Encryption is an important part of your file protection and information protection strategy. This article provides an overview of encryption for Microsoft 365. Get help with encryption tasks like how to set up encryption for your organization and how to password-protect Microsoft 365 documents.
For information about certificates and technologies like TLS, see Technical reference details about encryption in Microsoft 365.
For an overview of how to configure or set up encryption for your organization, see Set up encryption in Microsoft 365 Enterprise.
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
What is encryption, and how does it work in Microsoft 365?
The encryption process encodes your data (referred to as plaintext) into ciphertext. Unlike plaintext, ciphertext can't be used by people or computers unless and until the ciphertext is decrypted. Decryption requires an encryption key that only authorized users have. Encryption helps ensure that only authorized recipients can decrypt your content. Content includes files, email messages, calendar entries, and so on.
Encryption by itself doesn't prevent content interception. Encryption is part of a larger information protection strategy for your organization. By using encryption, you help ensure that only authorized parties can use the encrypted data.
You can have multiple layers of encryption in place at the same time. For example, you can encrypt email messages and also the communication channels through which your email flows. With Microsoft 365, your data is encrypted at rest and in transit, using several strong encryption protocols, and technologies that include Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPSec), and Advanced Encryption Standard (AES).
Encryption for data at rest and data in transit
Examples of data at rest include files that you've uploaded to a SharePoint library, Project Online data, documents that you've uploaded in a Skype for Business meeting, email messages and attachments that you've stored in folders in your mailbox, and files you've uploaded to OneDrive for Business.
Examples of data in transit include mail messages that are in the process of being delivered, or conversations that are taking place in an online meeting. In Microsoft 365, data is in transit whenever a user's device is communicating with a Microsoft server, or when a Microsoft server is communicating with another server.
With Microsoft 365, multiple layers and kinds of encryption work together to secure your data. The following table includes some examples, with links to additional information.
|Kinds of Content||Encryption Technologies||Resources to learn more|
|Files on a device. These files can include email messages saved in a folder, documents saved on a computer, tablet, or phone, or data saved to the Microsoft cloud.||BitLocker in Microsoft data centers. BitLocker can also be used on client machines, such as Windows computers and tablets
Distributed Key Manager (DKM) in Microsoft data centers
Customer Key for Microsoft 365
|Windows IT Center: BitLocker
Microsoft Trust Center: Encryption
Cloud security controls series: Encrypting Data at Rest
How Exchange Online secures your email secrets
Service encryption with Customer Key
|Files in transit between users. These files can include Microsoft 365 documents or SharePoint list items shared between users.||TLS for files in transit||Data Encryption in OneDrive for Business and SharePoint Online
Skype for Business Online: Security and Archiving
|Email in transit between recipients. This email includes email hosted by Exchange Online.||Microsoft Purview Message Encryption with Azure Rights Management, S/MIME, and TLS for email in transit||Message Encryption
Email encryption in Microsoft 365
How Exchange Online uses TLS to secure email connections in Microsoft 365
|Chats, messages, and files in transit between recipients using Microsoft Teams.||Teams uses TLS and MTLS to encrypt instant messages. Media traffic is encrypted using Secure RTP (SRTP). Teams uses FIPS (Federal Information Processing Standard) compliant algorithms for encryption key exchanges.||Encryption for Teams|
Microsoft 365 Crypto Update
In late August 2023, Microsoft Purview Information Protection will begin to use Advanced Encryption Standard (AES) with 256-bit key length in Cipher Block Chaining mode (AES256-CBC). By October 2023, AES256-CBC will be the default for encryption of Microsoft 365 Apps documents and emails. You may need to take action to support this change in your organization. For more information, see Technical reference details about encryption.
What if I need more control over encryption to meet security and compliance requirements?
Microsoft 365 provides Microsoft-managed solutions for volume encryption, file encryption, and mailbox encryption in Microsoft 365. In addition, Microsoft provides encryption solutions that you can manage and control. These encryption solutions are built on Azure.
To learn more, see the following resources:
How do I...
|To do this task||See these resources|
|Set up encryption for my organization||Set up encryption in Microsoft 365 Enterprise|
|View details about certificates, technologies, and TLS cipher suites||Technical details about encryption|
|Work with encrypted messages on a mobile device||View encrypted messages on your Android deviceView encrypted messages on your iPhone or iPad|
|Encrypt a document using password protection. (Password protection isn't supported in a browser. Use desktop versions of Word, Excel, and PowerPoint for password protection.)||Add or remove protection in your document, workbook, or presentation. Choose an Add protection section, and then see Encrypt with Password.|
|Remove encryption from a document||Add or remove protection in your document, workbook, or presentation. Choose a Remove protection section, and then see Remove password encryption.|