Service encryption with Microsoft 365 Customer Key

Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM), which ensures customer data is always encrypted at rest in the Microsoft 365 service. Microsoft 365 offers an added layer of encryption at the application layer for content, including data from Exchange Online, SharePoint Online, OneDrive, and Teams, called service encryption.
Microsoft 365 Customer Key is built on service encryption, providing a layer of encryption at the application layer for data at rest, and allows the organization to provide and control the encryption keys used to encrypt customer data in Microsoft's datacenters. Customer Key provides additional protection against viewing of data by unauthorized systems or personnel, complementing BitLocker disk encryption in Microsoft datacenters. Customer Key enhances the ability of organizations to meet the demands of compliance requirements that specify key arrangements with the cloud service provider, assisting customers in meeting regulatory or compliance obligations for controlling root keys.
Microsoft 365 Customer Key now supports Microsoft Teams! After the organization provides the keys, Microsoft 365 uses them to encrypt data at rest as described in the Online Services Terms (OST). The organization can create a data encryption policy (DEP) and assign it to encrypt certain Microsoft 365 data for all tenant users. While multiple DEPs can be created per tenant, only one DEP can be assigned at a time. For customers already using Customer Key for Exchange Online and SharePoint Online, data encryption policies add broader control and now include support for Microsoft Teams! Once a DEP is created and assigned, it will encrypt the following data for all tenant users:
Teams chat messages (1:1 chats, group chats, meeting chats and channel conversations)
Teams media messages (images, code snippets, video messages, audio messages, wiki images)
Teams call and meeting recordings stored in Teams storage
Teams chat notifications, Teams chat suggestions by Cortana, Teams status messages
User and signal information for Exchange Online
Exchange Online mailboxes that aren't already encrypted using mailbox level DEPs
Microsoft Information Protection exact data match (EDM) data (data file schemas, rule packages, and the salts used to hash the sensitive data)
When a DEP is assigned, encryption begins automatically but will take some time to complete depending on the size of the tenant. For Microsoft Information Protection and Teams, a Customer Key DEP encrypts new data from the time of DEP assignment. We are working to bring support for encrypting past data. For Exchange Online, the DEP starts encrypting all existing and new data. For more details on using Microsoft 365 Customer Key across multiple workloads and how to get started, please see Service encryption with Customer Key.
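The create-then-assign procedure described above, as an added example written for this page rather than taken from the post or from Microsoft's documentation. It uses the Exchange Online PowerShell cmdlets for tenant-level (multi-workload) DEPs and assumes the Customer Key onboarding prerequisites are already complete; the admin account, policy name and the two Azure Key Vault key URIs are placeholders. It also checks for an existing assignment first, because only one tenant-level DEP can be assigned at a time, and shows how to see whether a given mailbox is already covered by a mailbox-level DEP (such mailboxes are not re-encrypted by the tenant DEP).

```powershell
# Added example: create and assign a Customer Key data encryption policy (DEP).
# Placeholders: admin UPN, policy name, and both key vault key URIs.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$policyName = 'Contoso-M365-Tenant-DEP'
$keyIds = @(
    'https://contoso-ck-vault1.vault.azure.net/keys/contoso-ck-key1',  # placeholder key 1
    'https://contoso-ck-vault2.vault.azure.net/keys/contoso-ck-key2'   # placeholder key 2
)

# 1. Create the DEP. Customer Key uses two keys held in separate key vaults so that
#    loss of access to one vault does not make tenant data unrecoverable.
New-M365DataAtRestEncryptionPolicy -Name $policyName `
    -AzureKeyIDs $keyIds `
    -Description 'Tenant-level Customer Key DEP: Teams, Exchange Online and MIP EDM data'

# 2. Inspect the current tenant-level assignment before assigning. Only one DEP can be
#    assigned at a time, so assigning a new one replaces whatever is shown here and
#    starts re-encryption of existing Exchange Online data with the new keys.
Write-Host 'Current tenant-level DEP assignment (empty if none):'
Get-M365DataAtRestEncryptionPolicyAssignment | Format-List

# 3. Assign the new DEP. Encryption begins automatically; completion time depends on
#    tenant size, and Teams/MIP data is encrypted from this point forward.
Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy $policyName

# 4. Verify the policy definition and that the assignment now points at it.
Get-M365DataAtRestEncryptionPolicy -Identity $policyName | Format-List
Get-M365DataAtRestEncryptionPolicyAssignment | Format-List

# 5. Mailboxes already protected by a mailbox-level DEP keep that DEP and are not
#    re-encrypted by the tenant DEP. Check one mailbox (placeholder identity) to see
#    which DEP currently applies to it.
Get-MailboxStatistics -Identity user1@contoso.example | Format-List DataEncryptionPolicyID

Disconnect-ExchangeOnline -Confirm:$false
```

Run the assignment step only after the key vault permissions and availability checks that the Customer Key setup guide describes have been confirmed; if step 2 shows an existing assignment, treat the change as a key rotation for the whole tenant rather than a no-op.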