Plan for Office 365 security and information protection capabilities

Microsoft Office 365 includes many security and information protection capabilities. Microsoft Enterprise Mobility + Security (EMS) includes additional capabilities for protecting data, identities, and devices with Office 365. EMS includes Microsoft Intune and Azure Active Directory Premium. It can be challenging for large organizations to determine which capabilities to implement and in what order. This article provides help.

Keeping track of the many capabilities

You can see all of the capabilities organized on this poster: Information Protection for Office 365.

Information Protection Capabilities for Office 365

PDF | Visio | More languages

This poster organizes the capabilities by our protection scenarios:

  • Simplify and protect access

  • Allow collaboration and prevent leaks

  • Stop external threats

  • Stay compliant

  • Secure administrative access

The capabilities are ordered from left-to-right starting with capabilities we recommend you implement listed first.

Deciding which capabilities to use

Our cybersecurity consulting team recommends taking a methodical approach to planning and implementing security and information protection features. If you don’t already have an established approach, here is a recommended starting point.

Step 1: Set information protection standards

First, agree on a set of standards that can be applied across your organization. Here is an example of what this can look like.


Establish information protection priorities

The first step of protecting information is identifying what to protect. Develop clear, simple, and well-communicated guidelines to identify, protect, and monitor the most important data assets anywhere they reside.


Set organization minimum standards

Establish minimum standards for devices and accounts accessing any data assets belonging to the organization. This can include device configuration compliance, device wipe, enterprise data protection capabilities, user authentication strength, and user identity.


Find and protect sensitive data

Identify and classify sensitive assets. Define the technologies and processes to automatically apply security controls.


Protect high value assets (HVAs)

Establish the strongest protection for assets that have a disproportionate impact on the organizations mission or profitability. Perform stringent analysis of HVA lifecycle and security dependencies, establish appropriate security controls and conditions.

Step 2: Classify data by sensitivity level

Three levels is a good starting point if your organization doesn’t already have defined standards.

Step 3: Map service capabilities to data sensitivity levels

Some information protection capabilities apply broadly and can be used to set a higher minimum standard for protecting all data. Other capabilities can be targeted to specific data sets for protecting sensitive data and HVAs.

This table includes an example of how capabilities can be mapped to data sensitivity levels. There are two examples for level 1 because the default service will meet this need for some organizations while others require greater protection.





Data is encrypted and available only to authenticated users

This level of protection is provided by default for data stored in Office 365 services. Data is encrypted while it resides in the service and in transit between the service and client devices. For some organizations, this level of protection meets the minimum standard.

Additional data and identity protection applied broadly

Capabilities such as multi-factor authentication (MFA), mobile device management, and Exchange Online Advanced Threat Protection increase protection and substantially raise the minimum standard for protecting devices, accounts, and data. Many organizations will require one or more of these features to meet a minimum standard.


Sophisticated protection applied to specific data sets

Capabilities such as Azure Rights Management (RMS) and Data Loss Protection (DLP) across Office 365 can be used to enforce permissions and other policies that protect sensitive data.


Strongest protection and separation

You can achieve the highest levels of protection with capabilities such as Customer Lockbox for Office 365, eDiscovery features in Office 365, and SQL Server Always Encrypted for partner solutions that interact with Office 365. Use auditing features to ensure compliance to policies and prescribed configurations. Not all organizations require the highest level of protection.

Protecting data on devices

Many organizations start by implementing controls to protect data on devices. Office 365 includes some built-in capabilities. Intune and Azure Active Directory Premium include additional configurable capabilities for implementing conditional access and other access controls. This table summarizes the capabilities.

Office 365


Azure Active Directory

BYOD (not enrolled)

Basic multi-factor authentication capabilities for Office 365.

Enforce PIN and encryption requirements, as well as other policy settings, for applications accessing Office 365.

Restrict actions like copy, cut, paste, and save as, to only apps managed by Intune. Enable secure web browsing using the Intune Managed Browser App.

Create access policies that evaluate the context of a user's login to make real-time decisions about which applications they should be allowed to access.

For example, you can require multi-factor authentication per application or only when users are not at work. Or you can block access to specific applications when users are not at work.

Enrolled devices

Access control for Office 365 email and documents.

Only mobile devices that are enrolled in MDM for Office 365 can access Exchange Online and SharePoint Online.

Configurable conditional access policies for Office 365 apply to SharePoint Online, OneDrive for Business, and Skype for Business.

Configure secure access with certificates, Wi-Fi, VPN and email profiles.

Keep managed computers secure by ensuring the latest patches and software updates are quickly installed.

Same as above (enrollment not required).

For more information, see Controlling Access to Office 365 and Protecting Content on Devices.

Try out information protection capabilities in a test lab environment

You can use Office 365 Test Lab Guides (TLGs) to create an Office 365 dev/test environment. TLGs help you quickly learn about Microsoft products. They’re great for situations where you need to evaluate a capability before you decide whether it’s right for you or before you roll it out to users. TLGs also allow you to create representative environments for development and testing of applications, also known as dev/test environments.

Come back to the Office 365 Test Lab Guides page often for updates and new TLGs that incorporate security capabilities across Microsoft’s cloud.

Taking a systematic approach to security across Microsoft’s cloud

The recommendations for Office 365 fit into a larger systematic approach for securing data, identities, and devices. The Microsoft Cloud Security for Enterprise Architects mini-poster set maps the areas of security ownership for both Microsoft and our customers. It covers all categories of cloud services: SaaS, PaaS, IaaS, and private cloud.

Thumb image for Microsoft cloud security model

PDF | Visio | More languages

Get more in-depth resources that describe identity, security, storage, networking, and hybrid for the IT industry's most comprehensive cloud solution at

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.