Office 365 Administrative Access Controls
Published: September 9, 2016
Document Classification: Controlled (distributed under Microsoft NDA)
Document Location: http://aka.ms/Office365AAC
Document Feedback: firstname.lastname@example.org

© 2016 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. This document is confidential and proprietary to Microsoft. It is disclosed and can be used only pursuant to a non-disclosure agreement.

Introduction

Microsoft has invested heavily in systems and controls that automate most Office 365 operations while intentionally limiting Microsoft's access to customer content. Humans govern the service, and software operates the service. This enables Microsoft to manage Office 365 at scale and to manage the risks that internal threats pose to customer content, such as malicious actors or the spear-phishing of a Microsoft engineer. By default, Microsoft engineers have zero standing administrative privileges and zero standing access to customer content in Office 365. A Microsoft engineer can have limited, audited, and secured access to a customer's content for a limited amount of time, but only when necessary for service operations, and only when approved by a member of Microsoft senior management (and, for customers that are licensed for the Customer Lockbox feature, by the customer).
Microsoft provides online services, including Office 365, using multiple forms of cloud delivery:

- Public Clouds, which include multi-tenant versions of Office 365, Azure, and other services that are hosted in North America, South America, Europe, Asia, Australia, etc.
- National Clouds, which include all sovereign and third party-operated clouds outside of the United States (except for those noted above), such as Office 365 in China (which is operated by 21Vianet), and Office 365 in Germany (which is operated by Microsoft but under a model in which a German data trustee, Deutsche Telekom, controls and monitors Microsoft's access to Customer Data and systems that contain Customer Data).
- Government Clouds, which include Office 365 and Azure services that are available to United States government customers.

This document provides details on Microsoft's approach to administrative access and the controls that are in place to safeguard the services and processes in Office 365. For purposes of this document, Office 365 services include Exchange Online, Exchange Online Protection, SharePoint Online (including OneDrive for Business) and Skype for Business. Additional information about some Yammer Enterprise access controls is also included in this document. Other Office 365 services are out of scope for this document.

Office 365 Access Controls

For access control purposes, Office 365 data is categorized as either Customer Data or other types of data. Customer Data is all data provided by or on behalf of a customer through the customer's use of Office 365 services, such as customer content [1] and end-user identifiable information (EUII) [2]. Other types of data include account data [3], organizationally identifiable information [4], and system metadata [5].

[1] Content directly created or uploaded by Office 365 users including emails, SharePoint Online content, instant messages, calendar items, documents, and contacts stored in Office 365.
[2] Data that is unique to a user or that is linkable to an individual user but does not include customer content.
[3] Includes administrative data, which is the information provided by administrators when they sign up for or purchase services, and payment data, which is information about payment instruments, such as credit card details.
[4] Data that can be used to identify a tenant, or usage data; it is not linkable to an individual user and does not include customer content.
[5] Includes service logs that contain configuration settings, system status, Microsoft IP addresses, and technical information about subscriptions and tenants.

Microsoft has established access control mechanisms to ensure that no one has unapproved access to Customer Data or access control data [6], or unapproved physical, logical, or remote access to the Office 365 production environment. The access controls used by Microsoft for operating Office 365 can be grouped into three categories:

1. Isolation Controls
2. Personnel Controls
3. Technology Controls

When combined, these controls help prevent and detect malicious actions in Office 365. While this document focuses on the isolation, personnel, and technology controls used by Microsoft, there is a fourth category of controls: those implemented by customers. Office 365 allows you to manage your data much in the same way data is managed in on-premises environments. The person who signs up an organization for Office 365 automatically becomes a global administrator (admin). The global admin has access to all features in the management portals (e.g., admin centers and remote PowerShell), and can create or edit users, assign admin roles to others, reset user passwords, manage user licenses, manage domains, and approve Customer Lockbox requests, among other things.
We recommend that each organization designate at least two admin accounts, and depending on the size of your organization, you may want to designate several admins who serve different functions. For information about assigning admin roles and permissions, see Assigning admin roles in Office 365 and About Office 365 admin roles.

Isolation Controls

Microsoft continuously works to ensure that the multi-tenant architecture of Office 365 supports enterprise-level security, confidentiality, privacy, integrity, and availability standards, as well as local and international standards. Given the scale and scope of the services Microsoft provides, it would be difficult and uneconomical to manage Office 365 if significant human interaction were required. Office 365 services are provided through multiple globally distributed datacenters in a highly automated fashion, where extremely few datacenter operations require a human touch, and even fewer require access to customer content. Our staff supports these services and datacenters using automated tools and highly secure remote access [7]. Office 365 is composed of multiple services that provide important business functionality and together make up the Office 365 experience. Each of these services is designed to be self-contained and to integrate with the others. Office 365 is designed according to the principles of Service-Oriented Architecture (designing and developing software as interoperable services that provide well-defined business functionality) and Operational Security Assurance, a framework that incorporates the knowledge gained through capabilities unique to Microsoft, including the Microsoft Security Development Lifecycle, the Microsoft Security Response Center, and deep awareness of the cybersecurity threat landscape.

[6] Used to manage access to other types of data or functions within the environment, including access to customer content or EUII.
It includes Microsoft passwords, security certificates, and other authentication-related data.
[7] For some of the details about how large-scale services are operated in Office 365, see Behind The Curtain: How We Run Exchange Online and A behind the scenes look at Office 365 for IT Pros.

Office 365 services interoperate with each other, but they are designed and implemented so that they can be deployed and operated as autonomous services, independent of each other. Microsoft segregates duties and areas of responsibility for Office 365 to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. Office 365 teams have defined roles as part of a comprehensive role-based access control mechanism.

Customer Content Isolation

All customer content belonging to a tenant is isolated from other tenants and from the operations and systems data used in the management of Office 365. Multiple forms of protection have been implemented throughout Office 365 to minimize the risk of compromise of any Office 365 service or application, or of anyone gaining unauthorized access to the information of tenants or to the Office 365 system itself. For information about how Microsoft implements logical isolation of tenant data within Office 365, see Tenant Isolation in Office 365.

Personnel Controls

Personnel screening, which is the process of reviewing and validating a person's past behavior and status, is an important mitigation control to prevent Office 365 service compromise. While past behavior is not a perfect predictor of a person's future behavior, it does help to identify potential bad actors.
Microsoft's Personnel Screening Standard applies to all Microsoft employees, interns, and contingent staff involved in the development, operation, or delivery of online services to government or commercial cloud customers. Screening standards for National Cloud environments that are not operated by Microsoft are defined by the operating partner personnel for each specific environment. Microsoft's personnel screening practices for Office 365 are aligned with Microsoft's corporate standards and National Institute of Standards and Technology (NIST) controls for personnel screening.

Microsoft staff who require access to the following are subject to Microsoft's Personnel Screening Standard:

- Physical access to datacenters, co-locations, secured rooms, cages, server racks, or edge sites that provide the infrastructure supporting online services for government or commercial cloud customers.
- Logical access to government or commercial cloud Customer Data provided through specific managed environments.
- Network management access to devices and services that transport or store government or commercial cloud Customer Data.

Specific personnel-related events that trigger screening requirements include:

- New Microsoft staff placed in roles where screening is a defined requirement.
- Internal Microsoft staff transferring or moving to an existing role that currently includes screening as a defined requirement.
- Existing roles that change scope to include screening as a defined requirement.
To ensure that only approved personnel have access to Customer Data or environments that require screening, the following enforcement criteria apply:

United States Cloud Environments Only:

- Access to Customer Data or environments that require screening must only be permitted after adjudication is completed and screening requirements are passed.
- Microsoft staff who no longer require access to Customer Data or related environments must have access removed upon leaving Microsoft or moving to a new role.
- Microsoft staff must leave screened environment smart cards with management before leaving the United States.

National Cloud Environments:

- Third-party operator or data trustee personnel are responsible for managing and enforcing access for National Cloud environments.

Within Microsoft's cloud services environments, access is restricted based on a person's role and the type of data involved, as detailed in Table 1. Qualified or unqualified personnel physically located outside of the United States are not permitted to have access to Customer Data within a United States cloud. Access to National Cloud environments is restricted so that Microsoft personnel do not have technical access to Customer Data, or systems that contain Customer Data, without approval by the third-party operator or data trustee.
Role | Access to Customer Data | Access to System Data
Qualified Personnel physically located in the United States | Permitted | Permitted
Qualified Personnel physically located outside of the United States | Not Permitted | Permitted
International Exception Access for Microsoft Staff (enables logical access for Microsoft staff who do not reside in the country where the government or commercial Customer Data is at rest) | Not Permitted | Permitted
Unqualified Personnel (unscreened personnel that require an escort by qualified personnel) | Permitted with authorization | Permitted with escort oversight
Table 1 - Data access by role

Where local law allows for it, Microsoft's Global Security Department conducts pre-employment screening. This is a formal background investigation that includes the following criteria:

- A check (e.g., for completeness and accuracy) of the applicant's resume
- Confirmation of academic and professional qualifications
- Investigation of any loss of professional credentials
- Verification of past three employers
- A check of police records for felony conviction
- Confirmation of identity from a government-issued identification
- Credit check where appropriate

Periodic rescreening and/or additional background checks may be required for certain management, security, or other roles, including but not limited to United States-based employees in roles that require access to Customer Data. For contingent staff, the contract with the third party specifies Microsoft's requirements for screening that must be conducted by the third party. For background checks, the third-party company is responsible for providing to Microsoft verification that a background check has been performed. The results of the background check are typically received via email from the third party's human resources department. International employees of contract staff may be exempt from the background screening process due to laws in countries that prohibit background checks.
Microsoft Employment Screening

Since 2004, Microsoft has required individuals to pass a seven-year criminal record screen for felonies and misdemeanors, and to verify their education and employment history, as part of pre-employment screening in the United States for employees and interns. In the United States, prior to assigning any Microsoft employee or any Microsoft-assigned subcontractor to provide Office 365-related services, Microsoft will conduct, and cause its subcontractor to conduct, a background check consisting of a Social Security number trace and criminal record check. The data from this background check is used as a factor in the hiring decision. The criminal record check includes a seven-year felony and misdemeanor criminal records check of federal, state, and county records (as applicable). As a condition of employment, at the time of hire, all Microsoft employees are required to sign confidentiality and non-disclosure agreements, and to verify that they have reviewed the Microsoft Employee Handbook.

Microsoft Cloud Background Check

A Microsoft Cloud Background Check is required for candidates to be hired as employees providing Office 365-related services in the United States. Microsoft employees in the United States with access to Customer Data must follow the Microsoft Cloud Background Check process, which is required by all Office 365 services. Outside of the United States, the process varies. For example, the Microsoft Cloud for Germany uses a Data Trustee approval model, which is designed to ensure that the Data Trustee (a German company), and not Microsoft, is in control of access to Customer Data.
The Microsoft Cloud in Germany is delivered from datacenters in Germany, and the Operations Centers (OC) containing the technical staff of the Data Trustee are also in Germany. Both the datacenter and the OC facilities are operated, maintained and controlled by the Data Trustee.

The following table lists the checks that are performed as part of the Microsoft Cloud Background Check.

Screening | Description
Social Security Number Search | Verifies that the provided Social Security number is valid.
Criminal History Check | Seven-year criminal records check for felony and misdemeanor offenses at the state, county, and local levels, and as appropriate, at the federal level.
Office of Foreign Assets Control List | Department of Treasury list of individuals and organizations with whom United States citizens and permanent residents are not allowed to do business.
Bureau of Industry and Security List | Department of Commerce list of individuals and entities barred from engaging in export activities.
Office of Defense Trade Controls Debarred Persons List [8] | Department of State list of individuals and entities barred from engaging in export activities related to the Defense industry.
Table 2 - Microsoft Cloud Background Check screening processes for employees hired within the United States

The results from the Microsoft Cloud Background Check are stored in our employee database, which is connected to our datacenter access control systems. If the Microsoft Cloud Background Check expires and the employee does not renew it, then access to Office 365 services is revoked and no longer available until the Microsoft Cloud Background Check is completed again. When the employment relationship with Microsoft ends, any existing datacenter access is immediately revoked.

[8] Added on July 1, 2010.
United States citizenship is verified for all employees with physical or logical access to the Office 365 United States Government services. To verify citizenship, employees and/or new hire candidates meet with a U.S. Citizenship Delegate who is trained to review documentation verifying U.S. citizenship. Employees or new hire candidates must bring the required documentation and sign an attestation form at a meeting with the Citizenship Delegate for their region. The meeting must be done in person. Once the individual has met with the Citizenship Delegate and provided the necessary documentation and signatures, the Citizenship Delegate forwards a copy of the documents to Microsoft Staffing Operations, which submits the copy to record keeping.

Personnel with logical access to the Office 365 U.S. Government Community Cloud, or logical or physical access to the Azure U.S. government offerings, are required to comply with federal government requirements of the FBI's Criminal Justice Information Services (CJIS), including personnel screening. CJIS screening in support of the Office 365 U.S. Government service includes a fingerprint-based criminal background check which is adjudicated by the CJIS system agency designated adjudicator in states that have enrolled in the Microsoft Online Services CJIS support program.

Technology Controls

Microsoft uses several tools and technologies to control, manage, and audit access to Customer Data in Exchange Online and SharePoint Online, including Lockbox and Customer Lockbox, multi-factor authentication, and more. Yammer Enterprise uses similar controls, as described later in this document.
Office 365 engineers have zero standing access to Office 365 Customer Data, and they must go through an approval process that includes approval by Microsoft and, if the customer licenses the Customer Lockbox feature for Exchange Online and SharePoint Online, by the customer, before access to Customer Data for service operations can occur. When approval is granted, service-specific administrative accounts are provisioned just-in-time with just enough access to perform the tasks required by the service request.

Lockbox and Customer Lockbox

Although it is extremely rare, a customer could request assistance from Microsoft that may expose a Microsoft engineer to the customer's content in order to assist them with an issue. To control access to Exchange Online (which includes any Skype for Business data stored in the users' mailboxes [9]) and SharePoint Online (which includes OneDrive for Business), Microsoft uses an access control system called Lockbox. Before any Microsoft engineer can access any Exchange Online or SharePoint Online systems or data, they must submit an access request using Lockbox. Using Lockbox is required for all elevated access to Exchange Online or SharePoint Online. Lockbox processes requests for permissions that grant engineers the ability to perform operational and administrative functions within the service. Engineers submit requests through Lockbox, which must be approved by a manager prior to the engineer gaining the ability to access Customer Data. Upon manager approval, the engineer has time-limited and scope-limited access to Customer Data to work on the customer's issue.

[9] Skype for Business coverage does not include Skype Meeting Broadcast recordings or content uploaded to meetings by users.
Customer Lockbox for Office 365 can help you meet compliance obligations, such as those found in FedRAMP and HIPAA, if you need procedures in place for explicit data access authorization. In the rare instance when a Microsoft service engineer needs access to your data, you grant that access only to data required to resolve the issue and for a limited amount of time. Actions taken by the support engineer are logged for auditing purposes and are accessible via the Office 365 Management Activity API and the Security and Compliance Center. Customer Lockbox inserts the customer into the Lockbox approval process and provides them with the ability to control authorization of Microsoft access to their Exchange Online or SharePoint Online content for service operations.

Note: Customer Lockbox is available in Office 365 Enterprise E5 and as an add-on purchase, but manual action must be taken in the Office 365 admin center (under Service Settings | Customer Lockbox) to enable it. For more information, see Office 365 Customer Lockbox Requests.

All service requests for Exchange Online and SharePoint Online are handled by the Lockbox system. With Customer Lockbox, any service operation necessitating access to these services with exposure to Customer Data goes through the Lockbox approval process, and then the customer is asked to approve or reject the request.

Figure 1 - Customer Lockbox Workflow

If the request is rejected by the customer, the Microsoft engineer will not have access to the customer's content and will not be able to complete the service operation. If the request is approved by the customer, the Microsoft engineer will have limited just-in-time access to the customer's content through monitored and constrained management interfaces.
With both Lockbox and Customer Lockbox, all approved access is traceable to a unique user, making engineers accountable for their handling of Customer Data.

Example Scenario: Customer Lockbox

The tenant administrator for Contoso contacts Microsoft Customer Support Services (CSS) to report an issue with a user's mailbox. The tenant administrator tried to troubleshoot the issue but was unable to resolve it, so they opened a Service Request (SR) with CSS. As a result, a new SR is created with a unique number, the support process is initiated, and an On-call Engineer (OCE) is assigned. The customer receives email acknowledgement of the SR. During troubleshooting, the OCE determines that they will need access to the user's mailbox. By default, the OCE has zero standing access to Customer Data, including the user's mailbox, without independent authorization. Without approval, no access can be gained by the OCE because the OCE has not been assigned any roles and therefore does not have access to any cmdlets that expose Customer Data.

The OCE starts by submitting a request to the Lockbox system, as shown in the following figure.

Figure 2 - Submitting a new Lockbox request

In the above example, the request is for access to Customer Data for the contoso.onmicrosoft.com tenant for a duration of 30 minutes (the maximum duration is 4 hours). All requests are scoped to a single tenant and tied to the customer's SR, which is a mandatory parameter for the request. The system checks to verify that the requestor has undergone the background screening required for access. If the requestor has not undergone the required screening, the request is automatically denied. After the request is submitted, it will initially be in a Pending state, as shown in the following figure.
Figure 3 - Lockbox request pending

The OCE also receives an acknowledgment email, as shown in the following figure.

Figure 4 - Acknowledgement email for Lockbox request

Next, the Lockbox system sends an email to the appropriate Microsoft Manager with a link to the approval portal, which is shown below. The Microsoft Manager has 12 hours from the time of the request to approve or deny the request.

Figure 5 - Screenshot of elevation approval tool for Lockbox requests

Using this portal, the Microsoft Manager reviews the reason for the request, determines if it is required and appropriate, and, if so, approves the request. Upon approval, the OCE receives an approval email, as shown below.

Figure 6 - Approval email from Lockbox system to OCE

As shown in this figure, with Customer Lockbox, the request has been approved by the Microsoft Manager, but access is still pending approval by the tenant administrator. The tenant administrator must approve or deny the request within the same 12-hour window as the Microsoft Manager. An email is sent by the Lockbox system to the tenant administrator that notifies them of the request and directs them to the Office 365 admin center to approve the request. Customer Lockbox approval requests are displayed on the main Dashboard of the Office 365 admin center, as shown in the following figure.

Figure 7 - Customer Lockbox requests in Office 365 admin center

After the tenant administrator approves the request, the OCE receives an approval email from the Lockbox system, as shown in the following figure.
Figure 8 - Approval process completed email from Lockbox system to OCE

At this point, the OCE has just enough access to the user's mailbox for the specified duration to troubleshoot and resolve the customer's issue. The timer for the specified duration begins when the tenant approves the request. After the specified duration, an automatic process removes the OCE from the security groups that enabled access to the user's mailbox, and the OCE reverts to zero standing access. If the OCE has not completed the work necessary to resolve the customer's issue, then a new Lockbox / Customer Lockbox request must be initiated and approved to complete the work.

Just-in-Time Access

Microsoft uses the just-in-time (JIT) access principle for Office 365 to further mitigate the risk of credential tampering and lateral attacks. JIT removes persistent administrative access to services and replaces those entitlements with the ability to elevate into those roles on demand. Removing persistent rights from administrators ensures that credentials are available only when they are needed, and removes the risk posed to the company in cases of credential theft. The JIT access model requires engineers to request elevated privileges for a limited period to perform administrative duties. In addition, OCEs use temporary accounts that are created with machine-generated complex passwords and granted only those roles that allow them to perform the necessary tasks. For example, administrative access granted by Lockbox is time-bound, and the amount of time access is granted depends on the role being requested. An engineer specifies the duration of access needed in the request to the Lockbox system. The Lockbox system will reject requests where the time requested exceeds the maximum permitted time for the elevation.
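The request lifecycle walked through in the scenario and the JIT rules above, modelled as an added example that is not Microsoft's code; the class names, the in-memory screening register, the group naming and the Contoso values are constructed for illustration:

```python
# Model of the Lockbox / Customer Lockbox request lifecycle described above.
# Added example, not Microsoft's code: class names, screening register and the
# Contoso walk-through are constructed. Rules come from the text: one tenant per
# request, SR number mandatory, at most 4 hours, unscreened requestor auto-denied,
# manager and (with Customer Lockbox) tenant admin decide within 12 hours of
# submission, the timer starts at tenant approval, expiry removes group membership.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

MAX_DURATION, APPROVAL_WINDOW = timedelta(hours=4), timedelta(hours=12)

class State(Enum):
    PENDING_MANAGER = "pending Microsoft manager approval"
    PENDING_CUSTOMER = "pending tenant administrator approval"
    ACTIVE = "access granted"
    DENIED = "denied"
    EXPIRED = "expired"

@dataclass
class LockboxRequest:
    engineer: str
    tenant: str
    sr_number: str
    duration: timedelta
    submitted_at: datetime
    customer_lockbox: bool                 # tenant has enabled Customer Lockbox
    state: State = State.PENDING_MANAGER
    reason: str = ""
    access_start: datetime = None          # set when the final approval lands
    groups: set = field(default_factory=set)  # security groups granting access

class Lockbox:
    def __init__(self, screened_engineers: set):
        self.screened = screened_engineers  # engineers who passed background screening

    def submit(self, engineer, tenant, sr_number, duration, now, customer_lockbox):
        req = LockboxRequest(engineer, tenant, sr_number, duration, now, customer_lockbox)
        if not sr_number:
            return self._deny(req, "SR number is mandatory")
        if duration > MAX_DURATION:
            return self._deny(req, "requested duration exceeds the 4-hour maximum")
        if engineer not in self.screened:
            return self._deny(req, "requestor has not passed required screening")
        return req  # Pending: the Microsoft manager is notified

    @staticmethod
    def _deny(req, why):
        req.state, req.reason = State.DENIED, why
        return req

    def manager_decision(self, req, approve, now):
        if req.state is not State.PENDING_MANAGER:
            return req
        if now - req.submitted_at > APPROVAL_WINDOW:
            return self._deny(req, "12-hour manager approval window elapsed")
        if not approve:
            return self._deny(req, "denied by Microsoft manager")
        if req.customer_lockbox:               # still needs the tenant administrator
            req.state = State.PENDING_CUSTOMER
            return req
        return self._grant(req, now)

    def customer_decision(self, req, approve, now):
        if req.state is not State.PENDING_CUSTOMER:
            return req
        if now - req.submitted_at > APPROVAL_WINDOW:  # same window as the manager
            return self._deny(req, "12-hour tenant approval window elapsed")
        if not approve:
            return self._deny(req, "denied by tenant administrator")
        return self._grant(req, now)

    @staticmethod
    def _grant(req, now):
        req.state, req.access_start = State.ACTIVE, now   # timer starts at approval
        req.groups.add(f"lockbox-{req.tenant}-{req.sr_number}")  # constructed group name
        return req

    @staticmethod
    def sweep(req, now):
        # Automatic expiry: drop the group memberships, back to zero standing access.
        if req.state is State.ACTIVE and now >= req.access_start + req.duration:
            req.groups.clear()
            req.state = State.EXPIRED
        return req

    @staticmethod
    def can_access(req, now):
        return (req.state is State.ACTIVE and bool(req.groups)
                and now < req.access_start + req.duration)

def contoso_walkthrough():
    # The scenario from the text: 30-minute request, manager then tenant approval.
    t0 = datetime(2016, 9, 9, 9, 0)
    lockbox = Lockbox(screened_engineers={"oce-alice"})
    req = lockbox.submit("oce-alice", "contoso.onmicrosoft.com", "SR-0001",
                         timedelta(minutes=30), t0, customer_lockbox=True)
    lockbox.manager_decision(req, True, t0 + timedelta(hours=1))
    lockbox.customer_decision(req, True, t0 + timedelta(hours=3))
    during = Lockbox.can_access(req, t0 + timedelta(hours=3, minutes=20))
    Lockbox.sweep(req, t0 + timedelta(hours=4))
    return req, during, Lockbox.can_access(req, t0 + timedelta(hours=4))
```

Further work after expiry needs a fresh submit/approve cycle; the expired request object never becomes active again.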
After expiration of the elevation request, administrative access is removed and the temporary account is expired. When authorized and approved for access (for example, to debug a system), engineers receive a one-time use administrative password that is generated by the authorization system each time a request for elevated access is approved. This password is copied by the engineer into a password safe, is separate from the engineer's credentials for the Microsoft corporate environment, and is good only for the session for which elevated access was approved.

Constrained Management Interfaces

OCEs use two management interfaces to perform administrative tasks: Remote Desktop through secured Terminal Service Gateways (TSGs) and Remote PowerShell. Within these management interfaces there are software policies and access controls that place significant restrictions on what applications can be executed and what commands and cmdlets are available.

Office 365 servers restrict concurrent sessions to one session per service team administrator, per server. TSGs are configured to allow only a single concurrent session per user; they do not allow multiple sessions. TSGs allow Office 365 service team administrators to connect to multiple servers concurrently, using a single session per server, so that administrators can effectively perform their duties. Service team administrators do not have any permissions on the TSGs themselves. The TSG is used only to enforce multi-factor authentication (MFA) and encryption requirements. Once the service team administrator connects to a specific server through a TSG, that server will enforce a session limit of one per administrator.
Usage restrictions and connection and configuration requirements for Office 365 personnel are established by Active Directory group policies. These policies include the following characteristics:

- TSGs are configured to use only FIPS 140-2 validated encryption
- TSG sessions are configured to disconnect after 30 minutes of inactivity
- TSG sessions are configured to automatically log off after 24 hours

Connections to TSGs also require MFA using a separate physical smart card and an account that is separate from the engineer's Microsoft corporate credentials. Engineers are issued different smart cards for various platforms, and secrets management platforms are used to ensure secure storage of credentials. TSGs use Active Directory group policies to control who can log in to remote servers, the number of allowed sessions, and idle timeout settings. Additional policies are in place to limit access to allowed applications and to restrict Internet access.

In addition to remote access using specially configured TSGs, Exchange Online allows users with the Service Engineer Operations role to access certain administrative functionality on production servers using Remote PowerShell. To do this, the user must be authorized for read-only (debug) access to the Office 365 production environment. Privilege escalation is enabled the same way it is enabled for TSGs, using the Lockbox process. For remote access, there is a load-balanced virtual IP at each datacenter that serves as a single point of access. The Remote PowerShell cmdlets that can be executed are based on the privilege level identified in the access claim obtained during authentication. These cmdlets are the only administrative functionality that can be accessed and executed by users connecting using this method. Remote PowerShell is used to limit the scope of commands available to the engineer, based upon the level of access granted via the Lockbox process.
For example, in Exchange Online, Get-Mailbox might be available, but Set-Mailbox would not be.

Monitoring and Auditing

Microsoft also performs extensive monitoring and auditing of all delegation, all use of privileges, and all operations that occur within Office 365. Office 365 access control is an automated process built on the principle of least privilege that incorporates data access controls and audits:

- All permitted access is traceable to a unique user, making administrators accountable for their handling of customer content.
- Access control requests, approvals, and administrative operations logs are captured for analysis of security insights and malicious events.
- Access levels are reviewed in near real-time based on security group membership to ensure that only users who have authorized business justifications and meet the eligibility requirements have access to the systems.

Office 365, its access controls, and supporting services, including Azure Active Directory and our physical datacenters, are regularly audited by independent third parties for compliance with ISO/IEC 27001, ISO/IEC 27018, SOC, FedRAMP, and other standards. Office 365 engineers are required to take yearly security training that reviews elevated access best practices and risks, and to acknowledge Microsoft's security and privacy policies, in order to maintain their entitlements to the service.

Automated alerts are triggered when suspicious activity is detected, such as multiple failed logins within a short period. The Office 365 Security Response team uses machine learning and big data analysis to review and analyze activity for irregular access patterns and to proactively respond to anomalous and illicit activities.
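The Remote PowerShell constraint described above (Get-Mailbox visible, Set-Mailbox not), together with per-session transcripts that make each command attributable to a single user, can be modelled with Just Enough Administration (JEA). This is an added example, not Microsoft's own code or configuration: JEA is a swapped-in technique standing in for the access-claim mechanism the document describes, and the group names, module name, transcript path and host name are assumptions.

```powershell
# Added example, not Microsoft's internal implementation: a JEA endpoint that
# exposes Get-Mailbox but not Set-Mailbox, transcribes every session, and admits
# only members of an assumed group whose membership is granted just-in-time and
# removed when the elevation expires. Group names, the module name, the
# transcript path and the host name are assumptions. Run in an elevated
# PowerShell 5.1+ session on the server that will host the endpoint.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ExoDebugJea'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null

# Role capability: only the two Get-* cmdlets are visible. Nothing else from the
# module is exported, so Set-Mailbox cannot be reached through this session.
$roleParams = @{
    Path            = Join-Path $rcDir 'MailboxReadOnly.psrc'
    ModulesToImport = 'ExchangeCmdlets'            # assumed: module exporting Get-/Set-Mailbox
    VisibleCmdlets  = 'Get-Mailbox', 'Get-MailboxStatistics'
    Description     = 'Read-only (debug) mailbox access'
}
New-PSRoleCapabilityFile @roleParams

# Session configuration: restricted session, no language elements, virtual
# run-as account (the engineer's own token never holds rights on the server),
# transcripts for attribution, and a required-group check that models the
# just-in-time access claim obtained at authentication.
$pssc = Join-Path $moduleRoot 'ExoDebug.pssc'
$sessionParams = @{
    Path                = $pssc
    SessionType         = 'RestrictedRemoteServer'
    LanguageMode        = 'NoLanguage'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\ProgramData\JEATranscripts'
    RequiredGroups      = @{ And = 'CONTOSO\JIT-Debug-Elevated' }   # assumed JIT group
    RoleDefinitions     = @{ 'CONTOSO\ExoDebugEngineers' = @{ RoleCapabilities = 'MailboxReadOnly' } }
}
New-PSSessionConfigurationFile @sessionParams
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file $pssc is invalid"
}
Register-PSSessionConfiguration -Name 'ExoDebug' -Path $pssc -Force | Out-Null

# Mirror the 30-minute idle disconnect from the TSG policy: WinRM drops idle
# shells after this many milliseconds.
Set-Item -Path 'WSMan:\localhost\Shell\IdleTimeout' -Value 1800000

# Client-side check (run as a member of both groups): Get-Mailbox resolves in
# the endpoint, while Set-Mailbox is not defined there at all.
$s = New-PSSession -ComputerName 'exo-debug-host' -ConfigurationName 'ExoDebug'
Invoke-Command -Session $s -ScriptBlock { Get-Command -Name Get-Mailbox }
Invoke-Command -Session $s -ScriptBlock { Get-Command -Name Set-Mailbox -ErrorAction SilentlyContinue }
Remove-PSSession $s
```

Removing the engineer from the JIT group when the elevation expires closes the endpoint to that account, and the transcript directory holds a per-session record of every command run under the virtual account.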
Microsoft also employs a dedicated team of penetration testers and engages in periodic red team and blue team exercises to find security and access control issues in the service. Customers may also verify the effectiveness of access control systems by using audit reports and the Management Activity API provided by Office 365. For more information, see Office 365 Management Activity API reference and Auditing and Reporting in Office 365.

Yammer Enterprise Access Controls

Both physical and logical access to the Yammer production environment is restricted to a very small set of people (infrastructure and operations). As with other Office 365 engineers, Yammer engineers have zero standing access to Customer Data. Access must be requested using an approval-based access control system similar to Lockbox, and there is a limited number of approvers. Approvers verify the request (e.g., they verify whether the request is legitimate based on need, business case, time, etc.), and then approve or deny it. If the request is approved, JIT access is granted for a defined and limited time, after which it automatically expires. As with other Office 365 services, all access to the Yammer production environment leverages MFA. All access and command history is attributed to a user, and is logged and reviewed regularly by the Yammer security team.

Summary

The need for Microsoft to access Customer Data is extremely rare. In the event access is needed to resolve a customer issue, multiple levels of access controls are in place before any Microsoft engineer gains access to Customer Data. Microsoft's personnel screening practices are aligned with Microsoft's corporate standards and NIST controls for personnel screening.
All Microsoft employees in the United States with access to Office 365 services or data undergo multiple types of screening: Microsoft employment screening, the Microsoft Cloud Background Check, and/or specialized screening. All new employees of Microsoft in the United States undergo criminal and educational history background checks that are conducted one time before hire, regardless of role. The Microsoft Cloud Background Check is required by all Office 365 services for United States-based staff.

Microsoft has designed Office 365 so that access to customer content is rarely required. Microsoft employs zero standing access and zero elevated privileges throughout Office 365. Engineers have zero standing access to Customer Data, and when service-specific administrative accounts are provisioned, they are created with minimal rights similar to generic user accounts. All permitted access is traceable to a unique user, making administrators accountable for their actions. Automated alerts are triggered when suspicious activity is detected. The Office 365 Security Response team uses machine learning and big data analysis to review and analyze activity for irregular access patterns and to proactively respond to anomalous and illicit activities. Role-based access control is used in Exchange Online, SharePoint Online, and Skype for Business to determine individual permissions to mailbox, site collection, and other data.

Materials in this Library

Microsoft publishes a variety of content for customers, partners, auditors, and regulators around security, compliance, privacy, and related areas.
Below are links to other content in our library, some of which are available for download from the Microsoft Cloud Service Trust Portal (STP) and the Service Assurance dashboard in the Office 365 Security and Compliance Center. Each entry gives the document name followed by its abstract.

Auditing and Reporting in Office 365
  Describes the auditing and reporting features in Office 365 and Azure Active Directory available to customers. Also details the various audit data that is available to customers via the Office 365 Security & Compliance Center, remote PowerShell, and the Management Activity API. Also describes the internal logging data that is available to Microsoft Office 365 engineers for detection, analysis, and troubleshooting.

Controlling Access to Office 365 and Protecting Content on Devices
  Describes the Conditional Access (CA) features in Microsoft Office 365 and Microsoft Enterprise Mobility + Security, and how they are designed with built-in data security and protection to keep company data safe, while empowering users to be productive on the devices they love. It also provides guidance on how to address common concerns around data access and data protection using Office 365 features.

Data Encryption Technologies in Office 365
  Provides an overview of the various encryption technologies that are currently available or recently announced for Office 365, including features deployed and managed by Microsoft, and features managed by customers.

Data Resiliency in Office 365
  Describes how Microsoft prevents Customer Data from becoming lost or corrupt in Exchange Online, SharePoint Online, and Skype for Business, and how Office 365 protects Customer Data from malware and ransomware.

Defending Office 365 Against Denial of Service Attacks
  Discusses different types of Denial of Service attacks and how Microsoft defends Office 365, Azure, and their networks against attacks.
Financial Services Compliance in Microsoft's Cloud Services
  Describes how the core contract amendments and the Microsoft Regulatory Compliance Program work together to support financial services customers in meeting their regulatory obligations as they relate to the use of cloud services.

Microsoft Response to New FISC Guidelines in Japan (English) (Japanese)
  Explains how Microsoft addresses the risks and requirements described in the FISC Revised Guidelines, and describes features, controls, and contractual commitments that customers can use to meet the requirements in the Revised Guidelines.

Microsoft Threat, Vulnerability, and Risk Assessment of Datacenter Physical Security
  Provides an overview of the risk assessment of Microsoft datacenters, including potential threats, controls and processes to mitigate threats, and indicated residual risks.

Office 365 Administrative Access Controls
  Provides details on Microsoft's approach to administrative access and the controls that are in place to safeguard the services and processes in Office 365. For purposes of this document, Office 365 services include Exchange Online, Exchange Online Protection, SharePoint Online, and Skype for Business. Additional information about some Yammer Enterprise access controls is also included in this document.

Office 365 Customer Security Considerations
  Provides organizations with quick access to the security and compliance features in Office 365 and considerations for using them.

Office 365 End of Year Security Report 2014
  Covers security and legal enhancements made to Office 365 in calendar year 2014 that enable customers and partners to meet legal requirements surrounding independent verification and audits of Office 365.

Office 365 End of Year Security Report and Pen Test Summary 2015
  Office 365 End of Year Security Report and Pen Test Summary for CY 2015.
Office 365 Mapping of CSA Cloud Control Matrix 3.0.1
  Provides a detailed overview of how Office 365 maps to the security, privacy, compliance, and risk management controls defined in version 3.0.1-11-24-2015 of the Cloud Security Alliance's Cloud Control Matrix.

Office 365 Risk Management Lifecycle
  Provides an overview of how Office 365 identifies, evaluates, and manages identified risks.

Office 365 Security Incident Management
  Describes how Microsoft handles security incidents in Office 365.

Privacy in Office 365
  Describes Microsoft's privacy principles and internal privacy standards that guide the collection and use of customer and partner information at Microsoft and give employees a clear framework to help ensure that we manage data responsibly.

Self-Service Handling of Data Spills in Office 365 (restricted to Federal customers)
  Reviews the spillage support provided by Office 365, the tools available to customers, and the configuration settings that should be reviewed in environments that are prone to data spills.

Tenant Isolation in Office 365
  Describes how Microsoft implements logical isolation of tenant data within the Office 365 environment.