Microsoft (Nasdaq “MSFT” @microsoft) is the leading platform and productivity company for the mobile-first, cloud-first world, and its mission is to empower every person and every organization on the planet to achieve more.


Thales TCT integrates with numerous Microsoft products to provide federal customers with best-of-breed security solutions meeting all necessary standards and compliance requirements.


Thales data discovery and classification, advanced encryption and centralized key management solutions give you protection and control of data stored on your premises, in Microsoft Azure, and other cloud providers. Thales technology enables you to:

  • Avoid cloud vendor encryption lock-in and ensure the data mobility you need while you efficiently and securely spread workloads and data across multiple cloud vendors, including Microsoft Azure, with centralized, independent encryption management
  • Take secure advantage of Azure Key Vault with centralized key management that spans multiple clouds
  • Identify attacks faster with data access logging to industry-leading SIEM applications
  • Reduce or eliminate risks arising from compromised credentials with advanced encryption including privileged user access controls
  • Architect applications for the cloud with built-in security using vaultless tokenization with dynamic data masking

Active Directory Federation Services (AD FS) is a tool installed on Windows servers that provides users throughout an enterprise with single sign-on (SSO) access to network and cloud-based resources. AD FS verifies user identities based on an exchange of private and secure information generated from a variety of authentication technologies–including certificate-based authentication, OTP, OOB, and pattern-based authentication–generated from a wide variety of form factors, such as hardware, software, or mobile tokens. When users authenticate to AD FS, they need only sign in once to then receive access to multiple web applications over the life of a single online session.

Thales TCT Luna T-Series HSMs integrate with AD FS to secure the token signing and certificate private keys. By keeping the token signing and certificate keys in a Luna HSM, organizations preserve the integrity of the authentication transaction. Since these materials never leave the hardware appliance, unauthorized users never have access to the materials they would need to steal to impersonate an authorized user. When Luna HSMs serve as the secure root of the SSO infrastructure, organizations can rest assured that identity verification transactions will be uncompromised.

Thales authentication solutions integrate with AD FS, enabling organizations to implement strong authentication for AD FS-supported clients and web-based applications, such as Office 365. Acting as the trusted identity provider, the SafeNet portfolio of authentication solutions extends Active Directory identities to AD FS-supported environments. Thales solutions provide a wide range of authentication methods. Additionally, SafeNet authentication solutions integrate with the Thales AD FS agent to provide the authentication mechanism for its SSO features. Through the AD FS agent, organizations can implement strong authentication policies for AD FS-supported clients and web-based applications.

Active Directory Certificate Services (AD CS) is a management tool for the administration of cryptographic materials used in public key infrastructures (PKI). More specifically, AD CS is the service that provides the core functionality for Windows Server’s certification authority (CA). Certificates enhance security by assigning the identity of a person, device, or service to a specific private key to ensure proper identity verification during sensitive cryptographic transactions. For organizations that rely on PKI, AD CS offers a cost-effective, efficient, secure way to manage the distribution and use of these certificates.

Fundamental to the integrity of this infrastructure is the CA’s root cryptographic signing key, which is used to sign the public keys of certificate holders and its own public key. The compromise of a CA’s root key, whether by malicious intent or by accident, can have catastrophic consequences. Best practice dictates that this root-signing key be diligently stored in a tamper-proof hardware security module (HSM).

Organizations that use AD CS in their infrastructure can store their encryption keys and certificates in Thales TCT’s Luna T-Series HSM.


Microsoft Online Certificate Status Protocol (OCSP) is used to validate a certificate’s status in real time. Using OCSP, administrators manage and distribute revocation status information on certificates in PKI environments. OCSP integrates with Luna T-Series HSM to verify, and revoke if necessary, certificates residing in the hardware security module.

Microsoft SQL Server is a powerful relational database that enables organizations to scale operations with confidence, improve IT and developer efficiency, and effectively manage business intelligence on a self-service basis. With SQL Server, enterprises can process large volumes of data in fractions of a second, making data mining and near-instant insights easy.

Thales TCT Luna T-Series HSMs integrate with Microsoft SQL Server to securely store encryption keys and manage such cryptographic operations as key creation, deletion, SQL encryption, and SQL decryption. Adding Thales TCT HSMs allows administrators to store SQL Server’s master cryptographic keys within a protected hardware appliance and not on the same software platform where encrypted data is stored. Verifiable audit trails act as a deterrent and serve as evidence that keys are properly managed and secured throughout their entire lifecycle, which makes demonstrating compliance easier.

In addition to the Thales TCT Luna Network HSM, the high-assurance Thales TCT Luna PCIe HSM can also be integrated directly in the Microsoft SQL Server.

Votiro + Microsoft 365

Votiro proactively removes malware threats from Office 365 email content and attachments, without significantly delaying email delivery. Votiro’s patented Content Disarm and Reconstruction-as-a-Service technology identifies the known-good elements of files, selecting them and moving them to a clean file template in a single, seamless process.