Share via


Network security overview

How do Microsoft online services secure the network boundary?

Microsoft online services employ multiple strategies for securing its network boundary, including automated detection and prevention of network-based attacks, specialized firewall devices, and Exchange Online Protection (EOP) for anti-spam and anti-malware protection. In addition, Microsoft online services separate their production environments into logically isolated network segments, with only necessary communication permitted between segments. Network traffic is secured using additional network firewalls at boundary points to help detect, prevent, and mitigate network attacks.

How do Microsoft online services defend against DDoS attacks?

Microsoft's large internet presence insulates it from the negative effects of many distributed denial-of-service (DDoS) attacks. Distributed instances of each Microsoft online service and multiple routes to each service limit the impact of DDoS attacks against the system. This redundancy improves Microsoft online services' ability to absorb DDoS attacks and increases the amount of time available to detect and mitigate DDoS attacks before they impact service availability.

In addition to Microsoft's redundant system architecture, Microsoft uses sophisticated detection and mitigation tools to respond to DDoS attacks. Special-purpose firewalls monitor and drop unwanted traffic before it crosses the boundary into the network, reducing stress on systems located inside the network boundary. To further protect our cloud services, Microsoft utilizes a DDoS defense system deployed as part of Microsoft Azure. The Azure DDoS defense system is designed to withstand attacks from the outside and from other Azure tenants.

Microsoft's online services are regularly audited for compliance with external regulations and certifications. Refer to the following table for validation of controls related to network security.

Azure and Dynamics 365

External audits Section Latest report date
SOC 1
SOC 2
SOC 3
VM-1: Security event logging
VM-3: Intrusion detection and monitoring
VM-4: Malicious events investigation
VM-6: Vulnerability scanning
VM-7: Network device configuration
VM-8: Penetration testing
VM-9: Network device security event logging
VM-13: Network device vulnerability mitigation
May 20, 2024

Microsoft 365

External audits Section Latest report date
FedRAMP (Office 365) SC-5: Denial of service protection
SC-7: Boundary protection
SI-2: Flaw remediation
SI-3: Malicious code protection
SI-8: Spam protection
July 31, 2023
SOC 1 CA-27: Vulnerability Scanning January 23, 2024
SOC 2 CA-27: Vulnerability Scanning
CA-45: Anti-malware
January 23, 2024