Office 365 security review

Created:  11 Jun 2018
Updated:  11 Jun 2018
Office 365
A security review of Microsoft Office 365 productivity tools, based on the NCSC's SaaS security principles.

Microsoft Office 365 is a set of cloud-based productivity tools including word processing, spreadsheets and calendars. 


How Office 365 performs against the SaaS Principles




Does the SaaS provider protect external data in transit using TLS?


According to Microsoft's Trust Centre documentation, Office 365 uses TLS. Although the version isn't explicitly stated, hands-on testing suggests that it is TLS 1.2.

Does the SaaS provider protect external data in transit using correctly configured certificates?


Office 365 meets the recommended cryptographic profiles for TLS as published by the NCSC. In addition, the Office domain currently gets an 'A' rating from Qualys SSL Labs. Note that this test was performed on the top-level domain, and not on all the subdomains that may be used for API calls.
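The rating above covers only the top-level domain, so the same handshake check is worth repeating for each hostname your own clients and API integrations use. The following Python script is an added example, not part of the original review and not Microsoft or NCSC tooling: it verifies the certificate chain and hostname, refuses anything older than TLS 1.2, and reports certificates close to expiry. The 30-day threshold and the function names are assumptions, and hostnames are supplied on the command line.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

MIN_DAYS_LEFT = 30  # assumed renewal-warning threshold, not taken from the review


def assess(version, not_after, now):
    """Return findings for one endpoint's negotiated TLS version and cert expiry."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {version}, expected TLS 1.2 or later")
    # notAfter uses the OpenSSL text form, e.g. "Jun 11 00:00:00 2019 GMT"
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days
    if days_left < MIN_DAYS_LEFT:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with chain and hostname verification; return a list of findings."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # handshake fails on older versions
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return assess(tls.version(), cert["notAfter"], datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate verification failed: {exc.verify_message}"]
    except (ssl.SSLError, OSError) as exc:
        return [f"handshake failed: {exc}"]


if __name__ == "__main__":
    # Pass every hostname the tenant actually uses, one per argument.
    for host in sys.argv[1:]:
        findings = probe(host)
        print(host, "OK" if not findings else "; ".join(findings))
```

This checks protocol version and certificate validity only; it does not grade cipher suites against the NCSC profiles.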

Does the SaaS provider protect internal data in transit between services using encryption?


According to their Trust Centre documentation, Microsoft encrypts all traffic in transit within their network using TLS and IPSec.

Does the SaaS provider protect internal data in transit between services using correctly configured certificates? 


According to their Azure encryption overview, Microsoft uses TLS to protect all traffic in transit between services.

If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method?


All API requests must be authorised by the user and use OAuth.

If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low privilege users to be created?


Users can have one of several roles with varying levels of permissions. Microsoft provides a set of prebuilt admin roles. This is described in the Office 365 documentation.

If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high privileged accounts?


Office 365 currently provides multi-factor authentication via SMS or the Microsoft Authenticator app. This can be enforced by administrators for users within their domain. Office 365 also integrates with Single Sign On (SSO) options, each of which may provide 2FA options.

Does the SaaS provider collect logs of events?

Types of log may include security logs and resource logs


As stated below, Microsoft stores a variety of logs, and these are made available to a domain administrator. The extent of internal logging is unknown.

Does the provider make logs available to the client?


Microsoft makes a variety of logs available to administrators. These are all collated into an "audit log", which covers areas such as logins and administrator actions on various individual parts of Office 365.

Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or libraries that the service makes use of?

The provider’s previous track record on this is a good metric to see how they’ll cope with a new issue occurring.



Microsoft has a dedicated security team. They also have a public bug bounty program.

Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions)?


Yes. Microsoft publishes details of their security architecture in their white paper and within the FAQs and TechNet articles on their site.


Exporting data

For information on exporting data from Office 365, refer to the Office 365 Trust Center.
