GA of Customer Key in Office 365 at Ignite
Published Oct 10 2017 10:02 AM 17.4K Views

Many customers have shared that they need to meet compliance obligations that specify key management arrangements with their cloud service provider.


At Ignite, we announced general availability of Customer Key in Office 365, which enables customers to provide and control their own encryption keys used to encrypt their Office 365 data at-rest.


With Customer key, customers are in control of their keys and can exercise the ability to revoke the keys to make their data unreadable to the service, and initiate the path towards data deletion. This can help organizations meet a wide array of compliance obligations, even in a few regulatory pockets around the world that specify that customers need to provide and control their own encryption keys.


Since Customer Key is built on top of service encryption, customers also receive an added layer of protection on top of BitLocker, and a more granular level of control in Office 365. For instance, in Exchange Online, you can have up to 50 data encryption policies corresponding to different mailbox groups, and in SharePoint Online and One Drive for Business, you can have encryption policies per tenant, or per geography for a multi-geo tenant.


Due to the risk of data destruction, Customer Key also offers an availability key, which provides a strong key escrow model in case keys are lost or stolen for increased data integrity and availability. However, if the customer revokes their keys, the availability key is destroyed along with the customers' data as part of the data deletion process.


For audit and assurance, customers can verify Customer Key activity through PowerShell and validate Customer Key controls through upcoming independent third party SOC audits (report available Fall 2017 for Exchange Online and Spring 2018 for SharePoint Online and OneDrive for Business).


Get Started Today!


Eligible Microsoft 365 E5 customers can start using Customer Key or learn how to try or buy a Microsoft 365 subscription


As mentioned above there are serious risks that come with managing your own encryption keys. Be sure to review all the suggested content below, which can help clarify some common misunderstandings of customer-managed encryption keys such as BYOK, HYOK and any other *YOK solutions, and help mitigate many of the common mismanagement errors that we have seen. 



Lastly, Office 365 uses a variety of technologies to enable customers to protect and control their data, including multiple encryption solutions that encrypt customers' data in-transit and at-rest. Get acquainted with Customer Key and the different encryption technologies through the resources provided below.


Let us know what you think and engage with us here on TechCommunity!




Caroline Shin


Customer Key Resources            


Office 365 Encryption Resources



4/29/20: Updated licensing statement. For more detailed view on eligible licenses go here

Version history
Last update:
‎Apr 29 2020 08:39 AM
Updated by: