Implement DKE B2B scenarios

Published Mar 11 2021 01:00 PM 1,996 Views

Double Key Encryption (DKE) enables customers to protect their most confidential content using a key they control, thereby allowing them to comply with regulatory requirements. DKE ensures that Microsoft cannot access their data under any circumstances.

Most customers implementing DKE are trying to limit access to their most sensitive content to users of their own tenant. But some customers asked how DKE can also be used for B2B scenarios. This blog shows the additional steps for allowing Contoso to share DKE protected content with Fabrikam users.

Please observe that this blog post does not replace the official documentation for implementing DKE, it merely describes the additional steps required.



This section defines the technical prerequisites.

  1. The URL of the DKE service needs to be accessible both for Contoso and Fabrikam users.
  2. The DKE URL needs to be based on a DNS domain registered in the Azure AD tenant of your organisation. For instance, if you plan to use the URL for the DKE service, the DNS domain needs to be registered in your tenant. Please refer to our documentation for registering a custom domain.


Overview on the steps

Making DKE available for users of the Fabrikam tenant requires several steps:

  1. Adapt the app registration to allow «Multitenant» authentication, if that’s not already the case.
  2. Trusting the Fabrikam Azure AD tenant as valid token issuer and adding the email addresses of the Fabrikam users in the configuration file.
  3. Grant permissions to the Fabrikam users in the sensitivity label protection settings.
  4. Have a Fabrikam user access a DKE protected document as first step to grant consent.
  5. Ask the Fabrikam Global Admin to grant consent for accessing the DKE service on behalf of all Fabrikam users.

Details to these steps are provided in the following sections.


Make sure the app registration for DKE supports «Multitenant» authentication

If a DKE service were meant for users of your tenant exclusively, its app registration authentication may be limited to «single tenant».

But since the DKE content needs to be accessibly to users from the Fabrikam tenants, you have to select the option «Accounts in any organizational directory (Any Azure AD directory – Multitenant)», as shown here:



Changes required on the configuration file

You need to ensure both the home tenant and all tenants of your business partners are contained in the configuration file.

The following configuration file excerpt shows both Contoso and Fabrikam tenants are trusted:


Email addresses of the Fabrikam users also need to be included in the configuration file. The following excerpt from the configuration file shows how Adele Wilber from Fabrikam is also allowed to access the DKE service:



Make sure the sensitivity label grants permission to Fabrikam users

Fabrikam users may only access content from your tenant, if the respective label grants them access – this applies to DKE labels as well.

Here all users both from and may access data protected by the DKE label:



Initial steps for granting consent for users of the Fabrikam tenant

To initiate granting consent for Fabrikam users to the DKE service, a user of the Fabrikam tenant with normal privileges first needs to open a DKE protected document from Contoso.

This initial attempt is expected to fail, the user will see an exclamation mark besides the account in the title bar, indicating there’s an issue with the account. (Please observe that Contoso users opening content protected by their own DKE service do not get this experience.)

The user performs the following steps:

1. Click on the account in the title bar:


2. Select «Sign in» and re-authenticate as needed:


3. Accept requested permissions:



Global Admin of Fabrikam tenant grants consent for all tenant users

The following steps are needed by the Global Admin of the Fabrikam tenant in order to grant consent on behalf of his users:

1. Sign in to the Azure portal, open “Azure Active Directory” and select “Enterprise applications”.

2. Select the Contoso DKE app:


3. Select «Permissions»:


4. Select «Grant admin consent for Fabrikam»:


5. Re-authenticate as needed:


6. Accept permissions:


7. Refresh and verify the permissions are available:



Conclusion and next steps

After performing these steps, both Contoso and Fabrikam users may open DKE protected content by Contoso.
Please observe that Fabrikam users may not protect new content with the Contoso DKE service, they need to implement a DKE service of their own instead. If they intend to share DKE protected content with users from the Contoso tenant, they also need to go through the steps in this blog post.
If Contoso decides to share content with Woodgrove Bank as well, the steps described in this blog post need to be repeated with their tenant.

1 Comment
Version history
Last update:
‎May 11 2021 02:02 PM
Updated by: