You control your data. When you put your data in OneDrive, you remain the owner of the data. For more info about the ownership of your data, see Office 365 Privacy by Design.
See this training course to learn about OneDrive features that you can use to protect your files, photos and data: Secure, protect and restore OneDrive
How you can safeguard your data
Here are some things you can do to help protect your files in OneDrive:
Create a strong password. Check the strength of your password.
Add security info to your Microsoft account. You can add info like your phone number, an alternate email address, and a security question and answer. That way, if you ever forget your password or your account gets hacked, we can use your security info to verify your identity and help you get back into your account. Go to the Security info page.
Use two-factor verification. This helps protect your account by requiring you to enter an extra security code whenever you sign in on a device that isn’t trusted. The second factor can be made through a phone call, text message, or app. For more info about two-step verification, see How to use two-step verification with your Microsoft account.
Enable encryption on your mobile devices. If you have the OneDrive mobile app, we recommend that you enable encryption on your iOS or Android devices. This helps to keep your OneDrive files protected if your mobile device is lost, stolen, or someone gains access to it.
Subscribe to Microsoft 365. An Microsoft 365 subscription gives you advanced protection from viruses and cybercrime, and ways to recover your files from malicious attacks.
How OneDrive protects your data
Microsoft engineers administer OneDrive using a Windows PowerShell console that requires two-factor authentication. We perform day-to-day tasks by running workflows so we can rapidly respond to new situations. No engineer has standing access to the service. When engineers need access, they must request it. Eligibility is checked, and if engineer access is approved, it's only for a limited time.
Additionally, OneDrive and Office 365, strongly invests in systems, processes, and personnel to reduce the likelihood of personal data breach and to quickly detect and mitigate consequence of breach if it does occur. Some of our investments in this space include:
Access control systems: OneDrive and Office 365 maintain a “zero-standing access” policy, which means that engineers do not have access to the service unless it is explicitly granted in response to a specific incident that requires elevation of access. Whenever access is granted it is done under the principle of least privilege: permission granted for a specific request only allows for a minimal set of actions required to service that request. To do this, OneDrive and Office 365 maintain strict separation between “elevation roles,” with each role only allowing certain pre-defined actions to be taken. The “Access to Customer Data” role is distinct from other roles that are more commonly used to administer the service and is scrutinized most heavily before approval. Taken together, these investments in access control greatly reduce the likelihood that an engineer in OneDrive or Office 365 inappropriately accesses customer data.
Security monitoring systems and automation: OneDrive and Office 365 maintain robust, real-time security monitoring systems. Among other issues, these systems raise alerts for attempts to illicitly access customer data, or for attempts to illicitly transfer data out of our service. Related to the points about access control mentioned above, our security monitoring systems maintain detailed records of elevation requests that are made, and the actions taken for a given elevation request. OneDrive and Office 365 also maintain automatic resolution investments that automatically act to mitigate threats in response to issues we detect, and dedicated teams for responding to alerts that cannot be resolved automatically. To validate our security monitoring systems, OneDrive and Office 365 regularly conduct red-team exercises in which an internal penetration testing team simulates attacker behavior against the live environment. These exercises lead to regular improvements to our security monitoring and response capabilities.
Personnel and processes: In addition to the automation described above, OneDrive and Office 365 maintain processes and teams responsible for both educating the broader organization about privacy and incident management processes, and for executing those processes during a breach. For example, a detailed privacy breach Standard Operating Procedure (SOP) is maintained and shared with teams throughout the organization. This SOP describes in detail the roles and responsibilities both of individual teams within OneDrive and Office 365 and centralized security incident response teams. These span both what teams need to do to improve their own security posture (conduct security reviews, integrate with central security monitoring systems, and other best practices), and what teams would need to do in the event of an actual breach (rapid escalation to incident response, maintain and provide specific data sources that will be used to expedite the response process). Teams are also regularly trained on data classification, and correct handling and storage procedures for personal data.
The major takeaway is that OneDrive and Office 365, for both consumer and business plans, strongly invest in reducing the likelihood and consequences of personal data breach impacting our customers. If a personal data breach does occur, we are committed to rapidly notifying our customers once that breach is confirmed.
Protected in transit and at rest
Protected in transit
When data transits into the service from clients, and between datacenters, it's protected using transport layer security (TLS) encryption. We only permit secure access. We won't allow authenticated connections over HTTP, but instead redirect to HTTPS.
Protected at rest
Physical protection: Only a limited number of essential personnel can gain access to datacenters. Their identities are verified with multiple factors of authentication including smart cards and biometrics. There are on-premises security officers, motion sensors, and video surveillance. Intrusion detection alerts monitor anomalous activity.
Network protection: The networks and identities are isolated from the Microsoft corporate network. Firewalls limit traffic into the environment from unauthorized locations.
Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The Microsoft Security Response Center helps triage incoming vulnerability reports and evaluate mitigations. Through the Microsoft Cloud Bug Bounty Terms, people across the world can earn money by reporting vulnerabilities.
Content protection: Each file is encrypted at rest with a unique AES256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault.
Highly available, always recoverable
Our datacenters are geo-distributed within the region and fault tolerant. Data is mirrored into at least two different Azure regions, which are at least several hundred miles away from each other, allowing us to mitigate the impact of a natural disaster or loss within a region.
We constantly monitor our datacenters to keep them healthy and secure. This starts with inventory. An inventory agent performs a state capture of each machine.
After we have an inventory, we can monitor and remediate the health of machines. Continuous deployment ensures that each machine receives patches, updated anti-virus signatures, and a known good configuration saved. Deployment logic ensures we only patch or rotate out a certain percentage of machines at a time.
The Microsoft 365 "Red Team" within Microsoft is made up of intrusion specialists. They look for any opportunity to gain unauthorized access. The "Blue Team" is made up of defense engineers who focus on prevention, detection, and recovery. They build intrusion detection and response technologies. To keep up with the learnings of the security teams at Microsoft, see Security Office 365 (blog).
Additional OneDrive security features
As a cloud storage service, OneDrive has many other security features. Those include:
Virus scanning on download for known threats - The Windows Defender anti-malware engine scans documents at download time for content matching an AV signature (updated hourly).
Suspicious activity monitoring - To prevent unauthorized access to your account, OneDrive monitors for and blocks suspicious sign-in attempts. Additionally, we’ll send you an email notification if we detect unusual activity, such as an attempt to sign in from a new device or location.
Ransomware detection and recovery - As an Microsoft 365 subscriber, you will get alerted if OneDrive detects a ransomware or malicious attack. You’ll be able to easily recover your files to a point in time before they were affected, up to 30 days after the attack. You can also your restore your entire OneDrive up to 30 days after a malicious attack or other types of data loss, such as file corruption, or accidental deletes and edits.
Version history for all file types - In the case of unwanted edits or accidental deletes, you can restore deleted files from the OneDrive recycle bin or restore a previous version of a file in OneDrive.
Password protected & expiring sharing links - As an Microsoft 365 subscriber, you can keep your shared files more secure by requiring a password to access them or setting an expiration date on the sharing link.
Mass file deletion notification and recovery - If you accidentally or intentionally delete a large number of files, we will alert you and provide you with steps to recover those files.
Personal Vault is a protected area in OneDrive that you can only access with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.1 Your locked files in Personal Vault have an extra layer of security, keeping them more secured in case someone gains access to your account or your device. Personal Vault is available on your PC, on OneDrive.com, and on the OneDrive mobile app, and it also includes the following features:
Scan directly into Personal Vault - You can use the OneDrive mobile app to take pictures or shoot video directly into your Personal Vault, keeping them off less secure areas of your device—such as your camera roll.2 You can also scan important travel, identification, vehicle, home, and insurance documents directly into your Personal Vault. And you’ll have access to these photos and documents wherever you go, across your devices.
BitLocker-encryption - On Windows 10 PCs, OneDrive syncs your Personal Vault files to a BitLocker-encrypted area of your local hard drive.
Automatic locking - Personal Vault automatically relocks on your PC, device, or online after a short period of inactivity. Once locked, any files you were using will also lock and require re-authentication to access.3
Together, these measures help keep your locked Personal Vault files protected even if your Windows 10 PC or mobile device is lost, stolen, or someone gains access to it.
1 Face and fingerprint verification requires specialized hardware including a Windows Hello capable device, fingerprint reader, illuminated IR sensor, or other biometric sensors and capable devices.
2 The OneDrive app on Android and iOS requires either Android 6.0 or above or iOS 12.0 and above.
3 Automatic locking interval varies by device and can be set by the user.
Need more help?
Go to the OneDrive UserVoice.