Blog Post

Microsoft Teams Blog
2 MIN READ

Customer Key support for Microsoft Teams now Generally Available!

Microsoft_Teams_team's avatar
May 13, 2021

Service encryption with Microsoft 365 Customer Key
Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM) which ensures customer data is always encrypted at rest in the Microsoft 365 service with BitLocker and DKM. Microsoft 365 offers an added layer of encryption at the application layer for content, including data from Exchange Online, SharePoint Online, OneDrive, and Teams, called service encryption.


Microsoft 365 Customer Key is built on service encryption, providing a layer of encryption at the application layer for data-at-rest and allows the organization to provide and control the encryption keys used to encrypt customer data in Microsoft’s datacenters. Customer Key provides an additional protection against viewing of data by unauthorized systems or personnel, complimenting BitLocker disk encrypted in Microsoft datacenters. Customer Key enhances the ability of organizations to meet the demands of compliance requirements that specify key arrangements with the cloud service provider, assisting customers in meeting regulatory or compliance obligations for controlling root keys.

Microsoft 365 Customer Key now supports Microsoft Teams!
After providing the keys, Microsoft 365 then uses the provided keys to encrypt data at rest as described in the Online Services Terms (OST). The organization can create a data encryption policy (DEP) and assign it to encrypt certain Microsoft 365 data for all tenant users. While multiple DEPs can be created per tenant, only one DEP can be assigned at a time. For customers already using Customer Key for Exchange Online and SharePoint online, data encryption policies add broader control and now includes support for Microsoft Teams! Once a DEP is created and assigned, it will encrypt the following data for all tenant users:

  • Teams chat messages (1:1 chats, group chats, meeting chats and channel conversations)
  • Teams media messages (images, code snippets, video messages, audio messages, wiki images)
  • Teams call and meeting recordings stored in Teams storage
  • Teams chat notifications, Teams chat suggestions by Cortana, Teams status messages
  • User and signal information for Exchange Online
  • Exchange Online mailboxes that aren't already encrypted using mailbox level DEPs
  • Microsoft Information Protection exact data match (EDM) data – (data file schemas, rule packages, and the salts used to hash the sensitive data)

When a DEP is assigned, encryption begins automatically but will take some time to complete depending on size of the tenant. For Microsoft Information Protection and Teams, Customer Key DEP encrypts new data from the time of DEP assignment. We are working to bring support to encrypting past data. For Exchange Online, the DEP starts encrypting all existing and new data.
For more details on using Microsoft 365 Customer Key across multiple workloads and how to get started, please see Service encryption with Customer Key.

 

Customer Key support for Microsoft Teams is currently available in general commercial and government commercial clouds only.

Updated Aug 04, 2021
Version 2.0
  • Very welcome addition 🙂 Teams team (no pun intended ;-D) is so awesome!!!

  • ctd-dc's avatar
    ctd-dc
    Copper Contributor

    Question:  If we already make use of a policy assigned to all mailboxes, which as we understand includes Teams information, what does this recently announced functionality provide?  Does it cover Teams data not exclusively stored in the mailbox?  Thanks for your efforts re. data encryption.  The other announcement about E2E is well received!

  • ctd-dc correct, it covers more Teams data than was previously available thru Customer Key for Exchange, SharePoint + OneDrive. Thanks for the positive feedback!

  • Microsoft_Teams_team  I could not find the steps to implement this in the technet article Manage Customer Key - Microsoft 365 Compliance | Microsoft Docs. If I have already implement customers keys with Exchange Online mailbox and SPO/ODFB/Teams files is this step still necessary? I'd assume for this exercise i will need to assign another customer key for Teams but the steps are not documented in technet. One more thing, will apply this to impact production users on Teams?  Appreciate the response

  • Does it mean that Teams call recording data which is stored temporarily for 21 days in Teams storage will also be encrypted with Customer Key at rest?