Double Key Encryption (DKE) lets customers protect their most confidential content with a key they hold and control themselves, which helps them meet regulatory requirements. Because decrypting DKE-protected content requires both the customer-held key and the key held in Azure, Microsoft cannot access that data on its own.
Most customers implementing DKE want to limit access to their most sensitive content to users of their own tenant. Some customers, however, have asked how DKE can also be used in B2B scenarios. This post describes the additional steps needed for Contoso to share DKE-protected content with Fabrikam users.
Note that this post does not replace the official documentation for implementing DKE; it only describes the additional steps required for the B2B case.
This section defines the technical prerequisites.
Making DKE available to users of the Fabrikam tenant requires several steps:
1. Register the DKE service app so that accounts from any Azure AD directory (multitenant) can sign in.
2. Add the Fabrikam tenant to the trusted tenants in the DKE service configuration file.
3. Add the email addresses of the Fabrikam users to the DKE service configuration file.
4. Grant Fabrikam users usage rights in the DKE sensitivity label.
5. Have a Fabrikam user trigger the consent prompt for the Contoso DKE service.
6. Have a Global Admin of the Fabrikam tenant grant admin consent on behalf of the tenant's users.
Details for these steps are provided in the following sections.
If a DKE service is meant for users of your own tenant exclusively, the authentication setting of its app registration can be limited to «single tenant».
Since the DKE-protected content also needs to be accessible to users from the Fabrikam tenant, you have to select the option «Accounts in any organizational directory (Any Azure AD directory – Multitenant)» under Supported account types in the app registration's Authentication settings. Without this, users from other tenants cannot sign in to the DKE service at all.
Both your home tenant and the tenants of all your business partners must be listed as trusted tenants in the DKE service configuration file. The DKE service validates the issuer of each caller's token, and a token for a Fabrikam user is issued by the Fabrikam tenant, so requests from Fabrikam users are rejected unless that tenant is trusted.
In the configuration used here, both the Contoso and the Fabrikam tenant are trusted.
The email addresses of the Fabrikam users also need to be added to the configuration file, because the list of authorized users is an allow-list: a valid token from a trusted tenant is not sufficient on its own. In the configuration used here, Adele Wilber from Fabrikam is added so that she is allowed to access the DKE service.
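As an added example (not the configuration from the original post), the following PowerShell builds a constructed appsettings.json excerpt in the shape used by the DKE reference implementation and checks it for the two B2B requirements above: the partner tenant is a trusted issuer and the partner users are on the allow-list. The property names ValidIssuers and AuthorizedEmailAddress are taken from the DKE deployment documentation as I recall it and should be treated as an assumption; the tenant IDs and addresses are placeholders, and Test-DkeB2BConfig is my own helper.

```powershell
# Added example (not from the original post): check a DKE service appsettings.json
# for the B2B prerequisites. The property names ValidIssuers and
# AuthorizedEmailAddress follow the DKE reference implementation as I recall it
# (assumption); every identifier below is a placeholder.

$contosoTenantId  = '11111111-1111-1111-1111-111111111111'   # placeholder
$fabrikamTenantId = '22222222-2222-2222-2222-222222222222'   # placeholder

# Constructed excerpt: both tenants are trusted issuers and one Fabrikam user is on the allow-list.
$appSettingsJson = @"
{
  "AuthorizedEmailAddress": [
    "alex.wilber@contoso.com",
    "adele.wilber@fabrikam.com"
  ],
  "ValidIssuers": [
    "https://sts.windows.net/$contosoTenantId/",
    "https://sts.windows.net/$fabrikamTenantId/"
  ]
}
"@

function Test-DkeB2BConfig {
    param(
        [Parameter(Mandatory)] [string]   $Json,
        [Parameter(Mandatory)] [string[]] $PartnerTenantIds,
        [Parameter(Mandatory)] [string[]] $PartnerUsers
    )
    $cfg = $Json | ConvertFrom-Json
    $problems = @()

    foreach ($tid in $PartnerTenantIds) {
        # The service validates the caller's token issuer against ValidIssuers;
        # a token for a Fabrikam user is issued by the Fabrikam tenant, not by Contoso.
        $issuer = "https://sts.windows.net/$tid/"
        if (@($cfg.ValidIssuers) -notcontains $issuer) {
            $problems += "Tenant $tid is not a trusted issuer (expected $issuer)"
        }
    }
    foreach ($user in $PartnerUsers) {
        # AuthorizedEmailAddress is an allow-list: a valid token alone does not grant key access.
        if (@($cfg.AuthorizedEmailAddress) -notcontains $user) {
            $problems += "User $user is not in AuthorizedEmailAddress"
        }
    }

    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

# For a deployed service, replace $appSettingsJson with: Get-Content .\appsettings.json -Raw
Test-DkeB2BConfig -Json $appSettingsJson `
                  -PartnerTenantIds $fabrikamTenantId `
                  -PartnerUsers 'adele.wilber@fabrikam.com'
```

Run the check against the real appsettings.json of the DKE service before handing the label to the partner; a missing issuer shows up as a token validation failure on the service, a missing address as an authorization failure, and both look the same to the end user (the document simply does not open).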
Fabrikam users can only access content from your tenant if the respective label grants them usage rights; this applies to DKE labels as well.
In the label used here, all users from both contoso.com and fabrikam.com are granted access to data protected by the DKE label. Note that both gates must agree: the label's usage rights and the DKE service's allow-list each deny access on their own.
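The same label change made with Security & Compliance PowerShell instead of the compliance portal, as an added example that is not part of the original post. The label name, the DKE service URL and the domains are placeholders; Set-Label, Get-Label and the Encryption* parameters are the documented cmdlets and parameters, while the property names used in the final verification are assumed to match the parameter names.

```powershell
# Added example (not from the original post): grant usage rights on the DKE label to
# all users of contoso.com and fabrikam.com with Security & Compliance PowerShell.
# Label name, DKE URL and domains are placeholders.
Connect-IPPSSession    # sign in as a Contoso compliance administrator

$labelName = 'Highly Confidential - DKE'   # placeholder label display name
$dkeUrl    = 'https://dke.contoso.com'     # placeholder URL of the Contoso DKE service

# Rights use the form "identity:RIGHT,RIGHT;identity:RIGHT"; a bare domain covers
# every user of that tenant. Keep partner rights to what they need (no OWNER/EXTRACT).
$rights = 'contoso.com:VIEW,EDIT,PRINT;fabrikam.com:VIEW,EDIT'

Set-Label -Identity $labelName `
          -EncryptionEnabled $true `
          -EncryptionProtectionType Template `
          -EncryptionDoubleKeyEncryptionUrl $dkeUrl `
          -EncryptionRightsDefinitions $rights

# Verify: both domains should now appear in the label's rights definitions.
# (Property names on the returned object are assumed to match the parameter names.)
Get-Label -Identity $labelName -IncludeDetailedLabelActions $true |
    Format-List Name, EncryptionEnabled, EncryptionDoubleKeyEncryptionUrl, EncryptionRightsDefinitions
```

Granting rights to a whole partner domain is convenient, but it means every Fabrikam account can pass the label check; the DKE service's allow-list of email addresses is then the narrower of the two gates and should list only the partner users who really need the content.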
To initiate granting consent for Fabrikam users to the DKE service, a user of the Fabrikam tenant with normal privileges first needs to open a DKE-protected document from Contoso. Signing in and accepting the requested permissions creates the service principal for the Contoso DKE app in the Fabrikam tenant, which is what makes the app appear under Enterprise applications for the Fabrikam admin in the next section. (If user consent is disabled in the Fabrikam tenant, the user is told that admin approval is needed instead.)
This initial attempt is expected to fail; the user will see an exclamation mark next to the account in the title bar, indicating that there is an issue with the account. (Contoso users opening content protected by their own DKE service do not get this experience, because the app registration lives in their home tenant.)
The user performs the following steps:
1. Click the account in the title bar.
2. Select «Sign in» and re-authenticate as needed.
3. Accept the requested permissions.
The following steps are performed by a Global Admin of the Fabrikam tenant in order to grant consent on behalf of the tenant's users:
1. Sign in to the Azure portal, open “Azure Active Directory” (now Microsoft Entra ID) and select “Enterprise applications”.
2. Select the Contoso DKE app.
3. Select «Permissions».
4. Select «Grant admin consent for Fabrikam».
5. Re-authenticate as needed.
6. Review and accept the requested permissions.
7. Refresh the page and verify that the permissions are now listed.
Before accepting in step 6, check that the permissions the Contoso app requests are only those the DKE service needs; tenant-wide admin consent applies to every user of the Fabrikam tenant, not just the ones who will open Contoso content.
After performing these steps, both Contoso and Fabrikam users can open DKE-protected content from Contoso.
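The portal procedure above can also be driven and verified from PowerShell, as an added example that is not part of the original post: the admin-consent endpoint replaces steps 1 to 6 for the Fabrikam Global Admin, and Microsoft Graph PowerShell replaces step 7 by checking that a tenant-wide grant now exists. The tenant ID, application ID and redirect URI are placeholders; the adminconsent endpoint, Connect-MgGraph, Get-MgServicePrincipal and Get-MgOauth2PermissionGrant are real, and the Directory.Read.All scope is one that suffices for the two read calls.

```powershell
# Added example (not from the original post): tenant-wide admin consent for the
# Contoso DKE app in the Fabrikam tenant via the admin-consent endpoint, then a
# verification with Microsoft Graph PowerShell. All IDs and URLs are placeholders.
$fabrikamTenantId = '22222222-2222-2222-2222-222222222222'   # Fabrikam directory (tenant) ID
$contosoDkeAppId  = '33333333-3333-3333-3333-333333333333'   # Contoso DKE app registration (client) ID
$redirectUri      = 'https://dke.contoso.com'                # must be a registered redirect URI of the app

# 1) Build the admin-consent URL. A Fabrikam Global Admin opens it in a browser,
#    reviews the requested permissions and accepts; this is the portal's
#    "Grant admin consent for Fabrikam" in one step.
$consentUrl = "https://login.microsoftonline.com/$fabrikamTenantId/adminconsent" +
              "?client_id=$contosoDkeAppId&redirect_uri=$([uri]::EscapeDataString($redirectUri))"
Write-Output "Open as Fabrikam Global Admin: $consentUrl"

# 2) Verify from the Fabrikam side: the service principal must exist and must
#    carry a tenant-wide (AllPrincipals) delegated permission grant.
Connect-MgGraph -TenantId $fabrikamTenantId -Scopes 'Directory.Read.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$contosoDkeAppId'"
if (-not $sp) {
    throw "No service principal for app $contosoDkeAppId in Fabrikam; nobody has consented yet."
}

$grants     = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'"
$tenantWide = $grants | Where-Object ConsentType -eq 'AllPrincipals'
if ($tenantWide) {
    Write-Output "Admin consent present. Scopes: $($tenantWide.Scope -join ' ')"
} else {
    # Only per-user grants (ConsentType = Principal) come from the step where a single
    # Fabrikam user accepted the prompt; other Fabrikam users will still be blocked.
    Write-Warning 'No tenant-wide grant found; only individual user consent exists.'
}
```

The Graph check is the one to keep: it tells you whether the consent that exists is the tenant-wide grant from the admin or just the per-user grant left behind by the first Fabrikam user who opened a document, which is the difference between "works for everyone" and "works for one person".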
Note that Fabrikam users cannot protect new content with the Contoso DKE service; for that they need to implement a DKE service of their own. If they intend to share DKE-protected content with users from the Contoso tenant, they also need to go through the steps in this blog post, with the roles reversed.
If Contoso decides to share content with Woodgrove Bank as well, the steps described in this blog post need to be repeated for that tenant.