Is Microsoft 365 Secure For Business?

With an estimated 240 million active users globally, how secure really is Microsoft’s application suite for businesses?

Article thumbnail image

“Dependability, every day of the year.”

This was the justification Microsoft Office Division President at the time Kurt DelBene gave at the announcement of Office 365 in 2010 to explain what “365” meant, and why Microsoft had chosen to add this extension to their product name.

Since then, Microsoft has renamed its subscription service to “Microsoft 365”, and it continues to be one of the most popular workplace application suites used today. But can you depend on Microsoft 365 to keep your organization and your data safe? 

With an estimated 240 million active users and over a million companies using the service worldwide, Microsoft 365 is a market leader in cloud productivity for businesses. And it’s easy to see why. The move to Microsoft 365 from on-premises working provides an array of benefits, including any time remote access, scalability, flexibility, managed updates, and enhanced security. 

But in an ever-evolving and unpredictable world, where security isn’t a want, but a need, how secure actually is Microsoft 365 for businesses? 

Let’s find out.

Is Microsoft 365 Secure?

Overall, yes. Microsoft 365 is a highly secure platform for both individual users and businesses alike—but only if you implement the right security controls on your end.

In fact, Microsoft operates under a “shared responsibility” model. Shared responsibility means that both you and Microsoft are accountable for respective parts of the service—and it’s important to understand where you stand in that agreement.

Security Is A Shared Responsibility

Official documentation highlights which responsibilities fall under Microsoft’s umbrella as the service provider, and which responsibilities are yours:

“Managing security and compliance is a partnership. You are responsible for protecting your data, identities, and devices, while Microsoft vigorously protects Microsoft 365 services.”

Responsibilities can vary depending on the type of deployment. But in all deployments, you are responsible for your data, endpoints, accounts, and access management. This includes backing up data, data retention policies, internal threats, and external threats—such as malware, phishing, and ransomware. 

Microsoft retains responsibility for its physical infrastructure—including hosting, networks, and datacenters—for all cloud-based deployments. This includes ensuring service uptime, data replication, short-term data loss recovery, and infrastructure security.

Anything in-between can vary, and depends on whether the deployment is Software-, Platform-, or Infrastructure-as-a-Service. To find out more, take a look at Microsoft’s documentation on shared responsibility.

As well as this, when it comes to extra security features, while Microsoft does provide the capabilities to further secure your organization against potential threats, it’s your responsibility to use them. They clearly outline this in official documentation:

“Microsoft provides capabilities to help protect your organization, but they are effective only if you use them. If you do not use them, you may be vulnerable to attack.”

Microsoft 365’s Built-In Security Features

Microsoft 365 offers a range of built-in security features that come as part of the service, together with optional customer controls that your admins can adjust and customize to suit business needs. Here are its key features:

Data And Privacy

When it comes to data and privacy, you are the sole owner of your content—Microsoft makes this clear in their Services Agreement:

“We don’t claim ownership of Your Content. Your Content remains Your Content and you are responsible for it.”

This means that while your data is stored in Office 365, you retain all rights to it. But as per their shared responsibility model, you’re responsible for securing your data. 

Microsoft limits its own access to your data to help reduce the risk of insider threats, and also doesn’t mine your data for advertising purposes or share it with their advertiser-supported services. Your data is only used for troubleshooting, improving features, and to create a personalized customer experience.

If you cancel your Microsoft 365 subscription for any reason, your data has a retention policy of 90 days, which provides ample time to create backups and retrieve your data. After 90 days have passed, all data—including cached data and backup copies—will be permanently deleted. 

Microsoft stores your Microsoft 365 data in their geographically distributed and secure datacenters—designed to withstand natural disasters, as well as prevent unauthorized access. To keep these secure, Microsoft doesn’t reveal the exact address of any of the datacenters and restricts physical access 24/7 using a range of robust security features.  

Microsoft also encrypts your data both in transit—between devices and datacenters—and at rest. In transit, Microsoft 365 uses encryption technologies such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec), while using volume-level and file-level encryption for data at rest. 

However, you should note that Microsoft doesn’t provide native backup for Microsoft 365 while your subscription is live. Across the application suite, default settings only protect data for an average of 30–90 days. While Microsoft does replicate your data, this exists purely in the event of a datacenter failure—but it isn’t a backup, and it isn’t your replica. This means that should you be hit by a ransomware attack or experience any unintentional data loss, you won’t be able to retrieve your data unless you’re backing it up yourself, or using a third-party provider. As well as this, you could suffer from issues with regulatory compliance and blind spots in your retention policies. 

Email Security

As well as protecting your data, Microsoft includes various email security tools to help protect your Microsoft 365 suites from cyberattacks and email-related breaches. After all, phishing, for example, is one of the most common ways for a hacker to gain access to an entire Microsoft 365 suite—so if your email isn’t secure, then neither is your organization.

All plans that include an Exchange Online mailbox have Exchange Online Protection (EOP) built-in, which is a cloud-based email filtering service. And EOP comes with various protection, quarantine, mailflow, and monitoring features. These include anti-malware, anti-phishing, anti-spam, mailflow rules, tracing and reporting, message encryption (available as an add on), and more. You can read more about what’s included in Microsoft’s Exchange online protection overview.

Certain Microsoft 365 plans also come with Microsoft Defender, which builds on EOP to provide a further range of other useful tools to keep your Microsoft 365 suite secure. Depending on your subscription type, further capabilities can range from protection against zero-day malware and business email compromise for email and collaboration tools, to post-breach investigation, hunting, and response. 

But you should bear in mind that, standalone, the built-in email security features provided by Microsoft likely won’t cover your organization against all threats you might face, and to the level of protection you might need. 

In fact, organizations using Microsoft 365 are more likely to experience data breaches related to outbound emails. The same report also finds Microsoft’s traditional static Data Loss Prevention (DLP) rules to be inadequate to deal with human error—with an astonishing 100% of IT leaders reporting that they were frustrated by this.

And as well as this, it’s up to you to ensure you’re using any additional security features and have configured them correctly—they aren’t implemented by default.

While Defender integrates easily with Microsoft 365, there are other third-party email security solutions on the market that provide higher levels of protection against more sophisticated threats, like targeted spear phishing attacks. It’s important that you analyze the threats your organization is facing, and choose an email security solution that provides the best protection for your specific use case.


Being a leading cloud services provider, compliance plays a large role in Microsoft’s offering to their customers.

While you should always check industry compliance requirements for your specific business and understand these before entering any agreements, Microsoft ensures they stay up-to-date and compliant with regulations.

Microsoft also complies with both international compliance standards as well as those that are specific to certain industries, and receives regular third-party audits that verify their security controls. 

To name a few, their security and compliance documentation states that they comply with the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act Business Associate Agreement (HIPAA BAA), and more. To learn more, take a look at Microsoft’s compliance offerings. 

Recommendations For Businesses Using Microsoft 365

As well as the built-in security features we’ve highlighted above, there are a range of tools that we recommend you consider implementing to further secure your organization. But we should note, security can, at times, come at the cost of convenience—so it’s important that you assess the needs of your organization, and estimate what the impact on productivity might be. 

To help you strengthen the security of your Microsoft 365 platform, we’ve compiled a list of recommendations that include a mixture of Microsoft features you can leverage, as well as third-party solutions you can invest in. Let’s run through them:

Regularly Back Up Your Data

Going back to the shared responsibility model, it’s up to you to create backups of your data—because, as we’ve covered, Microsoft doesn’t do so on your behalf.

Microsoft actually recommends using third-party apps and services to regularly back up your data in its Services Agreement, and we strongly recommend that you invest in a third-party backup and data recovery solution for effective restoration in the event of data loss.

See our guide to the Top Office 365 Backup And Recovery Solutions for further information. 

Implement Multi-Layered Email Security

When it comes to email security, Microsoft does have some protection in place—but bear in mind, they aren’t a dedicated email security provider.

We recommend implementing multi-layered security using dedicated third-party email security providers so you can make sure you leave no stone unturned with your security defenses.

See our guide to the Top Email Security Solutions For Microsoft 365 to find out more. 

Enable Multi-Factor Authentication (MFA) Across All Accounts

With MFA enabled, users will need to verify their identities using two or more factors of authentication before they’re granted access to their workplace account.

This means that, even if a user’s password is compromised, a hacker wouldn’t be able to breach their account without having access to the second factor of authentication, too. With Microsoft 365, your admins can configure rules that prompt users to set up MFA when logging in. 

Implement A Privileged Access Management (PAM) Solution

Criminals often target administrator accounts during breaches and attacks, as these come with privileges and features that can grant a hacker the ability to do more damage than they could inflict using a typical user account.

We recommend implementing a PAM solution that will monitor and control the activity of privileged users—including access to key systems.

For further information, check our guide to The Top PAM solutions.

Leverage Built-In Email Security Features

Making the most of the email security features included—such as EOP or Defender—requires active involvement from your admins to set up policies. Some of the features you can leverage include safe attachments, anti-phishing policies, and more. 

Check Your Microsoft Secure Score

Your secure score can be viewed via a centralized dashboard within the Microsoft 365 Security Center, and scores based on your overall security posture.

It also provides recommendations for further actions you can take—such as requiring MFA for all administrative roles—and increases your score upon completing these actions. 

Implement Security Awareness Training For All Employees

Technology alone isn’t enough to protect your organization from compromise. It’s crucial for your employees to both understand how to stay safe while using Microsoft 365 and recognize the risks they face daily, as well as instinctively know how to react to threats when faced with them.

Depending on the provider, security awareness training solutions often comprise of engaging training modules, phishing simulations, and user analytics.

See our guide to The Top Security Awareness Training solutions for more on this. 


So, can you depend on Microsoft 365 to keep your organization and data safe? We’d say yes. But it also requires involvement from yourself to act on the parts of the service that are under your responsibility. 

Microsoft will do their part to keep you secure when using Microsoft 365. But it’s down to you to do yours.