If a user could gain direct access to the storage containing the data, the content isn’t interpretable to a human or any system other than SharePoint Online. For example, when a user uploads a file to SharePoint Online, the file is disassembled, translated into application code, and stored in multiple tables across multiple databases.
It stores objects as abstracted code within application databases. SharePoint Online has several independent mechanisms that provide data isolation. Content isn’t partitioned per tenant, but multi-tenancy is enforced through RBAC.
Skype for Business stores data in various places: Content in tenant A can’t in any way be obtained by users in tenant B, unless explicitly approved by tenant A. The mailboxes for each tenant are limited to identities authenticated against the tenant's authentication provider, which includes only users from that tenant. The access control list (ACL) that secures a mailbox contains an identity authenticated by Azure AD at the tenant level. By default, only the assigned user has access to a mailbox. An authorization code secures each mailbox, including within a tenancy. User mailboxes include saved Skype for Business content, such as conversation histories.Įach mailbox database within Exchange Online contains mailboxes from multiple tenants. This includes user mailboxes, linked mailboxes, shared mailboxes, and public folder mailboxes. Mailboxes are hosted within Extensible Storage Engine (ESE) databases called mailbox databases.
Exchange OnlineĮxchange Online stores customer data within mailboxes. SharePoint Online uses both SQL Server storage and Azure Storage, hence the need for extra isolation of customer data at the storage level. Exchange Online (including Exchange Online Protection) and Skype for Business use their own storage for customer data. Microsoft 365 uses both physical storage and Azure cloud storage. The federated model used within Microsoft 365 and Azure AD provides the shared view of the data. Azure AD is the "system of truth" for shared data, which is typically small and static data used by every service. Microsoft 365 services cooperate with Azure AD in this data model. Specific systems own individual pieces of data, but no single system holds all the data. Within this model, there’s no single source of directory data. In addition to the directory information held within Azure AD, each of the service workloads have their own directory services infrastructure. At a high level, Azure AD and the service directories are the containers of tenants and recipients kept in sync using state-based replication protocols. Azure Active Directory (Azure AD) and Microsoft 365 use a highly complex data model that includes tens of services, hundreds of entities, thousands of relationships, and tens of thousands of attributes.