The E5 edition also offers a service called Customer Key, which allows organizations to use their own encryption keys to protect stored data. Administrators can selectively delete keys, making any associated data unreadable to the service.

While most of these tools apply to how administrators manage the service, one thing journalists may appreciate for day-to-day work is Office 365 Message Encryption, available to E3 and E5 users. This feature allows users to selectively send a secure email, so that only the recipient can read it. Even Microsoft can’t read these encrypted emails.

It’s possible to host some Microsoft services on-premises, meaning that your organization can manage the physical server yourselves. When you own the server, you are responsible for its security and safety, which may introduce new risks. On-premises Microsoft servers are also designed to tightly integrate with Microsoft’s remote services, so storing the server in your building doesn’t necessarily mean your data is private. But this does introduce some opportunities to control where your organization physically stores your data.

Microsoft also provides a way to selectively withhold sensitive on-premises data from its cloud, called Hold Your Own Key (HYOK). What does this mean? If your organization’s administrator thinks something in your Office 365 emails, documents, files, or websites should not be exposed to Microsoft, they can apply a policy that protects it with a key your organization holds. This is not something an ordinary journalist would set up for their own documents; it is controlled by your administrator. Because documents protected by HYOK are encrypted, however, they will not be easily searchable through the cloud like ordinary documents within your Office 365 domain.

Physical protections

Microsoft’s data centers are pretty locked down.

Microsoft says that it provides several protections at its data centers. Employees must request permission to enter the data center with an appropriate business justification, present the appropriate keycard, and pass biometric authentication with a handprint. Employees will only have access to the relevant part of the data center. Closed-circuit television cameras inside and outside the data centers record at all hours. The company logs and audits who comes in and out. Likewise, its servers monitor for unexpected changes in their software.

While we know a lot about the data centers themselves, we don’t have quite as much information about how these rules work in practice. We don’t know how many people at Microsoft have access to user data, what kind of data, and under what circumstances. When Microsoft is compelled to share user data for a legal request, how many people have access in practice? We don’t know.

What we can say is that Microsoft has said in their security documentation that they constrain access to “essential personnel,” log employee access to user data, and conduct both internal and external audits on employee access.

What can government agencies see?

In the United States, government agencies can compel U.S. communications providers, including Microsoft, to disclose information about their users.

The most common type of request, a subpoena, may yield valuable data about the user’s account. This includes the IP address and connection history, which can be used for a rough estimation of the user’s location and patterns of movement. Microsoft calls this “non-content” data.

The content of a user’s account (e.g., the words in an email, or a document in Microsoft’s cloud) generally requires a warrant.

According to Microsoft's law enforcement requests report, in the first half of 2019, the company received 4,860 U.S. requests for 14,273 accounts, complying with roughly 87% of those requests. However, the number associated with Enterprise cloud customers is much lower.

“In the first half of 2019, Microsoft received 74 requests from law enforcement around the world for accounts associated with enterprise cloud customers. In 32 cases, these requests were rejected, withdrawn, no data, or law enforcement was successfully redirected to the customer. In 42 cases, Microsoft was compelled to provide responsive information: 22 of these cases required the disclosure of some customer content and in 20 of the cases we were compelled to disclose non-content information only. Of the 22 instances that required disclosure of content data, 15 of those requests were associated with U.S. law enforcement.”

When it comes to Office 365 data, the company says it “redirects government requests for your data to be made directly to you unless legally prohibited and has challenged government attempts to prohibit disclosure of such requests in court.” (Indeed, they have.)

Microsoft says that courts generally do redirect such requests to enterprise customers. What does this mean?

When Microsoft receives a request for your organization’s user data they will probably redirect the request to your organization, so at least you’ll know about it. But in an unlucky minority of cases, your organization may never be informed if they are the subject of such requests.

While there’s no shortage of cases where Microsoft has been compelled to share user data with U.S. agencies, we have not yet seen a publicly disclosed case where a media organization’s user data has specifically been requested by, or granted to, the U.S. government. Time will tell!

What can your employer see?

It’s safe to assume your administrator can see nearly anything you do in Office 365. Global administrators — basically, whoever set up your Office 365 domain — can see most activity within your Microsoft services. They can also selectively share this access, giving other users administrative powers as well.

Office 365 offers several versions for both Business and Enterprise — you can see all of the differences here and here [1]. In both, Microsoft offers a few tiers of service, each with additional services and tools for analyzing an organization’s user data. Generally, the Enterprise editions offer customers the greatest visibility into users’ data. The highest Enterprise tier, which Microsoft calls E5, offers analytical tools and the greatest visibility into Office 365 users’ activities, followed by the E3 edition.

Office 365 versions E3 and E5 both offer audit logs, allowing administrators to monitor activities within their organization for the previous 90 days. These are records for virtually all activities in an Office 365 domain — for example, when someone logs in, opens or modifies a document, or reads an email.

Administrators can monitor user activity in OneDrive (where documents and files are stored), Outlook, SharePoint, Active Directory, and several other services. Logs may include other forms of metadata, including users’ IP addresses. Administrators can also obtain push notifications for targeted activity.

This visibility may help organizations monitor for behavior they believe is suspicious.
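As an added example (not code from the original article, and not a Microsoft tool), here is a short Python script showing what an administrator or security team can do with the audit logs described above: it parses a handful of constructed audit records, written in the shape of the Office 365 Management Activity API schema (fields such as CreationTime, Operation, UserId, Workload and ClientIP), summarizes each user’s activity, and flags operations that came from IP addresses the organization does not recognize. The sample records, the example.org accounts and the KNOWN_IPS list are assumptions made for the illustration.

```python
"""Summarize constructed Office 365 unified audit log records.

The field names (CreationTime, Operation, UserId, Workload, ClientIP,
ResultStatus, ObjectId) follow the Office 365 Management Activity API
schema; the records below are constructed for this example.
"""
import json
from collections import defaultdict

# Constructed sample records, one JSON object per line, in the shape an
# administrator gets back in the AuditData column of an audit log search.
SAMPLE_AUDIT_LOG = """\
{"CreationTime": "2019-06-03T08:02:11", "Operation": "UserLoggedIn", "UserId": "reporter@example.org", "Workload": "AzureActiveDirectory", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-06-03T08:05:40", "Operation": "FileAccessed", "UserId": "reporter@example.org", "Workload": "OneDrive", "ClientIP": "203.0.113.10", "ObjectId": "https://example-my.sharepoint.com/personal/reporter/Documents/notes.docx"}
{"CreationTime": "2019-06-03T08:06:02", "Operation": "MailItemsAccessed", "UserId": "reporter@example.org", "Workload": "Exchange", "ClientIP": "203.0.113.10"}
{"CreationTime": "2019-06-03T23:41:19", "Operation": "UserLoggedIn", "UserId": "reporter@example.org", "Workload": "AzureActiveDirectory", "ClientIP": "198.51.100.77", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-06-03T23:42:05", "Operation": "FileDownloaded", "UserId": "reporter@example.org", "Workload": "OneDrive", "ClientIP": "198.51.100.77", "ObjectId": "https://example-my.sharepoint.com/personal/reporter/Documents/sources.xlsx"}
{"CreationTime": "2019-06-03T09:15:30", "Operation": "UserLoggedIn", "UserId": "editor@example.org", "Workload": "AzureActiveDirectory", "ClientIP": "203.0.113.11", "ResultStatus": "Failed"}
"""

# Hypothetical: addresses the organization recognizes (for example its
# office network); anything else is worth a closer look by the admin.
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged export line should not abort the review
    return sorted(records, key=lambda r: r["CreationTime"])


def activity_by_user(records):
    """Count operations per user and collect the client IPs each one used."""
    summary = defaultdict(lambda: {"operations": defaultdict(int), "ips": set()})
    for r in records:
        entry = summary[r["UserId"]]
        entry["operations"][r["Operation"]] += 1
        if r.get("ClientIP"):
            entry["ips"].add(r["ClientIP"])
    return summary


def flag_unknown_ip_activity(records, known_ips=KNOWN_IPS):
    """Return (user, operation, ip, object) for activity from unrecognized IPs."""
    flagged = []
    for r in records:
        ip = r.get("ClientIP")
        if ip and ip not in known_ips:
            flagged.append((r["UserId"], r["Operation"], ip, r.get("ObjectId")))
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT_LOG)
    for user, info in activity_by_user(recs).items():
        print(user, dict(info["operations"]), sorted(info["ips"]))
    for hit in flag_unknown_ip_activity(recs):
        print("review:", hit)
```

With the constructed records, the script reports that the reporter account logged in and downloaded a file from an address outside the known set late in the evening, which is exactly the kind of event an administrator with audit log access can see and choose to investigate; the same records also show the limit of that visibility, since the log records that a file was accessed, not what it contained.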