Office 365 security and compliance


Applies to: Office 365 Enterprise, Office 365 Midsize Business

Topic Last Modified: 2016-05-04

Microsoft Office 365 is designed to help meet your organization’s needs for content security and data usage compliance with legal, regulatory, and technical standards. Setting up policies and enabling services that optimize these conditions is an important part of administering Office 365. To establish a secure and compliant Office 365 work environment that meets your organization’s requirements, you may want to learn more about the staples of security and compliance described in this topic.

The following table describes the Office 365 features that are available to help you fulfill your organization’s security and compliance needs.


Feature Description

Office 365 Security & Compliance Center

You can use the Office 365 Security & Compliance Center to manage compliance across Office 365, Exchange Online, and SharePoint Online. You can manage archive mailboxes, eDiscovery cases, auditing reports, and retention and deletion policies in Exchange Online and SharePoint Online. You can also assign permissions to compliance managers in your organization so they can access some or all of the compliance features in the Security & Compliance Center.

Office 365 Import Service

Use the Office 365 Import Service to import PST files to Exchange Online mailboxes or import data files to your SharePoint Online organization. For both types of files, you can upload the files over the network or copy them to a hard drive and then ship the drive to a Microsoft datacenter, where the data will be imported to Office 365.

Anti-spam and anti-malware protection in Office 365

Office 365 has built-in malware and spam filtering capabilities that help protect inbound and outbound email messages from malicious software and help protect you from spam. You don’t need to set up or maintain the filtering technologies, which are enabled by default, but you can make company-specific filtering customizations.

Archiving in Office 365

Archiving allows you to manage the information lifecycle in Office 365 by automatically archiving older and infrequently accessed content, and removing older content after it’s no longer required. It includes archive mailboxes, retention policies, document deletion policies, and records management.

Auditing in Office 365

You can use the auditing functionality in Office 365 to track changes made to your Exchange Online configuration by Microsoft and by your organization’s administrators, as well as changes made by users to documents and other items in the site collections of your SharePoint Online organization. After you turn on auditing to capture admin and user actions, you can view audit reports and export the audit logs.

Data loss prevention in Office 365

Data loss prevention (DLP) helps you protect sensitive information and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include financial data or personally identifiable information (PII) such as credit card numbers, social security numbers, or health records. With a data loss prevention (DLP) policy, you can identify, monitor, and automatically protect sensitive information across Office 365.

eDiscovery in Office 365

Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases. You can use eDiscovery in Office 365 to search for content in Exchange Online mailboxes, SharePoint Online sites, or both. Using eDiscovery, you can identify, hold, and export content found in Exchange mailboxes and SharePoint sites.

Encryption in Office 365

Office 365 Message Encryption is an easy-to-use service that lets email users send encrypted messages to people inside or outside their organization.

Hold in Office 365

Hold allows you to preserve or archive content for compliance and eDiscovery. The types of hold include preservation policies in the Office 365 Security & Compliance Center, and In-Place Hold and Litigation Hold in Exchange Online.

Inactive mailboxes in Office 365

An inactive mailbox is used to preserve a former employee's email after he or she leaves your organization. A mailbox becomes inactive when a Litigation Hold or an In-Place Hold is placed on the mailbox before the corresponding Office 365 user account is deleted. The contents of an inactive mailbox are preserved for the duration of the hold that was placed on the mailbox before it was made inactive. Administrators, compliance officers, or records managers can use eDiscovery in Office 365 to access and search the contents of an inactive mailbox.

Information management policies in Office 365

An information management policy is a set of rules for a type of content. In SharePoint Online, information management policies enable organizations to control and track things like how long content is retained or what actions users can take with that content. Predefined policies include retention policies, expiring out-of-date content, and auditing of document usage.

You can use site policies to help control site proliferation. A site policy defines the lifecycle of a site by specifying when the site will be closed and when it will be deleted.

Information Rights Management

Information Rights Management (IRM) helps prevent sensitive information from being printed, forwarded, saved, edited, or copied by unauthorized people.

Legacy Exchange Hosted Services

Information about transitioning from the following legacy Exchange hosted services:

  • Exchange Hosted Archiving (EHA)

  • Exchange Hosted Encryption (EHE)

  • Forefront Online Protection for Exchange (FOPE)

Mobile Device Management in Office 365

You can use Office 365 to secure and manage any device that uses Exchange ActiveSync to sync with your organization’s email, calendar, contacts, and tasks. Using the Office 365 and Exchange admin centers, you can perform common mobile device management tasks like setting device access rules, viewing device reports, and remotely wiping devices that are lost or stolen.

Transport Rules in Office 365

Using transport rules, you can look for specific conditions in messages that pass through your organization and take action on them. Transport rules let you apply your business policies to email messages and they can help you secure messages, protect messaging systems, and prevent information loss. You can use the Exchange Admin Center or Windows PowerShell to manage transport rules.