One of the concerns that keep many companies from adopting software-as-a-service for e-mail and other collaboration services has been the issue of who has control over the security of the content. Today at the RSA Conference, Microsoft is announcing changes to its Office 365 service that will allay some of those concerns, giving customers greater visibility into the security of their applications and control over what happens with them. At the same time, it will potentially be harder for government agencies and law enforcement to secretly subpoena the contents of an organization’s e-mail.

Office 365 will now include a “Customer Lockbox” feature that puts customer organizations in control of when Microsoft employees can gain access to their data, requiring explicit permission from a customer before systems can be accessed to perform any sort of service on their Office 365 services. The capability will be turned on by the end of 2015 for e-mail and for SharePoint by the end of the first quarter of 2016.

Microsoft is also extending its file-level encryption of data at rest in Office 365 to Exchange e-mail; previously, only files in SharePoint had file-level encryption. And the implementation of that file-level protection is an intermediate step to Microsoft’s next big security improvement—the ability for customers to provide their own encryption keys for content, to be delivered sometime in 2016.

And while Microsoft has provided Office 365 customers with a variety of activity logging, the company is preparing to release an application programming interface that will allow customers and third-party developers to tap more deeply into management and security event data to both visualize activity and automate workflow for security tasks. Several third-party developers have already built integration hooks for their platforms based on the API, which will be made more widely available in a private preview program this summer.