PII except for user email addresses is encrypted at rest.
The Azure Virtual Appliance (AVA) ingests users’ Office 365 work data from the Microsoft Graph API. The AVA does not persist the bodies or message headers of emails/calendar events; it only persists the relevant metadata it needs to function. All user PII except for user email addresses is encrypted at rest. Internal services communicate with each other either through HTTP requests or through message queues. Encryption in transit for internal traffic between AVA services (entirely within the customer tenant) is on the roadmap but not implemented in the current version. All secrets and keys are stored and maintained with Azure Key Vault.