Examine how Microsoft 365 Copilot uses Microsoft 365 isolation and access controls
The prior training unit identified access controls and tenant isolation as two key forms of data protection that apply to Microsoft 365 Copilot as well as to Microsoft 365 itself. Copilot enforces access control by retrieving only content that the signed-in user already has at least View permission to in Microsoft 365 services such as SharePoint, OneDrive, and Teams. It inherits the user's existing permissions rather than granting new ones, so content that is overshared within a tenant is reachable through Copilot exactly as it is reachable directly. For tenant isolation, Microsoft works continuously to ensure that the multitenant architecture of its cloud services meets enterprise-level standards for security, confidentiality, privacy, integrity, and availability. This training unit takes a closer look at how Microsoft 365 and Microsoft 365 Copilot apply access controls and tenant isolation.
Microsoft 365 multitenant architecture
One of the primary benefits of cloud computing is a shared, common infrastructure that serves numerous customers simultaneously, which yields economies of scale. At the scale and scope at which Microsoft operates, managing Microsoft 365 through significant human interaction would be impractical and uneconomical. Microsoft delivers Microsoft 365 services from globally distributed data centers. Each data center is highly automated, and few operations require a human touch or any access to customer data. Microsoft staff support these services and data centers through automated tools and highly secure remote access.
Microsoft 365 includes multiple services that provide important business functionality and contribute to the entire Microsoft 365 experience, including Microsoft 365 Copilot. Each of these services is self-contained and designed to integrate with one another. The Microsoft 365 design is based on the following principles:
Service-oriented architecture. Designing and developing software in the form of interoperable services providing well-defined business functionality.
Operational security assurance. A framework that incorporates the knowledge gained through various capabilities that are unique to Microsoft, including:
- Microsoft Security Development Lifecycle.
- Microsoft Security Response Center.
- Deep awareness of the cybersecurity threat landscape.
Microsoft 365 services interoperate with each other, but Microsoft designed them so that organizations can deploy and operate each one as an autonomous service, independent of the others. Microsoft segregates duties and areas of responsibility within Microsoft 365 to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. Microsoft 365 teams work in defined roles as part of a comprehensive role-based access control mechanism.
Tenant isolation
Microsoft implements security measures to prevent the actions of one tenant from affecting the security or service of another tenant, or from reaching another tenant's content. The industry term for keeping tenants separated in this way is tenant isolation: the logical separation of each customer's data and services within the Microsoft 365 multitenant architecture. The two primary goals of maintaining tenant isolation in a multitenant environment are:
- Preventing leakage of, or unauthorized access to, customer data across tenants.
- Preventing the actions of one tenant from adversely affecting the service for another tenant.
Some key aspects of Microsoft 365 tenant isolation include:
Separate infrastructure. Each tenant is assigned its own logically isolated partition of the shared Azure infrastructure that hosts core services such as Exchange Online and SharePoint Online, so separation begins at the foundational level.
Data segregation. Database schema, encryption, and access control mechanisms keep customer data logically separate. Microsoft doesn't share data across tenants.
Authentication boundaries. Users can access only their own tenant, and their credentials are verified against Microsoft Entra ID; a token issued for one tenant is not valid in another. This design prevents cross-tenant access.
Note
Azure Active Directory (Azure AD) is now Microsoft Entra ID.
Service customization. Settings, configurations, and customization apply only to the specific tenant. Tenants can't impact each other's environments.
Compliance controls. Microsoft compliance certifications and controls like data encryption apply at the individual tenant level.
Monitoring and diagnostics. Microsoft isolates tenant analytics and logs to provide visibility only into a customer's own data and service usage.
Regular validation. Microsoft employs audits, penetration testing, and strict access reviews to continually validate tenant isolation protections.
Tenant isolation enables customers to securely customize Microsoft 365. They can do so knowing their company data and settings remain separate from other organizations on the shared infrastructure.
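The authentication boundary described above is enforced on the service side by Microsoft, but an application that accepts Microsoft Entra ID tokens has the same boundary to enforce for itself: it must reject a token whose tenant ID (`tid`) is not one it serves, and a token whose issuer (`iss`) names a different tenant than its `tid`. The following Python is an added example written for this page, not code from Microsoft or from the training module. The tenant IDs, audience, and allow-list are constructed for the example, and the HMAC signature check is a stand-in for the RS256 verification against the tenant's published signing keys that a real token requires; the claim checks are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example: made-up tenant IDs and a hypothetical
# single-tenant app that should only ever accept tokens from HOME_TENANT.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
ALLOWED_TENANTS = {HOME_TENANT}
EXPECTED_AUDIENCE = "api://contoso-line-of-business-app"  # hypothetical app ID URI

# Stand-in signing key. Real Entra ID tokens are RS256-signed and must be verified
# against the tenant's JWKS; HMAC is used here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWT (header.payload.signature) for the constructed cases."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Verify the signature, then enforce the tenant boundary on the claims.

    Returns the claims on success; raises ValueError naming the failed check.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))

    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("audience mismatch")
    tid = claims.get("tid")
    if tid not in ALLOWED_TENANTS:
        raise ValueError(f"tenant {tid} is not allowed")
    # A v2.0 Entra issuer carries the tenant ID. A token whose iss names one tenant
    # but whose tid claims another crosses the boundary and must be rejected.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise ValueError("issuer does not match tid")
    return claims


def check(token: str, now: Optional[float] = None) -> str:
    """Human-readable verdict, so each rejection reason is visible."""
    try:
        validate_token(token, now=now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def sample_tokens(now: float) -> dict:
    """Constructed tokens covering the cases the tenant boundary must handle."""
    base = {"aud": EXPECTED_AUDIENCE, "exp": now + 600, "sub": "user-1"}
    iss = "https://login.microsoftonline.com/{}/v2.0"
    return {
        "home": make_token({**base, "tid": HOME_TENANT, "iss": iss.format(HOME_TENANT)}),
        "other_tenant": make_token({**base, "tid": OTHER_TENANT, "iss": iss.format(OTHER_TENANT)}),
        "iss_tid_mismatch": make_token({**base, "tid": HOME_TENANT, "iss": iss.format(OTHER_TENANT)}),
        "forged": make_token({**base, "tid": HOME_TENANT, "iss": iss.format(HOME_TENANT)},
                             key=b"attacker-key"),
    }


if __name__ == "__main__":
    now = time.time()
    for name, tok in sample_tokens(now).items():
        print(f"{name:18} {check(tok, now=now)}")
```

The order of the checks matters: the signature is verified before any claim is read, so an attacker cannot steer the validator by editing `tid` or `iss` in an unsigned payload, and the `tid` allow-list is consulted before the issuer comparison, so a token from an unexpected tenant is rejected even if its issuer is internally consistent.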
Microsoft implements multiple forms of protection throughout Microsoft 365 to prevent customers from compromising Microsoft 365 services and applications, and from gaining unauthorized access to the information of other tenants or to the Microsoft 365 system itself. The following protections are a sample of the isolation controls found in Microsoft 365:
- Logical isolation of customer data within each tenant is achieved through Microsoft Entra authorization and role-based access control.
- SharePoint Online provides data isolation mechanisms at the storage level.
- Microsoft uses rigorous physical security, background screening, and a multi-layered encryption strategy to protect the confidentiality and integrity of customer data. All Microsoft 365 datacenters have biometric access controls, with most requiring palm prints to gain physical access. In addition, all U.S.-based Microsoft employees must successfully complete a standard background check as part of the hiring process. For more information on the controls used for administrative access in Microsoft 365, see Microsoft 365 Account Management.
- Microsoft 365 uses service-side technologies that encrypt customer data at rest and in transit, including BitLocker, Transport Layer Security (TLS), and Internet Protocol Security (IPsec). For specific details about encryption in Microsoft 365, see Data Encryption Technologies in Microsoft 365.
Together, these protections provide robust logical isolation controls that provide threat protection and mitigation equivalent to that provided by physical isolation alone.
Data isolation and access control
Microsoft Entra ID and Microsoft 365 use a highly complex data model that spans tens of services, hundreds of entities, thousands of relationships, and tens of thousands of attributes. At a high level, Microsoft Entra ID and the service directories are the containers for tenants and recipients, kept in sync through state-based replication protocols. In addition to the directory information held in Microsoft Entra ID, each service workload has its own directory services infrastructure, as shown in the following diagram.
Within this model, there’s no single source of directory data. Specific systems own individual pieces of data, but no single system holds all the data. Microsoft 365 services cooperate with Microsoft Entra ID in this data model. Microsoft Entra ID is the "system of truth" for shared data, which is typically small and static data used by every service. The federated model used within Microsoft 365 and Microsoft Entra ID provides the shared view of the data.
Microsoft 365 uses both physical storage and Azure cloud storage. For example, Exchange Online keeps customer data in its own storage, whereas SharePoint Online uses both SQL Server storage and Azure Storage, which is why SharePoint Online needs the additional isolation of customer data at the storage level noted earlier.