Microsoft 365 encryption capabilities for Australian Government

This article provides an overview of Microsoft 365 encryption capabilities relevant to Australian Government organizations. Its purpose is to help government organizations increase their data security maturity while adhering to the requirements outlined in the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM).

Encryption is an important part of your information protection strategy and needs to be understood in order to ensure that data is adequately protected. Microsoft 365 employs multiple layers of encryption. Some of these are innate, such as BitLocker encryption in Microsoft datacenters and SSL/TLS encryption for communications between clients and servers. Other encryption capabilities can be enabled by administrators to further extend protection.

Australian Government encryption requirements

The PSPF includes requirements for the encryption of information during transmission. These requirements can be found in section 9.3 of the PSPF. A subset of these requirements is:

| Classification | Requirements |
| --- | --- |
| PROTECTED | Use a PROTECTED (or higher) network; otherwise encryption is required. |
| OFFICIAL: Sensitive | Use an OFFICIAL: Sensitive (or higher) network. Encrypt if transferred over public network infrastructure or through unsecured spaces. |
| OFFICIAL | Encryption recommended, particularly for information communicated over public network infrastructure. |

Microsoft 365 services provide encryption for data at rest in Microsoft 365 platforms and in transit between Microsoft 365 and endpoints by default. These default configurations use Advanced Encryption Standard (AES) with 256-bit key length in Cipher Block Chaining mode (AES256-CBC). These capabilities are in line with the following ISM requirement:

| Requirement | Detail |
| --- | --- |
| ISM Security Control: ISM-1769 (ISM March 2025) | When using AES for encryption, AES-128, AES-192 or AES-256 is used, preferably AES-256. |

For more information on the cryptography used by Microsoft 365, see Encryption.

Extending encryption capabilities

Optional methods that Australian Government organizations can use to extend Microsoft 365's default encryption capabilities include:

  • Enforcing Transport Layer Security (TLS) for security classified email
  • Applying Azure Rights Management encryption to files and email
  • Encrypting email with Microsoft Purview Message Encryption

The following table describes the optional methods of extending Microsoft 365's innate encryption capabilities, along with links to relevant sections of this guide:

Requirement category: Encryption during transmission
Methods of achieving:

- TLS encryption is applied to files and emails in Microsoft 365 during transmission, as well as during interactions between client devices and Microsoft 365 services. However, for email transmission TLS is opportunistic, not enforced: if both the sending and receiving email platforms support TLS, the email is transferred securely, but if the recipient's email service doesn't support TLS, the email might be sent unencrypted, with a higher risk of content interception. Enforcing TLS encryption for security classified email lets us configure Exchange so that security classified items aren't sent when the receiving server doesn't support TLS encryption.

- Sensitivity label encryption can be configured to apply to both files and emails. Once an item is encrypted, it remains encrypted during transmission, so transmission encryption requirements are met.

- Microsoft Purview Message Encryption (PME) allows rules to be created that apply encryption to email and attachments during transmission. This encryption is seamless for email between Microsoft 365 environments and extends protection to non-Microsoft email platforms by directing recipients to a custom-branded encryption portal.

Requirement category: Ensure need-to-know
Methods of achieving:

- Sensitivity label encryption allows the users or groups who can access encrypted information to be configured, so need-to-know can be better controlled by blocking unauthorized user access. Label encryption also applies permissions to items, including the ability to restrict printing, which further limits how information can be accessed.

- Microsoft Purview Message Encryption ensures that only specified recipients can open encrypted emails and their attachments.

Requirement category: Ensure security clearance
Methods of achieving:

- Sensitivity label encryption allows the ability to access encrypted items to be tied to security groups. These groups can be populated, either manually or dynamically, with only those users who hold appropriate security clearances. This approach can also be extended to guest users: guests whose clearances have been assessed can be included in a group of authorized users.
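As an added example (not from the original article), the following Exchange Online PowerShell creates a mail flow rule that requires TLS for outbound email carrying a security classification marking, so that such items are not delivered over an unencrypted connection when the receiving server cannot negotiate TLS. It assumes an existing Connect-ExchangeOnline session and that the classification is carried in the X-Protective-Marking header; the rule name and marking strings are constructed for illustration.

```powershell
# Added example, not part of the original article.
# Assumes Connect-ExchangeOnline has already been run for the tenant.

$ruleName      = 'Require TLS for security classified email'   # constructed name
$markingHeader = 'X-Protective-Marking'                          # assumed header carrying the PSPF marking
$markings      = @('SEC=PROTECTED', 'SEC=OFFICIAL:Sensitive')   # constructed marking values

# Create the rule only if it does not already exist, so the script is safe to re-run.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -HeaderContainsMessageHeader $markingHeader `
        -HeaderContainsWords $markings `
        -RouteMessageOutboundRequireTls $true `
        -Priority 0 `
        -Mode Enforce `
        -Comments 'PSPF 9.3: classified items must not be sent to servers that do not support TLS'
}

# Verify that the rule is enabled and carries the TLS requirement.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, Mode, RouteMessageOutboundRequireTls, HeaderContainsWords
```

With this rule in place, delivery of a marked message to a server that cannot negotiate TLS does not fall back to opportunistic cleartext delivery; monitor the queue and non-delivery reports for such messages so that recipients who cannot receive TLS are identified and handled through another encrypted channel.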

The remaining articles in this section, TLS encryption and Sensitivity label encryption, further explore the implementation of these capabilities.