GA of Customer Key in Office 365 at Ignite

Many customers have shared that they need to meet compliance obligations that specify key management arrangements with their cloud service provider.


At Ignite, we announced general availability of Customer Key in Office 365, which enables customers to provide and control their own encryption keys used to encrypt their Office 365 data at-rest.


With Customer key, customers are in control of their keys and can exercise the ability to revoke the keys to make their data unreadable to the service, and initiate the path towards data deletion. This can help organizations meet a wide array of compliance obligations, even in a few regulatory pockets around the world that specify that customers need to provide and control their own encryption keys.


Since Customer Key is built on top of service encryption, customers also receive an added layer of protection on top of BitLocker, and a more granular level of control in Office 365. For instance, in Exchange Online, you can have up to 50 data encryption policies corresponding to different mailbox groups, and in SharePoint Online and One Drive for Business, you can have encryption policies per tenant, or per geography for a multi-geo tenant.


Due to the risk of data destruction, Customer Key also offers an availability key, which provides a strong key escrow model in case keys are lost or stolen for increased data integrity and availability. However, if the customer revokes their keys, the availability key is destroyed along with the customers' data as part of the data deletion process.


For audit and assurance, customers can verify Customer Key activity through PowerShell and validate Customer Key controls through upcoming independent third party SOC audits (report available Fall 2017 for Exchange Online and Spring 2018 for SharePoint Online and OneDrive for Business).


Get Started Today!


Customer Key is available as part of the Office 365 Enterprise Suite called E5, or the Advanced Compliance SKU. Separately, customers must purchase the appropriate Azure Key Vault licenses to protect and manage their cryptographic keys.


As mentioned above there are serious risks that come with managing your own encryption keys. Be sure to review all the suggested content below, which can help clarify some common misunderstandings of customer-managed encryption keys such as BYOK, HYOK and any other *YOK solutions, and help mitigate many of the common mismanagement errors that we have seen. 



Lastly, Office 365 uses a variety of technologies to enable customers to protect and control their data, including multiple encryption solutions that encrypt customers' data in-transit and at-rest. Get acquainted with Customer Key and the different encryption technologies through the resources provided below.


Let us know what you think and engage with us here on TechCommunity!




Caroline Shin


Customer Key Resources            


Office 365 Encryption Resources



You might want to address the BYOK/HYOK debacle here :)


The Ignite sessions were great btw, kudos to the presenters and the team!

Great post and great news to some customers like banks for example !


@Vasil Michev Thanks for the feedback! We will need to do another post on that topic. In the meantime I edited the post to call this out. Thanks for the shout out to the team!  


Occasional Contributor

Any updates on BYOK for SPO? If its a different page, please link a direct answer. The BYOK page is very vague and does not address SPO. Thanks!


Hi Caroline,


Its a great post, but we need some clarify around how mailbox administration is different when customer keys are applied. Example i have a customer who wants to restrict access to set of O365 mailboxes on which we have customer key enabled to be accessible only to admins who have the keys?


There seems to be no content impact of this enabling feature around Outlook access etc..