Trust Center: Security, Privacy and Compliance Information for Office 365 and Microsoft Dynamics 365
Administrative access
We enable you to find out whether someone has accessed your data. We know that in the cloud, data access is one of your main concerns. This means both knowing that you will be able to access your data when you need to and knowing whether someone else has accessed your data.
What is the Office 365 and Dynamics 365 position on data access?
Our position on access to your data is as follows:
§ We always give you access to your customer data.
§ Access to customer data is strictly controlled and logged, and sample audits are performed both by Microsoft and third parties to attest that access is only for appropriate business purposes.
§ We recognize the extra importance of our customers' content, 1such as Exchange Online email body data and SharePoint Online team site content. If someone—Microsoft personnel, partners, 2or your own administrators—accesses your content on the service, you can obtain reports regarding that access by either running a Non-owner mailbox access report* or an external admin audit log. These two reports enable you to know when your content may have been accessed.
§ The Non-owner mailbox access report* in the Exchange Administration Center (EAC) lists the mailboxes that have been accessed by someone other than the person who owns the mailbox. When a mailbox is accessed by a non-owner, Microsoft Exchange logs information about this action in a mailbox audit log that is stored as an email message in a hidden folder in the mailbox being audited. Entries in the mailbox audit log are retained for 90 days by default.
*You have to enable mailbox audit logging for each mailbox that you want to run a non-owner mailbox access report for. If mailbox audit logging isn't enabled, you won't get any results when you run a report.
Learn more about running a non-owner mailbox access report.
§ The administrator audit logging records specific actions performed by administrators and users who have been assigned administrative privileges. You can use the EAC to search for and view entries from the administrator audit log for actions performed by Microsoft administrators and delegated administrators.
Learn more about viewing the external admin audit log.
§ Azure Active Directory Premium is an identity platform for Office 365 that provides identity management and access control capabilities. Azure Active Directory capabilities include a cloud-based store for directory data and a core set of identity services, including user logon processes, authentication services, and Federation Services.
To learn how to use access and usage reports to gain visibility into the integrity and security of your organization's Azure Active Directory (AD) tenant, read this article .
How do I view administrative access to data?
Service | Activities Tracked | Instructions |
Office 365 and Dynamics 365 | Portal creation of users, Password Resets | |
Exchange Online | Exchange mailbox access3 | Visit Exchange Control Panel (link available from the Admin Overview page of the Office 365 Online Portal ; login required) |
SharePoint Online | SharePoint site, storage access | Visit the Audit Log Search page in the Security and Compliance Center portal |
Dynamics 365 | CRM content access |
1 Content is customer data for which customers may have an increased expectation of confidentiality and that, when the service is used normally, is transferred encrypted over the Internet. It specifically includes: Exchange Online email body and attachments, SharePoint Online site content and file body, instant messaging and voice conversations, and CRM business data about your end-customer interactions.
2 Reports reflect your partners' administrative access to your content stored on the service. Not all partner scenarios are covered. For example, reports on resellers (where customer has purchased the services from, and is billed by, the reseller), advanced communications services VOIP partners, and associated services such as Research in Motion (for hosted BlackBerry® service) are not available due to the nature of access to data these parties have in the ordinary course of using of the services.
3 For enterprise customers who have enabled the Exchange Online Protection administration center, administrative access of mail queued in the administration center is not reportable.
Who has administrative rights to Office 365 or Dynamics 365?
Microsoft database administrators, by definition, have access to all the resources on a database, including customer data.
We use customer data only to provide the services; therefore, Microsoft strictly prohibits access to customer data for any other purpose. As part of providing the services, database administrators may access customer data for activities such as performance tuning of databases, or migrating customers from one database to another.
The following table details different levels of access for different administrators and data types:
Administrator | Customer Data (Excluding Content) | Content |
Operations response team (limited to key personnel only) | Yes, as needed. | Yes, by exception. |
Support organization | Yes, only if required in response to a support inquiry. | No. |
Engineering | No direct access. May be transferred during troubleshooting. | No. |
Partners | With customer permission. Contact your partner for more information. | With customer permission. Contact your partner for more information. |
Others in Microsoft | No. 1 | No. |
1 Others in Microsoft may use the contact information of end users specified in the directories of Office 365 Business, Business Essentials, and Business Premium customers to send promotional communications to those end users.
What does Microsoft do to support its customers' rights to access their data? Will customers have access to their data at all times?
Customers are able to access and control their data through the standard protocols and access mechanisms defined within the service descriptions.
At the end of a customer's subscription or use of the service, the customer may always export their data. Full details are contained within Online Services Use Rights, which is the authoritative source on this topic (Enterprise Agreement customers should consult Product Use Rights). However, for your convenience, we are including the provisions of Online Service Use Rights, as of the current release of Office 365, here:
Online Service Expiration or Termination. Upon expiration or termination of your online service subscription, you must contact Microsoft and tell us whether to:
§(1) disable your account and then delete the customer data; or
§ (2) retain your customer data in a limited function account for at least 90 days after expiration or termination of your subscription (the "retention period") so that you may extract the data.
§ If you indicate (1), you will not be able to extract the customer data from your account. If you do not indicate (1) or (2), we will retain the customer data in accordance with (2).
§ Following the expiration of the retention period, we will disable your account and then delete your customer data. Cached or back-up copies will be purged within 30 days of the end of the retention period.
Microsoft provides multiple notices prior to deletion of customer data, so that customers are informed and reminded of the upcoming deletion of the data if they do not act within the stipulated time frame.
To the extent a customer needs help in fulfilling privacy requests as required by law, under many agreements customers may contact Microsoft Customer Support for help in accessing, changing, deleting, or blocking their customer data. Requests that cannot be fulfilled via standard tools and processes may be subject to an additional charge.
How can I be sure that only authorized users have been granted administrative access to fulfill their job responsibilities?
All Office 365 and Dynamics 365 personnel are accountable for their handling of customer data, because access to Office 365 and Dynamics 365 data is granted in a manner that is traceable to a unique user.
In other words, accountability is enforced through a set of system controls, including the use of unique user names, data access controls, and auditing. Unlike generic user names such as "Guest" or "Administrator," unique user names are used to enforce accountability by identifying user actions to a specific person (referred to as "binding"). Two-factor authentication, such as smart card logins using digital certificates or RSA tokens, is also used to further strengthen this binding.
Microsoft applies strict controls over which personnel roles and personnel will be granted access to customer data. Personnel access to the IT systems that store customer data is strictly controlled via role-based access control (RBAC) and lock box processes [English] . Access control is an automated process that follows the separation of duties principle and the principle of granting least privilege. This process ensures that the engineer requesting access to these IT systems has met the eligibility requirements, such as a background screen, fingerprinting, required security training , and access approvals . In addition, the access levels are reviewed on a periodic basis to ensure that only users who have appropriate business justification have access to the systems.
User access to data is also limited by user role. For example, system administrators are not provided with database administrative access.
What controls are in place to restrict physical access to my data?
All Office 365 and Dynamics 365 data centers have biometric access controls, with the majority of the data centers used to provide Office 365 and Dynamics 365 requiring palm prints to gain physical access to the data centers.
Physical access to the Office 365 and Dynamics 365 data centers is controlled by two-tier authentication, including proxy card access readers (card access badge required) and hand geometry biometric readers.
On a quarterly basis, the Microsoft Security Officer sends reports to the authorized personnel with authority to approve data center access. The reports contain the list of persons who currently have access to the data centers. The authorized personnel audit the list to ensure all persons still require access and have the least privileged access level necessary to perform their job function.
For additional information regarding the Office 365 and/or Dynamics 365 approach to customer data, please refer to the Microsoft Privacy Guidelines for Developing Products and Services, Office 365 Security white paper, Dynamics 365 Security and Service Continuity Guide, and Microsoft Online Privacy white paper.
What type of background investigation does Microsoft perform on people who are granted administrative rights?
All U.S.-based Microsoft employees are required to successfully complete a standard background check as part of the hiring process.
Microsoft Cloud Background checks are applied to all new USA Microsoft staff, and existing USA staff with access to customer data, or who manage key physical and logical access controls. The background checks are renewed every two years and include a review of information relating to a candidate's criminal history and a check against export control lists. (Export control lists include the Office of Foreign Assets Control List (OFAC), the Bureau of Industry and Security List (BIS), and the Office of Defense Trade Controls Debarred Persons List (DDTC).)
Additional information and background checks, such as citizenship checks and fingerprinting, may also apply if the request for access relates to services we offer to customers with specialized requirements, (for example, the U.S. federal government).
To protect the privacy of its employees, Microsoft does not share the results of background checks with customers.
Additional resources
§ Office 365 Security (white paper ) [English]