How OneDrive safeguards your data in the cloud


You control your data. When you put your data in OneDrive, you remain the owner of the data. For more info about the ownership of your data, see Office 365 Privacy by Design.

How you can safeguard your data

Here are some things you can do to help protect your files in OneDrive:

  • Create a strong password. Check the strength of your password.

  • Add security info to your Microsoft account. You can add info like your phone number, an alternate email address, and a security question and answer. That way, if you ever forget your password or your account gets hacked, we can use your security info to verify your identity and help you get back into your account. Go to the Security info page.

  • Use two-step verification. This helps protect your account by requiring an extra security code whenever you sign in on a device that isn't trusted. The code can be delivered by phone call, text message, or an authenticator app. For more info, see How to use two-step verification with your Microsoft account.

  • Subscribe to Office 365. An Office 365 subscription gives you advanced protection from viruses and cybercrime, and ways to recover your files from malicious attacks.

How we treat your data

Microsoft engineers administer OneDrive using a Windows PowerShell console that requires two-factor authentication. We perform day-to-day tasks by running workflows so we can rapidly respond to new situations.

No engineer has standing access to the service. When engineers need access, they must request it. Eligibility is checked, and if engineer access is approved, it's only for a limited time.

Protected in transit and at rest

Protected in transit

When data transits into the service from clients, and between datacenters, it's protected using transport layer security (TLS) encryption. We only permit secure access: authenticated connections are not accepted over HTTP, but are redirected to HTTPS.
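The two halves of that policy, the server side that never serves content over plaintext and the client side that never lets a redirect take it back to plaintext, as an added example (not code from this page or from OneDrive). It assumes nothing about OneDrive's endpoints: the servers are constructed httptest listeners on localhost so it runs offline, and the HTTPS host name is whatever that listener reports.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// RedirectToHTTPS is the handler for the plaintext listener. It serves no content:
// every request is bounced to the same path and query on the HTTPS host with a
// permanent redirect, and the HSTS header tells browsers not to try HTTP again.
func RedirectToHTTPS(httpsHost string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := url.URL{Scheme: "https", Host: httpsHost, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		http.Redirect(w, r, target.String(), http.StatusMovedPermanently)
	})
}

// UpgradeOnlyRedirect is an http.Client CheckRedirect policy: following http -> https
// is fine, but a hop that sends an https client back to plaintext is refused. Without
// it a client carrying a bearer token would resend that token in the clear.
func UpgradeOnlyRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	if via[0].URL.Scheme == "https" && req.URL.Scheme != "https" {
		return fmt.Errorf("refusing downgrade redirect to %s", req.URL)
	}
	return nil
}

// NewStrictClient returns a client that negotiates TLS 1.2 or newer and applies
// UpgradeOnlyRedirect. rootCAs nil means the system trust store; the demo passes the
// self-signed certificate of the constructed httptest server instead.
func NewStrictClient(rootCAs *x509.CertPool) *http.Client {
	return &http.Client{
		Transport:     &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: rootCAs}},
		CheckRedirect: UpgradeOnlyRedirect,
	}
}

// PoolFor builds a trust pool holding one httptest server's certificate.
func PoolFor(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

func main() {
	// Constructed offline demo: a TLS endpoint that serves content and a plaintext
	// endpoint that only redirects to it.
	secure := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served %s, tls=%t", r.URL.RequestURI(), r.TLS != nil)
	}))
	defer secure.Close()
	plain := httptest.NewServer(RedirectToHTTPS(secure.Listener.Addr().String()))
	defer plain.Close()

	client := NewStrictClient(PoolFor(secure))
	resp, err := client.Get(plain.URL + "/doc?id=1") // starts on http, ends on https
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	fmt.Println(resp.Status, "final URL:", resp.Request.URL)
}
```

The caveat the redirect does not remove: a client that already sent a token or cookie in its first plaintext request has leaked it before the 301 arrives. The redirect fixes the client's next request, not that one; refusing authenticated HTTP connections and sending HSTS are what keep credentials off the wire in the first place.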

Protected at rest

Physical protection: Only a limited number of essential personnel can gain access to datacenters. Their identities are verified with multiple factors of authentication including smart cards and biometrics. There are on-premises security officers, motion sensors, and video surveillance. Intrusion detection alerts monitor anomalous activity.

Network protection: The networks and identities are isolated from the Microsoft corporate network. Firewalls limit traffic into the environment from unauthorized locations.

Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The Microsoft Security Response Center helps triage incoming vulnerability reports and evaluate mitigations. Through the Microsoft Cloud Bug Bounty Terms, people across the world can earn money by reporting vulnerabilities.

Content protection: Each file is encrypted at rest with its own AES-256 key. Those per-file keys are in turn encrypted with a set of master keys that are stored in Azure Key Vault.
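That two-tier scheme (a per-file data encryption key wrapped by a master key) is envelope encryption, and the reason for it is easiest to see in code: rotating the master key touches only the small wrapped key, never the file content. The following is an added example, not code from this page or from OneDrive. It assumes a local map as a stand-in for Azure Key Vault (the real vault never releases the master key and does the wrap itself) and uses AES-256-GCM for both layers; the master-key names and the sample content are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Vault stands in for Azure Key Vault: master-key name -> raw 32-byte key. In the real
// service the master key never leaves the vault; the local map is an offline stand-in.
type Vault map[string][]byte

// EncryptedFile is the stored record for one file.
type EncryptedFile struct {
	MasterKeyID string // master key that currently wraps the DEK
	WrapNonce   []byte
	WrappedDEK  []byte // AES-256-GCM(masterKey, DEK) with MasterKeyID as associated data
	Nonce       []byte
	Ciphertext  []byte // AES-256-GCM(DEK, content); untouched by master-key rotation
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must never be papered over with a weaker source
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // wrong key length is a configuration bug, not a runtime condition
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal: authenticated encryption with a fresh random 96-bit nonce per call.
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	aead := mustGCM(key)
	nonce = randomBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad)
}

// EncryptFile draws a fresh DEK for this one file, encrypts the content with it and
// wraps the DEK under the named master key; the plaintext DEK is not stored anywhere.
func EncryptFile(v Vault, masterID string, content []byte) (*EncryptedFile, error) {
	mk, ok := v[masterID]
	if !ok {
		return nil, fmt.Errorf("unknown master key %q", masterID)
	}
	dek := randomBytes(32)
	nonce, ct := seal(dek, content, nil)
	wn, wdek := seal(mk, dek, []byte(masterID))
	return &EncryptedFile{masterID, wn, wdek, nonce, ct}, nil
}

// DecryptFile unwraps the DEK with the master key the record names, then opens the
// content. Tampered ciphertext, a swapped wrapped key or the wrong master key all fail
// the GCM tag check rather than yielding garbage.
func DecryptFile(v Vault, f *EncryptedFile) ([]byte, error) {
	mk, ok := v[f.MasterKeyID]
	if !ok {
		return nil, fmt.Errorf("master key %q not available", f.MasterKeyID)
	}
	dek, err := mustGCM(mk).Open(nil, f.WrapNonce, f.WrappedDEK, []byte(f.MasterKeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return mustGCM(dek).Open(nil, f.Nonce, f.Ciphertext, nil)
}

// RotateMasterKey re-wraps the DEK under a new master key. Only the small wrapped key
// changes; the content is neither decrypted nor rewritten, which is what keeps
// master-key rotation cheap across a very large number of files.
func RotateMasterKey(v Vault, f *EncryptedFile, newMasterID string) error {
	oldMK, okOld := v[f.MasterKeyID]
	newMK, okNew := v[newMasterID]
	if !okOld || !okNew {
		return fmt.Errorf("vault must hold both %q and %q", f.MasterKeyID, newMasterID)
	}
	dek, err := mustGCM(oldMK).Open(nil, f.WrapNonce, f.WrappedDEK, []byte(f.MasterKeyID))
	if err != nil {
		return err
	}
	f.WrapNonce, f.WrappedDEK = seal(newMK, dek, []byte(newMasterID))
	f.MasterKeyID = newMasterID
	return nil
}

func main() {
	vault := Vault{"mk-2023": randomBytes(32), "mk-2024": randomBytes(32)}
	rec, _ := EncryptFile(vault, "mk-2023", []byte("constructed sample file contents"))
	_ = RotateMasterKey(vault, rec, "mk-2024")
	delete(vault, "mk-2023") // retire the old master key; the file stays readable
	pt, err := DecryptFile(vault, rec)
	fmt.Printf("%q %v\n", pt, err)
}
```

Binding the master-key name into the wrap as associated data means a wrapped key cannot be silently re-attributed to a different master key, and a compromise of one DEK exposes one file rather than the whole store.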

The Windows Defender anti-malware engine scans documents at download time for content matching an AV signature (updated hourly).

Highly available, always recoverable

Our datacenters are geo-distributed within the region and fault tolerant. Data is mirrored into at least two different Azure regions, which are at least several hundred miles away from each other, allowing us to mitigate the impact of a natural disaster or loss within a region.

In the case of a ransomware attack, you can restore deleted files from the OneDrive recycle bin or restore a previous version of a file in OneDrive. As a premium user, you can also restore your entire OneDrive to any point within the past 30 days.

Continuously validated

We constantly monitor our datacenters to keep them healthy and secure. This starts with inventory. An inventory agent performs a state capture of each machine.

After we have an inventory, we can monitor and remediate the health of machines. Continuous deployment ensures that each machine receives patches, updated anti-virus signatures, and a known-good configuration. Deployment logic ensures that we only patch or rotate out a certain percentage of machines at a time, so a bad update can't take the whole fleet down at once.

The Office 365 "Red Team" within Microsoft is made up of intrusion specialists. They look for any opportunity to gain unauthorized access. The "Blue Team" is made up of defense engineers who focus on prevention, detection, and recovery. They build intrusion detection and response technologies. To keep up with the learnings of the security teams at Microsoft, see Security Office 365 (blog).
