How to Ensure Files Shared Across Borders Using Microsoft 365 are Encrypted
As organizations expand their global footprint and embrace hybrid work, secure cross-border file sharing becomes critical to safeguarding sensitive data. Microsoft 365 is a productivity powerhouse for distributed teams, but ensuring files shared within this environment are properly encrypted requires more than relying on defaults—especially when data moves between countries with differing regulations.
This article equips IT, security, and compliance leaders with a step-by-step approach to maximize encryption, minimize risk, and streamline compliance across Microsoft 365 for cross-border collaboration. From understanding encryption protocols and configuring advanced controls to leveraging built-in features and educating users, you’ll learn exactly how to maintain confidentiality, integrity, and availability for every file—no matter where or how it’s shared.
Executive Summary
Main idea: Configure and govern Microsoft 365 encryption, labeling, and access controls so files remain encrypted and compliant when shared across borders.
Why you should care: Cross-border sharing raises data sovereignty, data privacy, and breach risks. Getting encryption and data governance right protects intellectual property, accelerates global secure collaboration, and simplifies data compliance obligations.
Key Takeaways
- Automate protection with sensitivity labels. Configure labels to apply encryption and access rules that persist across borders, reducing manual error and ensuring consistent protection in multinational collaboration.
- Use Customer-Managed Keys for sovereignty. Store keys in-region with Azure Key Vault to meet residency requirements, enable rapid key rotation, and maintain ownership over cryptographic material.
- Tighten external sharing controls. Require identity verification, disable “Anyone” links for sensitive data, and apply time-bound permissions to keep cross-border access limited and auditable.
- Enforce geo-aware policies and access. Use DLP, Conditional Access, and admin policies to trigger encryption and step-up authentication for cross-border scenarios, high-risk locations, and external recipients.
- Sustain security with audits and training. Regular reviews and targeted user education reduce misclassification, ensure configurations remain effective, and maintain compliance as regulations evolve across jurisdictions.
Strategic Overview
For global enterprises, the best solution for encrypted file sharing combines seamless usability with enterprise-grade security, regulatory compliance, and centralized governance.
Microsoft 365, with its integrated encryption features and advanced key management options, meets these demands when configured and managed proactively.
By deploying the right controls and instilling best practices, organizations can ensure secure file sharing across continents and teams—without sacrificing productivity or compliance.
Cross-border considerations—such as data sovereignty, regional key placement, and geo-specific access controls—should be embedded into configuration and governance from the start.
Encryption in Microsoft 365
Encryption is the foundation of secure file sharing in Microsoft 365. In this ecosystem, encryption protects both data at rest (stored on Microsoft servers) and data in transit (moving between users or devices).
Microsoft 365 uses the Advanced Encryption Standard (AES) for data at rest and TLS for data in transit, ensuring multilayered protection for files, chats, and emails. These protections apply regardless of where collaborators are located, preserving confidentiality during cross-border transfers and access.
Every file uploaded to SharePoint, OneDrive, or sent via Outlook email is encrypted at rest, with AES 256 encryption keys uniquely generated for each file chunk. This compartmentalization reduces risk even if a single key is ever compromised.
For organizations with heightened compliance needs, customer-managed keys (CMK) enable storing and controlling encryption keys in Azure Key Vault—critical for industries with strict regulatory requirements and for meeting in-country key residency expectations in cross-border use cases.
Encryption Standards Used for Data at Rest and in Transit
Microsoft 365 employs industry-leading encryption standards to guarantee confidentiality at all stages:
- Data at rest: Files are protected by AES 256 encryption, with distinct keys for each file segment.
- Data in transit: TLS/SSL protocols automatically encrypt files and communications as they move across SharePoint, OneDrive, Teams, and Exchange.
AES (Advanced Encryption Standard) is a symmetric block cipher algorithm widely regarded as the gold standard for encrypting digital data worldwide.
Microsoft 365 further mitigates risk by utilizing Perfect Forward Secrecy, ensuring that compromise of one session’s key does not affect others, and by generating per-file and per-chunk encryption keys.
Role of Customer-Managed Keys for Enhanced Control
Customer-managed keys (CMK) provide organizations with the ability to store cryptographic keys in their own Azure Key Vault, rather than relying solely on Microsoft. This approach offers:
- Key rotation and revocation on demand
- Faster, granular response to emerging threats
When to choose which model?
| Key Management Option | Best For | Operational Implications |
|---|---|---|
| Microsoft-managed keys | Default, simplicity, low-touch | Minimal admin, less granular control |
| Customer-Managed Keys (CMK) | Regulated industries, extra control | Requires Azure Key Vault, more admin effort |
Organizations handling highly sensitive data or operating under stringent regulatory frameworks benefit most from CMK, as it allows them to respond immediately to key compromise or policy changes and maintain full ownership of cryptographic material. For cross-border collaboration, CMK also helps satisfy data residency and data sovereignty requirements by placing keys in-region while preserving global productivity.
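The following PowerShell is an added example, not part of the article and not Microsoft's or Kiteworks' own code. It shows the in-region key placement described above for Microsoft 365 Customer Key: two Azure Key Vaults in one jurisdiction, HSM-backed root keys that can only wrap and unwrap, least-privilege access for the Microsoft 365 service principals, and registration of the keys with Exchange Online and SharePoint Online. The region, resource group, vault, key, mailbox and tenant names are constructed placeholders.

```powershell
# Added example (not part of the article): provision two in-region Azure Key Vaults,
# create HSM-backed root keys, grant Microsoft 365 wrap/unwrap rights, and register
# the keys with Exchange Online and SharePoint Online (Customer Key).
# Region, resource group, vault, key, mailbox and tenant names are constructed placeholders.
# Modules: Az.KeyVault, ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell.

$Region  = 'germanywestcentral'                            # placeholder: the jurisdiction the keys must stay in
$Rg      = 'rg-m365-customer-key'                          # placeholder resource group
$Vaults  = 'kv-m365-ck-primary', 'kv-m365-ck-secondary'    # Customer Key expects two vaults / two keys
$KeyName = 'm365-root-key'

# Well-known Microsoft 365 service principal app IDs that need wrap/unwrap rights on the keys.
$M365ServicePrincipals = @(
    '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
    '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online
)

Connect-AzAccount

foreach ($vault in $Vaults) {
    # Premium SKU for HSM-backed keys. Purge protection (with the default soft delete) means a key
    # cannot be permanently destroyed by a single mistaken or malicious action, which would otherwise
    # make every mailbox and file it protects unrecoverable.
    New-AzKeyVault -Name $vault -ResourceGroupName $Rg -Location $Region -Sku Premium -EnablePurgeProtection

    # The root key only wraps/unwraps data-encryption keys; it never signs or decrypts content directly.
    Add-AzKeyVaultKey -VaultName $vault -Name $KeyName -Destination HSM -KeyOps wrapKey, unwrapKey

    # Least privilege for the service: wrapKey, unwrapKey and get, nothing else (no create, delete, backup).
    foreach ($spn in $M365ServicePrincipals) {
        Set-AzKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $spn -PermissionsToKeys wrapKey, unwrapKey, get
    }
}

# Collect the versioned key identifiers (https://<vault>.vault.azure.net/keys/<name>/<version>).
$keys   = foreach ($vault in $Vaults) { Get-AzKeyVaultKey -VaultName $vault -Name $KeyName }
$keyIds = $keys | ForEach-Object { $_.Id }

# Exchange Online: a data encryption policy (DEP) that mailboxes are then assigned to.
Connect-ExchangeOnline
New-DataEncryptionPolicy -Name 'EU mailbox DEP' -Description 'Root keys pinned to in-region vaults' -AzureKeyIDs $keyIds
Set-Mailbox -Identity 'eu-finance@contoso.example' -DataEncryptionPolicy 'EU mailbox DEP'   # placeholder mailbox

# SharePoint Online and OneDrive: one tenant-wide policy referencing both keys.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant
Register-SPODataEncryptionPolicy -PrimaryKeyVaultName $Vaults[0] -PrimaryKeyName $KeyName -PrimaryKeyVersion $keys[0].Version `
    -SecondaryKeyVaultName $Vaults[1] -SecondaryKeyName $KeyName -SecondaryKeyVersion $keys[1].Version

# Verify what the services now see.
Get-DataEncryptionPolicy | Format-List Name, AzureKeyIDs, Enabled
Get-SPODataEncryptionPolicy
```

Rotation follows the same shape: create a new key version with Add-AzKeyVaultKey, then refresh the Exchange policy with Set-DataEncryptionPolicy -Refresh and the SharePoint policy with Update-SPODataEncryptionPolicy. Note that the Microsoft 365 service principals keep calling wrapKey/unwrapKey on your vault to serve the data, which is exactly the customer-managed versus customer-owned distinction drawn in the next section.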
Important Distinction: Customer-managed Keys vs. Customer-owned Keys
While CMK places the encryption keys in your Azure Key Vault and under your administrative control, Microsoft 365 services are authorized to use those keys to decrypt and process data in order to deliver the service. As a result, Microsoft may still be in a position to produce customer content in response to lawful demands, consistent with its legal obligations and policies, unless you revoke access to the keys or employ additional controls.
Customer-managed keys (Microsoft 365): Keys are created and stored in your Azure Key Vault, and you control rotation and revocation. However, Microsoft services can use the keys you authorize to decrypt data for service operations, which means data may be subject to lawful access requests.
Customer-owned keys (Kiteworks): Keys never leave your control, and Kiteworks cannot access them to decrypt your content. This model helps ensure that the provider cannot produce plaintext data to third parties without your participation, reducing lawful-access exposure and supporting strict data sovereignty requirements.
Leverage Built-In Microsoft 365 Encryption Features
Microsoft 365 includes robust, user-friendly encryption capabilities that, when activated, make secure file sharing effortless for end users. Sensitivity labels and Azure Rights Management (Azure RMS) are central to this automation, ensuring encryption is consistently applied based on file classification and organizational policy. These protections persist with files as they traverse borders, sustaining control throughout the information lifecycle.
Using sensitivity labels to apply automatic encryption
Sensitivity labels are metadata tags assigned to files, emails, and documents in Microsoft 365 to classify and enforce security policies such as encryption and restricted sharing.
When configured, sensitivity labels can:
- Automatically encrypt files and emails in SharePoint, OneDrive, and Exchange
- Allow secure sharing with external users, specifying precise permissions
- Trigger Data Loss Prevention (DLP) policies for regulatory compliance
| Label Type | Encryption | Watermarking | Restricted Forwarding | External Sharing Controls |
|---|---|---|---|---|
| Public | Off | No | No | Open |
| Confidential | On | Yes | Yes | Controlled |
| Restricted | On | Yes | Yes | Highly Restricted |
This policy-based approach eliminates manual guesswork and ensures data is always protected according to its sensitivity.
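As an added example (not code from the article or from Microsoft), the following Security & Compliance PowerShell defines a "Confidential" label of the kind shown in the table: encryption on, watermark on, forwarding limited by usage rights, and external sharing controlled by naming exactly which identities may open the content. The group addresses, label names and policy settings are constructed placeholders.

```powershell
# Added example (not part of the article): define a "Confidential" sensitivity label whose
# encryption and usage rights travel with the file, then publish it with mandatory labeling.
# Group addresses, label names and advanced-setting values are constructed placeholders.
# Module: ExchangeOnlineManagement (Security & Compliance PowerShell).
Connect-IPPSSession

# Usage rights per identity. Internal staff get co-authoring rights; the partner group is
# view-only with no print/extract/forward; anyone not listed cannot open the file at all,
# regardless of which country or device it is opened from.
$rights = @(
    'allstaff@contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'
    'partners@partner.example:VIEW,VIEWRIGHTSDATA,OBJMODEL'
) -join ';'

$labelParams = @{
    Name                        = 'Confidential'
    DisplayName                 = 'Confidential'
    Tooltip                     = 'Encrypted. External partners are view-only.'
    EncryptionEnabled           = $true
    EncryptionProtectionType    = 'Template'      # fixed rights defined here, not chosen by the user
    EncryptionRightsDefinitions = $rights
    EncryptionOfflineAccessDays = 7               # after 7 days offline the client must re-authorize,
                                                  # so revoking a user's rights takes effect within a week
    EncryptionContentExpiredOnDateInDaysOrNever = 'Never'
    ApplyWaterMarkingEnabled    = $true
    ApplyWaterMarkingText       = 'Confidential'
    ApplyWaterMarkingFontSize   = 12
}
New-Label @labelParams

# Publish: a label is required on every new item, and downgrading a label needs a justification,
# which the audit log records (a useful signal when reviewing cross-border sharing).
$policyParams = @{
    Name             = 'Global classification policy'
    Labels           = 'Confidential'
    ExchangeLocation = 'All'
    AdvancedSettings = @{
        Mandatory                    = 'true'
        RequireDowngradeJustification = 'true'
    }
}
New-LabelPolicy @policyParams

# Confirm the label encrypts and who holds which rights.
Get-Label -Identity 'Confidential' | Format-List Name, EncryptionEnabled, EncryptionRightsDefinitions, EncryptionOfflineAccessDays
```

The offline-access window is the setting most often overlooked: rights live in the file, so a user whose access has been revoked can keep opening a cached copy until the client is forced back to the service for a fresh use license.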
Configuring Azure Rights Management protections
Azure Rights Management (Azure RMS) is a cloud-based protection technology providing encryption, identity, and authorization controls that persist with files and emails across devices—even after sharing externally.
To enable Azure RMS:
- Access the Microsoft Purview compliance portal.
- Activate Azure RMS for all users or specific security groups.
- Customize policies to prevent downloads, limit printing, or restrict sharing.
- Test protections by sharing files internally and externally.
Azure RMS is especially valuable in sectors like healthcare and financial services, where persistent protection must follow files beyond the corporate border.
Configure Microsoft 365 Encryption Settings
Configuring, monitoring, and auditing encryption in Microsoft 365 is vital for ongoing protection. Centralized controls ensure end-to-end encryption (E2EE) for emails and attachments, minimizing human error and automating compliance.
Enabling end-to-end encryption for emails and attachments
End-to-end encryption is a security process that ensures only communicating parties can access the content of a message or file, protecting it from interception at every stage of transmission.
In Microsoft 365, E2EE shields both the message body and attachments in transit. To activate:
- Open the Microsoft 365 Admin Center and Exchange Admin Center.
- Navigate to mail flow > rules; create a rule to apply E2EE to messages with specific sensitivity labels or keywords.
- Enable E2EE for chosen groups, departments, or organization-wide.
- Test and validate the configuration by sending encrypted test emails.
This setup ensures sensitive communications are private, compliant, and auditable.
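The mail flow step above, scripted as an added example (not the article's own code): two Exchange Online transport rules that apply the built-in "Encrypt" rights protection template, one triggered by a sensitivity label and one by a keyword, scoped to messages leaving the organization, followed by a read-back of the rules. The label GUID and the keyword are placeholders.

```powershell
# Added example (not part of the article): two Exchange Online mail flow rules that apply the
# built-in "Encrypt" rights protection template, one keyed on a sensitivity label and one on a
# keyword, then a check of the resulting rules. The label GUID and keyword are placeholders.
# Module: ExchangeOnlineManagement.
Connect-ExchangeOnline

# Labeled messages carry an msip_labels header containing MSIP_Label_<guid>_Enabled=true.
# Read the real GUID with (Get-Label -Identity 'Confidential').ImmutableId after Connect-IPPSSession.
$labelGuid = '00000000-0000-0000-0000-000000000000'   # placeholder GUID

# Rule 1: any message labeled Confidential that leaves the organization is encrypted.
New-TransportRule -Name 'Encrypt Confidential mail leaving the org' `
    -HeaderContainsMessageHeader 'msip_labels' `
    -HeaderContainsWords "MSIP_Label_${labelGuid}_Enabled=true" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Priority 0

# Rule 2: a keyword users can type in the subject when a label has not been applied yet.
New-TransportRule -Name 'Encrypt keyword-tagged mail' `
    -SubjectOrBodyContainsWords 'CROSSBORDER-CONFIDENTIAL' `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Priority 1

# Validate: both rules enabled, with the expected scope and action.
Get-TransportRule | Where-Object { $_.ApplyRightsProtectionTemplate } |
    Format-Table Name, State, Priority, SentToScope, ApplyRightsProtectionTemplate -AutoSize
```

For the final test step, send a labeled message and a keyword-tagged message to an external mailbox and confirm both arrive as encrypted messages rather than plaintext; a message trace on the sender shows which rule fired.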
Setting encryption policies in the Microsoft 365 admin center
The Microsoft 365 Admin Center offers granular controls to enforce encryption:
- Define DLP trigger rules to automatically encrypt files/emails containing sensitive data.
- Customize policies by user group or department, based on risk profile.
- Audit and report breaches or exceptions using built-in compliance dashboards.
Encryption Policy Checklist:
- Review all default encryption and sharing settings.
- Tailor policies for different departments or roles.
- Enable alerts for encryption policy violations or unusual activity.
- Schedule regular reviews of policy effectiveness and compliance.
- Add geo-aware conditions (location, country, region) to DLP and Conditional Access so cross-border sharing enforces stricter encryption and access controls.
Share Files Securely Through Trusted Microsoft 365 Channels
To guarantee files remain encrypted and secure, always use approved Microsoft 365 platforms—SharePoint, OneDrive, and Teams—for internal and external sharing. These platforms apply encryption automatically, support metadata and co-authoring, and integrate with compliance controls.
Using SharePoint, OneDrive, and Microsoft Teams with encryption
- SharePoint & OneDrive: Every file is encrypted with unique AES keys, stored separately from the data itself, maximizing confidentiality.
- Teams: TLS is used by default for all file transfers and communications, ensuring only intended recipients can access content.
| Platform | Encryption Protocols | Default Settings | External Guest Restrictions |
|---|---|---|---|
| SharePoint | AES 256, TLS | Encryption always on | Can restrict by site or file |
| OneDrive | AES 256, TLS | Encryption always on | Controlled sharing, link expiration |
| Teams | TLS (files, chat), AES | Encryption always on | Can limit guest access, require MFA |
Managing external sharing securely with identity verification
For sensitive content, external sharing should be tightly controlled:
- Require recipients to authenticate via Microsoft/Google account or a one-time passcode.
- Prohibit “Anyone with the link” sharing for confidential or regulated data.
- Govern sharing links and permissions centrally, leveraging DLP and sensitivity labels to prevent accidental or malicious exposure.
- Apply stricter controls for cross-border recipients, including time-bound access, least-privilege permissions, and location-based restrictions.
These measures ensure only verified, authorized individuals can access shared, encrypted files.
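The controls listed above, expressed as a SharePoint Online tenant baseline, are shown here as an added example (not the article's or Microsoft's code). It disables anonymous links, forces one-time-passcode recipients to re-verify, time-bounds guest access, restricts sharing to named partner domains, and then locks one regulated site to internal-only. Tenant, site and domain names are constructed placeholders.

```powershell
# Added example (not part of the article): a tenant-wide SharePoint/OneDrive sharing baseline that
# removes anonymous links, forces recipient verification and time-bounds guest access, plus a stricter
# per-site setting and an allow-list of partner domains. Tenant, site and domain names are placeholders.
# Module: Microsoft.Online.SharePoint.PowerShell.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder admin URL

$tenantParams = @{
    SharingCapability                 = 'ExternalUserSharingOnly'   # external recipients must sign in; no "Anyone" links
    DefaultSharingLinkType            = 'Direct'                    # new links default to specific people
    DefaultLinkPermission             = 'View'                      # and to read-only
    RequireAnonymousLinksExpireInDays = 7                           # if Anyone links are ever re-enabled, they expire
    ExternalUserExpirationRequired    = $true                       # guest access is time-bound ...
    ExternalUserExpireInDays          = 30                          # ... and lapses after 30 days unless renewed
    EmailAttestationRequired          = $true                       # one-time-passcode recipients must re-verify ...
    EmailAttestationReAuthDays        = 15                          # ... every 15 days
    PreventExternalUsersFromResharing = $true                       # guests cannot forward access to others
    SharingDomainRestrictionMode      = 'AllowList'                 # only named partner domains can receive shares
    SharingAllowedDomainList          = 'partner.example'           # placeholder; space-separated for several domains
}
Set-SPOTenant @tenantParams

# A library holding regulated in-country data: no external sharing at all, whatever the tenant allows.
# (A site can be stricter than the tenant setting, never more permissive.)
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/eu-clinical-data' -SharingCapability Disabled   # placeholder site

# Read back the effective settings so the change can be evidenced in an audit.
Get-SPOTenant | Format-List SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    ExternalUserExpirationRequired, ExternalUserExpireInDays, EmailAttestationRequired,
    EmailAttestationReAuthDays, PreventExternalUsersFromResharing, SharingDomainRestrictionMode, SharingAllowedDomainList
Get-SPOSite -Identity 'https://contoso.sharepoint.com/sites/eu-clinical-data' | Format-List Url, SharingCapability
```

Location-based restrictions for cross-border recipients are not a sharing setting; they come from Conditional Access named locations, covered in the access-control section below.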
Implement Device and Access Security Controls
Encryption alone is not enough—secure access and device compliance further protect sensitive files. Zero trust architecture models, device encryption, and multi-factor authentication (MFA) create a layered defense.
Zero-trust access is a security model that never automatically trusts users or devices; it requires identity verification and continuous authorization before granting any resource access.
Deploying mobile device management policies for encrypted access
Mobile Device Management (MDM) policies ensure only secure, compliant devices access Microsoft 365 data:
- Configure MDM in Microsoft Intune or a similar solution.
- Require device encryption and compliance before granting access to files.
- Monitor devices for suspicious activity and block compromised endpoints.
MDM reduces risk from lost or stolen devices and helps prevent unprotected data leaks.
Enforcing zero-trust access and multi-factor authentication
Conditional Access policies in Microsoft Entra (Azure AD) enforce strong identity and access controls:
- Require MFA for all users accessing encrypted files.
- Enforce strong password policies and session timeouts.
- Validate device compliance before granting access.
- Incorporate location conditions to enforce step-up authentication or block access from high-risk geographies during cross-border collaboration.
These controls provide essential assurance that only trusted users and devices can access sensitive, encrypted content.
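The device-compliance and Conditional Access steps from the two lists above, combined into one added example (not the article's or Microsoft's code) using Microsoft Graph PowerShell: an Intune Windows compliance policy that requires disk encryption, a country named location, a policy that blocks Office 365 from that location, and a policy that requires MFA plus a compliant device with a session timeout everywhere else. The country codes and the break-glass group ID are placeholders, and both Conditional Access policies are created in report-only mode.

```powershell
# Added example (not part of the article): with Microsoft Graph PowerShell, create (1) an Intune Windows
# compliance policy that requires BitLocker disk encryption, (2) a country named location, (3) a
# Conditional Access policy that blocks Office 365 from that location, and (4) one that requires MFA
# plus a compliant device everywhere else. Country codes and the break-glass group ID are placeholders;
# both CA policies start in report-only mode so sign-in logs can be reviewed before enforcement.
# Modules: Microsoft.Graph.Identity.SignIns, Microsoft.Graph.DeviceManagement.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'DeviceManagementConfiguration.ReadWrite.All'

$breakGlassGroupId = '11111111-1111-1111-1111-111111111111'   # placeholder: emergency-access accounts are exempt

# (1) Device compliance: a device only counts as "compliant" for Conditional Access if its disk is encrypted.
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter @{
    '@odata.type'            = '#microsoft.graph.windows10CompliancePolicy'
    displayName              = 'Windows: encryption required'
    bitLockerEnabled         = $true
    storageRequireEncryption = $true
    secureBootEnabled        = $true
    scheduledActionsForRule  = @(@{
        ruleName                      = 'PasswordRequired'
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0 })
    })
}

# (2) Named location for geographies the organization does not operate in.
$riskyGeo = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Blocked countries (placeholder list)'
    countriesAndRegions               = @('XX', 'YY')   # placeholder ISO 3166-1 alpha-2 codes
    includeUnknownCountriesAndRegions = $true            # sign-ins whose country cannot be resolved are treated as risky
}

# (3) Block Office 365 from those locations outright.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block Office 365 from blocked countries'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @('Office365') }
        locations    = @{ includeLocations = @($riskyGeo.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# (4) Everywhere else: MFA AND a compliant device, with re-authentication every 8 hours.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = 'Require MFA and compliant device for Office 365'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
    }
    grantControls   = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
    sessionControls = @{ signInFrequency = @{ value = 8; type = 'hours'; isEnabled = $true } }
}

# Review what was created before changing state to 'enabled'.
Get-MgIdentityConditionalAccessPolicy | Format-Table DisplayName, State
```

Keeping an excluded break-glass group in every blocking policy is what prevents a mis-scoped location rule from locking administrators out of the tenant; review the report-only results in the sign-in logs before switching either policy to enabled.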
Educate Teams and Enforce Encryption Best Practices
Technology alone cannot guarantee security—ongoing user education and regular audits are essential to keep encryption best practices effective and the organization compliant.
Training users on secure sharing protocols and encryption importance
Regular training empowers staff to:
- Use sensitivity labels appropriately.
- Recognize and classify sensitive files.
- Report suspicious sharing activity.
Visual guides, “Do’s and Don’ts,” and bite-sized infographics can drive awareness and reduce risky behaviors, including the extra diligence required for cross-border sharing and regulatory obligations.
Establishing regular audits and reviews of encryption configurations
An encryption audit is a structured review process in which an organization assesses its policies, settings, and controls to confirm all sensitive data shares are appropriately encrypted and that logs are accurately maintained.
Basic audit checklist:
- Review sharing and encryption settings in the admin center.
- Validate that sensitivity labels, RMS/Azure protections, and DLP are active.
- Generate reports on compliance and any policy exceptions.
- Address findings and document actions.
- Verify data location, access patterns across regions, and adherence to residency requirements.
Routine audits help identify vulnerabilities, maintain compliance, and ensure encryption policies remain fit for purpose as the business evolves.
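The checklist above as a read-only audit script, added here as an example (not the article's or Microsoft's code): it reads label, RMS, DLP, Customer Key, sharing and Conditional Access settings, turns each deviation into a finding, and summarizes who created external sharing links in the last week. The tenant URL and thresholds are constructed placeholders.

```powershell
# Added example (not part of the article): a read-only audit script that collects the settings the
# checklist above names and reports drift as findings. Tenant URL and thresholds are placeholders.
# Modules: ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell, Microsoft.Graph.Identity.SignIns.
Connect-IPPSSession                                                   # labels, DLP
Connect-ExchangeOnline                                                # IRM, DEPs, unified audit log
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'       # placeholder admin URL
Connect-MgGraph -Scopes 'Policy.Read.All'                             # Conditional Access

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Labels and RMS: every published label that does not encrypt is a candidate for review,
#    and Azure RMS must be enabled for Exchange Online for mail protection to work at all.
$publishedLabels = Get-LabelPolicy | ForEach-Object { $_.Labels } | Select-Object -Unique
foreach ($label in Get-Label) {
    if ($publishedLabels -contains $label.Name -and -not $label.EncryptionEnabled) {
        $findings.Add("Label '$($label.Name)' is published but does not apply encryption")
    }
}
if (-not (Get-IRMConfiguration).AzureRMSLicensingEnabled) { $findings.Add('Azure RMS is not enabled for Exchange Online') }

# 2. DLP: policies in test mode or disabled protect nothing.
Get-DlpCompliancePolicy | Where-Object { $_.Mode -ne 'Enable' } |
    ForEach-Object { $findings.Add("DLP policy '$($_.Name)' is in mode '$($_.Mode)'") }

# 3. Customer Key: if CMK is the standard, at least one DEP should exist and be enabled.
$deps = Get-DataEncryptionPolicy
if (-not $deps) { $findings.Add('No Exchange data encryption policy (Customer Key) is defined') }
$deps | Where-Object { -not $_.Enabled } | ForEach-Object { $findings.Add("DEP '$($_.Name)' is disabled") }

# 4. Sharing: tenant and per-site "Anyone" links, and whether guest access expires.
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') { $findings.Add('Tenant permits Anyone (anonymous) links') }
if (-not $tenant.ExternalUserExpirationRequired) { $findings.Add('Guest access is not time-bound at tenant level') }
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    ForEach-Object { $findings.Add("Site $($_.Url) permits Anyone links") }

# 5. Conditional Access: policies still in report-only or off are not enforcing anything.
Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -ne 'enabled' } |
    ForEach-Object { $findings.Add("Conditional Access policy '$($_.DisplayName)' is in state '$($_.State)'") }

# 6. Activity: who created external sharing links in the last 7 days (cross-region access pattern review).
$since = (Get-Date).AddDays(-7)
$shareEvents = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000 `
    -Operations 'AnonymousLinkCreated', 'SharingInvitationCreated', 'SecureLinkCreated'
$shareEvents | Group-Object UserIds | Sort-Object Count -Descending | Select-Object -First 10 Name, Count

# Report: zero findings is the pass condition; anything else goes into the remediation log.
if ($findings.Count -eq 0) { 'PASS: no encryption/sharing drift detected' }
else { $findings | ForEach-Object { "FINDING: $_" } }
$findings | Set-Content -Path ".\m365-encryption-audit-$(Get-Date -Format yyyyMMdd).txt"
```

Running this on a schedule and diffing the findings file between runs turns the "address findings and document actions" step into a record: a setting that was compliant last quarter and is not now is itself evidence of drift worth investigating.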
How Kiteworks Bolsters Microsoft 365 to Empower Secure Cross-Border File Sharing
Kiteworks augments Microsoft 365 with a native add-in that layers additional security, governance, and compliance controls onto Outlook, Office, SharePoint, and Teams workflows—without disrupting user productivity.
- Microsoft Office 365 plugin for Secure File Sharing: Users send and receive files from Outlook and Office while Kiteworks automatically replaces attachments with governed, encrypted links. Policies for access, expiration, watermarking, and DLP are enforced consistently, and all activity is centrally logged to support audits across borders. Learn more: https://www.kiteworks.com/platform/simple/microsoft-office-365/
- Phishing and Malware Risk Reduction for Microsoft Ecosystem: Offloading external file delivery to Kiteworks reduces exposure to spoofed Microsoft-branded links and weaponized attachments. Strong recipient verification, threat scanning, and secure-link delivery harden Microsoft 365 against credential theft and ransomware attacks. Learn more: https://www.kiteworks.com/secure-file-sharing/microsoft-is-a-magnet-for-phishing-attacks/ | https://www.kiteworks.com/platform/simple/secure-file-sharing/
- Centralized Governance, Sovereignty, and Key Ownership: Even when content originates in Microsoft 365, Kiteworks applies geo-specific controls, unified logging, and customer-owned key encryption to keep providers out of your data. This helps satisfy data residency mandates and limits lawful-access exposure while preserving collaboration. Learn more: https://www.kiteworks.com/platform/private-data-network/ | https://www.kiteworks.com/platform/compliance/data-sovereignty/
By adding these layered controls through the Microsoft Office 365 plugin, Kiteworks helps multinational teams move data confidently across borders without sacrificing compliance, security, or productivity.
To learn more about Kiteworks for enhancing secure file sharing when using Microsoft 365, schedule a custom demo today.
Frequently Asked Questions
Organizations can use Customer-Managed Keys, allowing them to control their encryption keys in Azure Key Vault for enhanced compliance and security.
Encryption is maintained for files stored and shared within Microsoft 365, but downloaded files lose automatic protection and should be safeguarded with additional controls or solutions.
Best practices include enabling both at-rest and in-transit encryption, using sensitivity labels, managing encryption keys, routinely auditing encryption policies, and educating users about secure file sharing.
Sensitivity labels automatically apply encryption and restrict access based on file classification, ensuring that only authorized individuals can view or edit sensitive content.