Microsoft 365 isolation controls

Microsoft continuously works to ensure that the multitenant architecture of Microsoft 365 supports enterprise-level security, confidentiality, privacy, data integrity, and availability, and meets local and international standards. The scale and the scope of services provided by Microsoft make it difficult and impractical to manage them through significant human interaction. Microsoft 365 services are provided through globally distributed data centers, each highly automated, with few operations requiring a human touch or any access to customer data. Our staff supports these services and data centers using automated tools and highly secure remote access.

Microsoft 365 is composed of multiple services that provide important business functionality and contribute to the overall experience. Each of these services is self-contained and designed to integrate with one another. Microsoft 365 is designed with the following principles:

Microsoft 365 services interoperate with each other but are designed and implemented so they can be deployed and operated as autonomous services, independent of each other. Microsoft segregates duties and areas of responsibility for Microsoft 365 to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. Microsoft 365 teams have defined roles as part of a comprehensive role-based access control mechanism.

Tenant isolation

One of the primary benefits of cloud computing is the concept of a shared, common infrastructure across numerous customers simultaneously, leading to economies of scale.

The two primary goals of maintaining tenant isolation in a multitenant environment are:

  • Preventing leakage of, or unauthorized access to, customer data across tenants; and
  • Preventing the actions of one tenant from adversely affecting the service for another tenant

Microsoft online services were designed with the assumption that all tenants are potentially hostile to all other tenants, and we have implemented security measures to prevent the actions of one tenant from affecting the security or service of another tenant, or accessing their content.

Multiple forms of protection have been implemented throughout Microsoft 365 to prevent the compromising of services or applications, or gaining unauthorized access to the information of other tenants or the systems themselves, including:

  • Logical isolation of customer data within each tenant for Microsoft 365 services is achieved through Microsoft Entra authorization and role-based access control.
  • Isolation of data at the storage level for services such as SharePoint Online.
  • Microsoft uses rigorous physical security, background screening, and a multi-layered encryption strategy to protect the confidentiality and integrity of customer data. All Microsoft 365 datacenters have biometric access controls, with most requiring palm prints to gain physical access. In addition, all U.S.-based Microsoft employees are required to successfully complete a standard background check as part of the hiring process. For more information on the controls used for administrative access in Microsoft 365, see Microsoft 365 Account Management.
  • Microsoft 365 uses service-side technologies that encrypt customer content at rest and in transit, including BitLocker, per-file encryption, Transport Layer Security (TLS) and Internet Protocol Security (IPsec). For specific details about encryption in Microsoft 365, see Data Encryption Technologies in Microsoft 365.

Together, the protections listed above provide robust logical isolation controls, with threat protection and mitigation equivalent to that of physical isolation alone.
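The two tenant-isolation goals above (no cross-tenant data access, and authorization plus role-based access control as the logical boundary) can be made concrete with a small model. The following is an added illustration, not Microsoft's or Microsoft Entra's implementation: it assumes a caller identity decoded from a token that carries a tenant identifier and a set of roles, a resource that belongs to exactly one tenant, and a store that is keyed by tenant first. The tenant names, role names and permissions are constructed for the example. The point it demonstrates is that the tenant check runs before any role check, so even an "Owner" role in one tenant grants nothing in another, and that a tenant-partitioned lookup is scoped by the caller's tenant rather than by a client-supplied one.

```python
"""Illustrative model of tenant-scoped authorization (added example, not Microsoft's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """Caller identity as decoded from an access token (constructed model)."""
    tenant_id: str          # which tenant issued the token (a 'tid'-style claim)
    object_id: str          # the user or service identity inside that tenant
    roles: frozenset        # roles assigned in the issuing tenant only


@dataclass(frozen=True)
class Resource:
    """A piece of customer content; every resource belongs to exactly one tenant."""
    tenant_id: str
    resource_id: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str             # kept for audit logging of denials


# Hypothetical role-to-permission mapping for the example.
ROLE_PERMISSIONS = {
    "Reader": frozenset({"read"}),
    "Contributor": frozenset({"read", "write"}),
    "Owner": frozenset({"read", "write", "delete"}),
}


def authorize(principal: Principal, resource: Resource, action: str) -> Decision:
    """Tenant boundary first, role-based permission second.

    A role is only meaningful inside the tenant that assigned it, so a
    cross-tenant request is refused before roles are even consulted.
    """
    if principal.tenant_id != resource.tenant_id:
        return Decision(False, "tenant mismatch: roles do not cross tenant boundaries")
    granted = frozenset().union(
        *(ROLE_PERMISSIONS.get(role, frozenset()) for role in principal.roles)
    )
    if action not in granted:
        return Decision(False, f"roles {sorted(principal.roles)} do not grant '{action}'")
    return Decision(True, "tenant match and role grants action")


class TenantPartitionedStore:
    """Records are keyed by (tenant_id, resource_id), so a lookup is always
    scoped to one tenant and cannot return another tenant's row."""

    def __init__(self) -> None:
        self._rows: dict = {}

    def put(self, resource: Resource, payload: str) -> None:
        self._rows[(resource.tenant_id, resource.resource_id)] = payload

    def get(self, principal: Principal, resource_id: str, action: str = "read") -> Optional[str]:
        # The tenant comes from the authenticated principal, never from the
        # request, so a caller cannot name another tenant's partition.
        resource = Resource(principal.tenant_id, resource_id)
        if not authorize(principal, resource, action).allowed:
            return None
        return self._rows.get((resource.tenant_id, resource_id))


def run_demo() -> dict:
    """Constructed scenario: two tenants with a document of the same id each."""
    store = TenantPartitionedStore()
    store.put(Resource("contoso", "doc-1"), "contoso quarterly plan")
    store.put(Resource("fabrikam", "doc-1"), "fabrikam quarterly plan")

    contoso_owner = Principal("contoso", "user-a", frozenset({"Owner"}))
    contoso_reader = Principal("contoso", "user-b", frozenset({"Reader"}))

    return {
        "owner_reads_own": store.get(contoso_owner, "doc-1"),
        "owner_deletes_own": authorize(contoso_owner, Resource("contoso", "doc-1"), "delete").allowed,
        # Same resource id exists in fabrikam, but the owner's roles belong to contoso only.
        "owner_reads_other_tenant": authorize(contoso_owner, Resource("fabrikam", "doc-1"), "read").allowed,
        "reader_writes_own": authorize(contoso_reader, Resource("contoso", "doc-1"), "write").allowed,
        "reader_reads_own": store.get(contoso_reader, "doc-1"),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The ordering inside `authorize` is the design choice worth noting: evaluating the tenant boundary before any role lookup means a misconfigured or overly broad role can never widen the blast radius beyond the tenant that assigned it, and the store's `get` derives the partition key from the authenticated principal so that the tenant check cannot be bypassed by naming a different tenant in the request.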

Resources