How Exchange Online secures your email secrets

This article describes how Microsoft protects the secrets you give to Exchange Online (for example, the credentials of connected mail accounts) while they are stored in its data centers.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

How we secure secret information provided by you

The Office 365 Trust Center documents the security, privacy, and compliance controls that apply to Office 365. Inside the service itself, the secrets you provide are protected with a technology called Distributed Key Manager (DKM).

Distributed Key Manager (DKM) is a client-side technology that encrypts and decrypts information with a set of secret keys. Those keys are stored in Active Directory Domain Services, and only members of a specific security group can read them and therefore decrypt data that DKM has encrypted. In Exchange Online, the only members of that group are the service accounts under which the Exchange processes run. No human is issued credentials for an account in this group, so no human holds the keys that can decrypt these secrets.

For debugging, troubleshooting, or auditing, a data center administrator must request elevated access to obtain temporary credentials that belong to the security group. The request passes through multiple levels of legal approval. If it is granted, every action taken with the credentials is logged and audited, and the access lasts only for a fixed interval, after which it expires automatically.

For extra protection, DKM includes automated key rollover and key archiving. Rollover means that newly encrypted data is protected with a fresh key rather than with the same key indefinitely; archiving means that the earlier keys are retained, so content that was encrypted under them can still be decrypted. Together they let you keep accessing older content without tying its protection to a single long-lived key.
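The key-ring behaviour described above, as an added example that is not Microsoft's DKM code: a versioned key set in which only a configured set of service principals (standing in for the AD DS security group) can use the keys, rollover mints a new current key, and archived versions stay on the ring so older ciphertext remains readable until a key is deliberately retired. The stdlib HMAC-SHA256 counter-mode cipher, the `DKM1` blob layout, the `svc-exchange-transport` principal and the sample credential string are all constructions for this example, not the real DKM format or data.

```python
import hashlib
import hmac
import os
import struct

HEADER = struct.Struct(">4sI")  # magic tag, key version (format invented for this example)
MAGIC = b"DKM1"
NONCE_LEN = 16
TAG_LEN = 32


def _derive(key: bytes, label: bytes) -> bytes:
    # Split one stored key into independent encryption and MAC subkeys.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stream cipher: a stdlib-only stand-in for
    # AES-CTR/AES-GCM so the example runs anywhere. Production code would use a vetted AEAD.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + struct.pack(">Q", offset // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyRing:
    """One current key for encryption; every earlier version stays archived for decryption."""

    def __init__(self, authorized_principals):
        self._keys = {}                                   # key_id -> 32-byte key material
        self._current = 0
        self._authorized = set(authorized_principals)     # stands in for the AD DS security group
        self.rollover()

    def _check(self, principal: str) -> None:
        if principal not in self._authorized:
            raise PermissionError(f"{principal} is not a member of the key-access group")

    def rollover(self) -> int:
        # Automated rollover: mint a new key version; older versions remain archived.
        self._current += 1
        self._keys[self._current] = os.urandom(32)
        return self._current

    def retire(self, key_id: int) -> None:
        # Destroying an archived key makes everything encrypted under it unrecoverable.
        del self._keys[key_id]

    def encrypt(self, principal: str, plaintext: bytes) -> bytes:
        self._check(principal)
        key_id = self._current
        key = self._keys[key_id]
        nonce = os.urandom(NONCE_LEN)
        header = HEADER.pack(MAGIC, key_id)               # key version travels with the blob
        ct = _keystream_xor(_derive(key, b"enc"), nonce, plaintext)
        tag = hmac.new(_derive(key, b"mac"), header + nonce + ct, hashlib.sha256).digest()
        return header + nonce + ct + tag

    def decrypt(self, principal: str, blob: bytes) -> bytes:
        self._check(principal)
        if len(blob) < HEADER.size + NONCE_LEN + TAG_LEN:
            raise ValueError("blob too short")
        header = blob[:HEADER.size]
        magic, key_id = HEADER.unpack(header)
        if magic != MAGIC:
            raise ValueError("unknown blob format")
        key = self._keys.get(key_id)
        if key is None:
            raise KeyError(f"key version {key_id} is not on the ring (retired or never issued)")
        nonce = blob[HEADER.size:HEADER.size + NONCE_LEN]
        ct, tag = blob[HEADER.size + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(_derive(key, b"mac"), header + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):        # authenticate before decrypting
            raise ValueError("authentication failed: blob altered or wrong key")
        return _keystream_xor(_derive(key, b"enc"), nonce, ct)


def demo() -> dict:
    """Walk through rollover, archiving, group gating, tamper detection and key retirement."""
    svc = "svc-exchange-transport"
    ring = KeyRing(authorized_principals={svc})
    secret = b"imap.example.net / alice / app-password-01"  # constructed sample credential
    old_blob = ring.encrypt(svc, secret)
    ring.rollover()
    new_blob = ring.encrypt(svc, secret)
    results = {
        "old_key_id": HEADER.unpack(old_blob[:HEADER.size])[1],
        "new_key_id": HEADER.unpack(new_blob[:HEADER.size])[1],
        "old_still_readable": ring.decrypt(svc, old_blob) == secret,
    }
    try:
        ring.decrypt("human-admin", old_blob)
        results["human_denied"] = False
    except PermissionError:
        results["human_denied"] = True
    tampered = bytearray(new_blob)
    tampered[HEADER.size + NONCE_LEN] ^= 0x01                # flip one ciphertext bit
    try:
        ring.decrypt(svc, bytes(tampered))
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    ring.retire(1)                                           # drop the archived key on purpose
    try:
        ring.decrypt(svc, old_blob)
        results["readable_after_retire"] = True
    except KeyError:
        results["readable_after_retire"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is the last step: rollover alone is safe only because the archive keeps version 1 available; as soon as that version is retired, every blob that names it becomes undecryptable, which is exactly the situation archiving exists to prevent.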

Where Exchange Online uses DKM

Microsoft uses Distributed Key Manager to encrypt your secrets in Exchange Online data centers. For example:

  • Email account credentials for connected accounts. Connected accounts are third-party accounts such as Hotmail, Gmail, and Yahoo! mail accounts.

  • Customer Key. If you use Customer Key, the root keys you supply are safeguarded in Azure Key Vault rather than held by the service.

  • Encryption in Office 365

  • Technical reference details about encryption

  • Service assurance in the Microsoft Purview compliance portal