Announcing public preview of Double Key Encryption for Microsoft 365

Published 07-21-2020 08:00 AM 22.8K Views

The prevalence of remote work in today’s environment relies heavily on the sharing of information, challenging organizations to drive productivity while maintaining data privacy and regulatory compliance. Organizations in highly regulated industries such as financial services and healthcare face additional challenges. Some of their data (e.g., trade secrets, patents, and financial algorithms) needs the highest level of protection and controls. Failure to protect this mission-critical data not only tarnishes a company’s reputation, but can lead to a loss of customer trust and cost millions of dollars. It is more important than ever to maintain control of your highly sensitive data and prevent third-party access to it.


Microsoft 365 provides built-in data protection by encrypting customer data, both at rest and in transit. For added protection, we encrypt customer data at the application layer and provide flexible key management solutions. Customers can further protect their data based on content using Microsoft Information Protection’s classification and labeling capabilities. Adding to our data protection solutions, we are pleased to announce the public preview of Double Key Encryption for Microsoft 365. Double Key Encryption helps organizations protect their mission-critical data - a small volume of their overall data.


Highly regulated industries are increasingly focused on enhancing their data protection and privacy programs due to the rising threat of data breaches and identity theft[1]. In 2019, more than 60 percent of all leaked records exposed were those of financial services organizations[2], and healthcare organizations saw a 37 percent increase in data breaches[3]. With Microsoft Information Protection, we provide customers with a broad set of capabilities that helps them meet most of their data protection needs for organization-wide data. With Double Key Encryption for Microsoft 365, we now enhance the depth of protection for highly sensitive data to meet specialized requirements.


Double Key Encryption enables you to protect your highly sensitive data while keeping full control of your encryption key. It uses two keys to protect your data—one key in your control, and a second key is stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security.  


With Double Key Encryption, you can:

  • Maintain full control of your key
  • Enjoy a consistent labeling experience
  • Simplify deployment


Maintain full control of your key

You can host the Double Key Encryption service used to request your key, in a location of your choice (on-premises key management server or in the cloud) and maintain it as you would any other application. Double Key Encryption puts you in control by providing you the ability to add necessary access controls to the Double Key Encryption service, and the flexibility to store the encrypted data on-premises or in the cloud. You can move your highly sensitive data to the cloud and be confident about preventing third-party access as you maintain full control of your key. Double Key Encryption allows you to store your data and key in the same location and help meet regulatory requirements across several regulations and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Russia’s data localization law – Federal Law No. 242-FZ, Australia’s Federal Privacy Act 1988, and New Zealand’s Privacy Act 1993.


Enjoy a consistent labeling experience

Storing your highly sensitive data in an on-premises infrastructure typically results not only in high costs, but an inconsistent user experience across different systems. Double Key Encryption uses the Azure Information Protection unified labeling client to provide a consistent labeling experience across your data estate. Admins and users with required permissions can create labels with Double Key Encryption in the Microsoft 365 compliance center, just like they can for any other sensitivity label type. Once the label is created, admins can assign policies to the labels in the Microsoft 365 compliance center. Users can protect their data by selecting the Double Key Encrypted label in the Sensitivity ribbon in Microsoft Office, providing a consistent experience.


DKE pic 1.png

 Figure 1: Creating a label with Double Key Encryption in the Microsoft 365 compliance center


DKE pic 3.png

 Figure 2: Labeling with Double Key Encryption in Word


Simplify deployment

Organizations often store their mission-critical data on-premises to maintain control and prevent unauthorized access. Implementing on-premises data storage and protection solutions warrants heavy investments in talent and resources to deploy, integrate, and maintain the complicated infrastructure. We are simplifying the deployment process for the Double Key Encryption service by providing implementation code with detailed instructions. You can access the code and instructions by cloning the Double Key Encryption repository from GitHub and update it with your tenant or on-premises Active Directory and public and private keys. Once your Double Key Encryption service is deployed and verified, you will be ready to create labels and protect your mission-critical data.


Get started today

Double Key Encryption is available as part of the Microsoft 365 E5 and Office 365 E5 suite. If you don’t have a Microsoft 365 E5 license, you can sign up for a trial. To get started with Double Key Encryption, navigate to GitHub to clone this repository and set up the Double Key Encryption service. To learn more, see this documentation on Double Key Encryption.


[1] Cap Gemini: Data privacy in financial services industry

[2] Infosecurity Magazine: Financial services breaches

[3] Infosecurity Magazine: Healthcare data breaches


Occasional Contributor

@Benjy Levin Is this applicable to only documents labelled using "Data Classification" or Emails as well ? 

Senior Member



MIP and OME uses the same RMS service in the background for protection/encryption. You should be able to deploy the Sensitivity Label, that uses the Double Key Encryption (I expect it's an RMS Template) to Exchange Online.
But keep in mind that this will be very tricky with external receipients, as you will need to authorize them to access your key to be able to read encrypted mails. Not sure you want that though :)

For Emails, I think it is better to stay with OME and/or S/MIME (for internal receipients, which actually is the most safe option in regards to third party access to encrypted mails compared to OME = RMS with MS Managed Key)

Occasional Visitor

Is this an development based on "Customer Key"? Will it replace "Customer Key"?


@GeorgW this is unrelated to Customer Key. It is more related to HYOK - Hold Your Own Key. 


@dipendas1979 as part of this Public Preview, we have currently only announced support for documents (WXP files).

Occasional Visitor

@Benjy Levin : Ok, I see. So "Customer Key" offers the customer to bring his key (BYOK) to the encryption in the Cloud and "Double Key Encryption" give the customer the option to hold his key (HYOK) for the encryption in the Cloud anywhere he want.

Established Member

@GeorgW Customer Key is for O365 service encryption of data-at-rest. Double Key Encryption is a new option for Azure Information Protection and sort of a hybrid between BYOK and HYOK for AIP.


@Benjy Levin DKE works like a charm and really add value for regulated customer. I've tested using Mobile app (Office WORD, EXCEL ...) but seems that native mobile apps are not aware of DKE. When this will work with the mobile app ? Can it work on Microsoft E3 or Azure Information Protection P2 at least ? 

Senior Member



What's the best way to verify the use of DKE within a protected document?

How can I verify if the DKE was applied with success to the document/email?




@andrevrodrigues you can open the document in notepad and search for "Microsoft.DKE.Key" -- the presence of this would mean that the document was protected using DKE. Alternatively, you can try opening the content in an older version of Office that does not support DKE and should see a failure when trying to decrypt the content. 

Senior Member

Hi @Benjy Levin, thank you for your message, but I had a problem at the moment, I can't even apply a label with the DKE to the documents.

Every time I try I get multiple errors on a different scenarios:

Create a new Word doc - "Word cannot save or create this file. Make sure that the disk you want to save the file on is not full, write-protected, or damaged".

Substitute older label to DKE label in a doc. - The document can't save successfully.

Apply a label to pdf file - I can't open after, even being Owner


I have:

  • Microsoft 365 Apps for enterprise
  • Enterprise Mobility + Security E5


I already refresh the templates, multiple times.


@andrevrodrigues please ensure that you are using the correct version of the Office Client that supports DKE as per

and that you have configured your DKE service correctly, and modified the registry key settings for the Office Clients as mentioned in the documentation. If you have any further issues or require additional assistance, please reach out to our IP community on Yammer or open a support ticket. 


@andrevrodrigues , I know when this kind of errors may happens

- user has no access to your DKE endpoint

- issue on the keys access control

your DKE endpoint is not configured correctly on your Azure tenant for user_imporsonation or callback URL maybe wrong


Senior Member

@Benjy Levin I cannot find the specific path, as indicated:


[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\flighting] -> I only have the CurrentVersion, which is 1.0.4114.0 and Server

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\flighting] -> I only have the CurrentVersion, OfficeClientVersion, which is 1.0.2456.0, RMSOServerVerification and Server.

Senior Member

@duokey I have Service Administrator role on app service and i'm Owner on App registration.


"your DKE endpoint is not configured correctly on your Azure tenant for user_imporsonation or callback URL maybe wrong" - how can I validate?

I follow all the steps at the Microsoft Docs: Double Key Encryption (DKE) - Microsoft 365 Compliance | Microsoft Docs

Not applicable

@Benjy Levin  has this gone into GA now?


@Deleted Yes! See for more info. 

Senior Member

Hi @Benjy Levin,


In the available documentation about DKE configuration, there is no reference about migrating BYOK protected files to DKE labels, is it possible? As documented for HYOK protected files.




@andrevrodrigues yes this relabeling should be compatible with DKE-based labels.

Version history
Last update:
‎May 11 2021 02:03 PM
Updated by: