Technical reference details about encryption in Office 365

Refer to this article to learn about certificates, technologies, and TLS cipher suites used for encryption in Office 365.

Microsoft Office 365 certificate ownership and management

You do not need to purchase or maintain certificates for Office 365 because Microsoft uses its own certificates.

Versions of TLS supported by Office 365

Transport Layer Security (TLS), and SSL that came before TLS, are cryptographic protocols that secure communication over a network by using security certificates to encrypt a connection between computers. Office 365 supports several versions of TLS, including:

  • TLS version 1.2 (TLS 1.2)

  • TLS version 1.1 (TLS 1.1)

  • TLS version 1.0 (TLS 1.0)

Deprecating SHA-1 certificate support in Office 365

Important changes are coming to supported encryption options for Office 365. As of June 2016, Office 365 will no longer accept a SHA-1 certificate for outbound or inbound connections. If you are currently using a certificate with SHA-1 in the certificate chain, you will need to update the chain to use SHA-2 (Secure Hash Algorithm 2) or a stronger hashing algorithm.

Deprecating RC4 support in Office 365

In July 2015, support for the following RC4 cipher suites was discontinued:

  • TLS_RSA_WITH_RC4_128_SHA

  • TLS_RSA_WITH_RC4_128_MD5

Deprecating Secure Sockets Layer (SSL) 3.0 support in Office 365 and what this means for you

Starting December 1, 2014, Office 365 began disabling support for Secure Sockets Layer (SSL) 3.0, the predecessor to TLS. For more information, see Security advisory 3009008. For instructions on how to ensure clients are using TLS 1.0 or higher and to disable SSL 3.0, see Protecting SSL 3.0 vulnerability.

TLS Cipher suites supported by Office 365

A cipher suite is a collection of encryption algorithms that TLS uses to establish secure connections. Cipher suites supported by Office 365 are listed in the following table in order of strength, with the strongest cipher suite listed first. When Office 365 receives a connection request, it first attempts to connect using the topmost cipher suite; if that is unsuccessful, it tries the second cipher suite in the list, and so on down the list. When Office 365 sends a connection request to another server or to a client, it's up to the receiving server or client to choose the cipher suite, or whether TLS will be used at all.

| Protocols | Cipher suite name | Key exchange algorithm/Strength | Perfect Forward Secrecy support | Authentication algorithm/Strength | Cipher/Strength |
|---|---|---|---|---|---|
| TLS 1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 | ECDH/192 | Yes | RSA/112 | AES/256 |
| TLS 1.2 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 | ECDH/128 | Yes | RSA/112 | AES/128 |
| TLS 1.0, 1.1, 1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 | ECDH/192 | Yes | RSA/112 | AES/256 |
| TLS 1.0, 1.1, 1.2 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 | ECDH/128 | Yes | RSA/112 | AES/128 |
| TLS 1.2 | TLS_RSA_WITH_AES_256_CBC_SHA256 | RSA/112 | No | RSA/112 | AES/256 |
| TLS 1.2 | TLS_RSA_WITH_AES_128_CBC_SHA256 | RSA/112 | No | RSA/112 | AES/128 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_AES_256_CBC_SHA | RSA/112 | No | RSA/112 | AES/256 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_AES_128_CBC_SHA | RSA/112 | No | RSA/112 | AES/128 |
| TLS 1.0, 1.1, 1.2 | TLS_RSA_WITH_3DES_EDE_CBC_SHA | RSA/112 | No | RSA/112 | 3DES/192 |
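
The selection order described in this section can be modelled to audit a client profile before it connects. The following is an added example, not Microsoft code: the function names `select_suite` and `audit_client` are hypothetical, the client profiles are constructed, and it assumes the client advertises suites under the same names as the table and that `version` is the protocol version already agreed for the connection.

```python
# Added example (not Microsoft code). Order, versions and PFS flags come from the table above.
ALL = {"1.0", "1.1", "1.2"}
SERVER_PREFERENCE = [  # (suite name, protocol versions, perfect forward secrecy)
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384", {"1.2"}, True),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256", {"1.2"}, True),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384", ALL, True),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256", ALL, True),
    ("TLS_RSA_WITH_AES_256_CBC_SHA256", {"1.2"}, False),
    ("TLS_RSA_WITH_AES_128_CBC_SHA256", {"1.2"}, False),
    ("TLS_RSA_WITH_AES_256_CBC_SHA", ALL, False),
    ("TLS_RSA_WITH_AES_128_CBC_SHA", ALL, False),
    ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", ALL, False),
]
# RC4 suites the page lists as discontinued in July 2015.
DISCONTINUED_RC4 = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"}


def select_suite(version, client_suites):
    """First suite in server order that the client offers and the version allows."""
    offered = set(client_suites)
    for name, versions, pfs in SERVER_PREFERENCE:
        if version in versions and name in offered:
            return name, pfs
    return None


def audit_client(version, client_suites):
    """Report the suite a client profile would get, plus findings to fix."""
    findings = []
    rc4 = sorted(DISCONTINUED_RC4.intersection(client_suites))
    if rc4:
        findings.append("offers discontinued RC4: " + ", ".join(rc4))
    chosen = select_suite(version, client_suites)
    if chosen is None:
        findings.append("no suite in common; handshake would fail")
    elif not chosen[1]:
        findings.append("negotiated suite has no perfect forward secrecy")
    return {"suite": chosen[0] if chosen else None, "findings": findings}


if __name__ == "__main__":
    # Constructed client profiles (assumed to use the same suite names as the table).
    legacy = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    tls10_ecdhe = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384",
                   "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256"]
    print(audit_client("1.0", legacy))
    print(audit_client("1.0", tls10_ecdhe))
    print(audit_client("1.2", ["TLS_RSA_WITH_RC4_128_MD5"]))
```

A profile that lands on a `TLS_RSA_*` suite is a candidate for enabling the ECDHE suites on the client, since the server will prefer them whenever they are offered.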

Related topics

Encryption in Office 365
Set up encryption in Office 365 Enterprise
Schannel implementation of TLS 1.0 in Windows security status update: November 24, 2015
TLS/SSL Cryptographic Enhancements (Windows IT Center)
