Microsoft has added four security measures to Office 365 to help businesses keep their data secure. Two of the measures are focused on compliance and the other two offer better identity protection.

Are four new measures at once a bit much? Not if you consider things like the recent Anthem breach.

Microsoft’s drive to ensure Office 365 security and compliance is nothing new. But with the number of high-profile information breaches growing, everyone responsible for enterprise data is a bit edgy.

Keeping Data Safe

Microsoft recently overhauled Office 365’s security, with a heavy emphasis on multi-factor authentication. This came only weeks after Microsoft plugged a cross-site vulnerability in Office 365 that could have exposed data to hackers.

In that instance, the vulnerability was exposed by Alan Byrne, co-founder of Internet security firm Cogmotive, not by Microsoft itself.

Given the spread of Office 365 in the enterprise space, even one such incident could do irreparable damage to the brand. So it's not surprising that Microsoft is anxious to make a lot of noise about Office 365 security enhancements. To that end, Office 365 is now compliant with ISO 27018 and with HITRUST.

ISO 27018

ISO 27018 establishes a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. There are three big commitments enabled by these controls:

  1. Office 365 is advertising-free so customers don’t have to worry that their data will be used for advertising or marketing purposes
  2. There are defined policies for the return, transfer and secure disposal of PII
  3. Office 365 proactively discloses the identities of sub-processors


The Health Information Trust Alliance — HITRUST — was formed to provide an actionable set of controls designed to protect electronic protected health information. Microsoft said its Office 365 team, in partnership with an independent assessor, successfully completed an assessment of its compliance with HITRUST. It received a rating of five, the highest rating possible.

Other Measures

Microsoft introduced two other security measures that were previously only available to subscribers to its Enterprise Mobility Suite and Azure Active Directory (AD) Premium subsections.

page and Access Panel

This enables enterprises to build their own Sign-In page as well as the Azure AD Access Panel, where users pick an application to sign into. As of today, users will be able to customize these pages using text, images and coloring of their choosing, making the pages more difficult to copy.

This is in addition to the Office 365 tenant branding that can be used to apply custom text, color and images for the Office 365 service as shown after sign-in.

Cloud user self-service password reset

The other feature, which surprisingly hasn’t been made available until now, is a self-service password reset. This makes the process of resetting passwords much easier and possible without the help of an administrator.

This functionality is available for Office 365 users who are cloud-based only and do not require write back of the updated password to an on-premises server.