Azure Data Protection Practices

Access to customer data by Microsoft operations and support personnel is denied by default. Once access to customer data is granted, management approval is required and access is carefully managed and recorded. Access control requirements are established by the following Azure security policies:

  • By default, there is no access to client data.
  • Client virtual machines (VMs) do not have a user or administrator account.
  • Grant the minimum privileges needed to complete the task. Audit and logging of access requests.

Azure Support Staff is assigned a single Enterprise Active Directory account by Microsoft. Azure leverages Microsoft Enterprise Active Directory managed by Microsoft Information Technology (MSIT) to control access to leading information systems. Multifactor authentication is required and access is only allowed from a secure console.

 Azure allows customers to encrypt data and manage keys, and safeguards customer data for applications, platform, system, and storage using three specific methods: encryption, segregation, and destruction.






Data Isolation

Azure is a multitenant service, meaning that multiple customers’ deployments and virtual machines are stored on the same physical hardware.

Protecting Data At Rest

Azure offers a wide range of encryption capabilities, giving customers the flexibility to choose the solution that best meets their needs. Azure Disk Encryption is a capability that lets you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks are encrypted at rest in your Azure storage. SQL Database TDE is based on SQL Server’s TDE technology, which encrypts the storage of an entire database by using an industry-standard AES-256 symmetric key called the database encryption key. SQL Database protects this database encryption key with a service-managed certificate. All key management for database copying, Geo-Replication, and database restores anywhere in SQL Database is handled by the service.

Protecting Data In Transit

For data in transit, customers can enable encryption for traffic between their own VMs and end users. Azure protects data in transit, such as between two virtual networks. Azure uses industry-standard transport protocols such as TLS between devices and Microsoft datacenters, and within datacenters themselves.


Customers can encrypt data in storage and in transit to align with best practices for protecting confidentiality and data integrity. For data in transit, Azure uses industry-standard transport protocols between devices and Microsoft datacenters and within datacenters themselves. You can enable encryption for traffic between your own virtual machines and end users.

Data Redundancy

Customers may opt for in-country storage for compliance or latency considerations or out-of-country storage for security or disaster recovery purposes. Data may be replicated within a selected geographic area for redundancy.

Data Destruction

When customers delete data or leave Azure, Microsoft follows strict standards for overwriting storage resources before reuse. As part of our agreements for cloud services such as Azure Storage, Azure VMs, and Azure Active Directory, we contractually commit to specific processes for the deletion of data.