
What is Microsoft 365 service encryption?

In addition to using volume-level encryption, Exchange Online, Microsoft Teams, SharePoint Online, OneDrive for Business, and Windows 365 Cloud PCs also use service encryption to encrypt customer data.

Service encryption allows for two key management options, Microsoft-managed keys and customer-managed keys.

Service encryption provides multiple benefits:

  • Provides a layer of protection for all Microsoft 365 services and Windows 365 Cloud PCs. For Microsoft 365 services, service encryption is an extra layer of protection on top of BitLocker.

  • Provides separation of Windows operating system administrators from access to application data stored or processed by the operating system.

  • Includes a Customer Key option that enables multitenant services to provide per-tenant key management.

  • Enhances the ability of Microsoft 365 and Windows 365 to meet your specific compliance requirements regarding encryption.

What are Microsoft-managed keys?

By default, Microsoft manages all cryptographic keys including the root keys for service encryption. This option, called Microsoft-managed keys, is enabled by default for Exchange Online, SharePoint Online, OneDrive for Business, and Windows 365 Cloud PCs. Microsoft-managed keys provide default service encryption unless you decide to onboard using Customer Key. If, at a later date, you decide to stop using Customer Key without following the data purge path, then your data stays encrypted using the Microsoft-managed keys. Your data is always encrypted at this default level at a minimum.

What is Customer Key?

Customer Key is a customer-managed key solution. With Customer Key, you supply root keys used with service encryption and you manage these keys using Azure Key Vault while Microsoft manages all other keys. Customer Key is available for Exchange, SharePoint and OneDrive for Business, and Windows 365 Cloud PCs (Enterprise and Frontline modes).

Windows 365 support for Microsoft Purview Customer Key is generally available, including Windows 365 Frontline (Dedicated and Shared).

Using Customer Key, you generate your own cryptographic keys. You can use an on-premises Hardware Security Module (HSM) or Azure Key Vault (AKV) to generate your keys. AKV lets you control and manage the cryptographic keys used by Microsoft 365. Customer Key uses the keys stored in the AKV as the root of one of the key chains that encrypts your mailbox data or files.

Customer Key provides you with more control over how Microsoft processes your data. For example, you can use Customer Key as a technical control if you want to terminate service with Microsoft or remove a portion of your data stored in the cloud. Removing data ensures no one, including Microsoft, can access or process the data. Customer Key is in addition to, and complementary to, Customer Lockbox, which you use to control access to your data by Microsoft personnel.

To learn how to set up Customer Key for Exchange Online, Microsoft Teams, SharePoint Online, including Team Sites, and OneDrive for Business, see these articles: