Microsoft will keep your data safe, secure and confidential, not just hackers and terrorists, but also from the government and even Microsoft itself. To its credit, Microsoft has been doing a better job of opening up about key aspects of its Office 365 solutions, and the Office 365 Trust Center is a great resource for understanding how your data will be protected. In most cases, your ‘company jewels’ will be safer and more secure in the Microsoft cloud than they would be on your own internal servers, and that is good enough for many types of organizations.

But what about scenarios where you need absolute assurance that no unauthorized parties (including Microsoft support engineers) will have access to your most sensitive data? Law firms are a good example: confidential documents and correspondence are subject to “attorney-client privilege,” and disclosure to anyone (including Microsoft support engineers) constitutes a “breach of privilege” that can have significant negative consequences for both client and attorney. Does Office 365 provide the level of confidentiality required to support such scenarios?

New Tools for Managing Sensitive Data

The answer is: almost, but not quite yet. While your customer data is encrypted in Office 365, and there is a robust lockbox process in place that ensures no one at Microsoft has open access to your data, you still can't be entirely sure when or why it's being accessed. The good news is that new capabilities are coming to Office 365 that will ensure fully-compliant privacy and confidentiality of your sensitive data. Microsoft recently announced Customer Lockbox, which will provide customers with the ability to explicitly approve or reject any request for access to their data, whether for support purposes or whatever. Additionally, the Enhancing transparency and control for Office 365 customers blog article indicates that, in 2016, Microsoft expects to enable customers to generate and control their own keys for encrypting content in Office 365. Finally, the new Office 365 Management Activity API will enable custom reports and push notifications for customer data access events.


Microsoft is clearly taking the need to provide maximum security, confidentiality and transparency for its customers' sensitive data in Office 365 seriously. If you have previously written off Office 365 due to privacy concerns, it might be time to reconsider. As always, BDO Digital stands ready to help you evaluate Office 365 (and many other potential options), so you can make the best decisions about what's right for your business, now and in the future.

Leveraging opportunities in the cloud