Microsoft 365 provides baseline, volume-level encryption through BitLocker and Distributed Key Manager (DKM). Windows 365 Enterprise and Business Cloud PC disks are encrypted using Azure Storage server-side encryption (SSE).
To give you more control, Microsoft 365 also offers an added layer of encryption for your content through Customer Key. This content includes data from Microsoft Exchange, SharePoint, OneDrive, Teams, and Windows 365 Cloud PCs.
BitLocker isn’t supported as an encryption option for Windows 365 Cloud PCs. For details, see Using Windows 10 virtual machines in Intune.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Important
Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.
How service encryption, BitLocker, SSE, and Customer Key work together
Your Microsoft 365 data is always encrypted at rest using BitLocker and Distributed Key Manager (DKM). For details, see How Exchange secures your email secrets.
Customer Key adds extra protection against unauthorized access to your data. It complements BitLocker disk encryption and server-side encryption (SSE) in Microsoft data centers. Service encryption isn’t designed to block Microsoft personnel from accessing your data. Instead, Customer Key helps you meet compliance or regulatory requirements by letting you control the root encryption keys.
You explicitly authorize Microsoft 365 to use your encryption keys to deliver value-added services like eDiscovery, anti-malware, anti-spam, and search indexing.
Built on top of service encryption, Customer Key lets you provide and control encryption keys. Microsoft 365 uses these keys to encrypt your data at rest, as described in the Online Services Terms (OST). Because you control the encryption keys, Customer Key helps you meet compliance requirements.
Customer Key improves your ability to meet compliance standards that call for key control arrangements with your cloud provider. You provide and manage the root encryption keys for your Microsoft 365 data at rest at the application level. This setup gives you direct control over your organization’s encryption keys.
Customer Key with hybrid deployments
Customer Key encrypts only data at rest in the cloud. It doesn’t protect on-premises mailboxes or files. To protect on-premises data, use a separate method like BitLocker.
Learn about data encryption policies
A data encryption policy (DEP) defines the encryption hierarchy. Services use this hierarchy to encrypt data with both the keys you manage and the availability key that Microsoft protects. You create a DEP using PowerShell cmdlets, then assign it to encrypt application data.
Customer Key supports three types of DEPs. Each type uses different cmdlets and protects a different kind of data:
DEP for multiple Microsoft 365 workloads
These DEPs encrypt data across several Microsoft 365 workloads for all users in the tenant. Workloads include:
- Windows 365 Cloud PCs. For details, see Microsoft Purview Customer Key for Windows 365 Cloud PCs.
- Teams chat messages (1:1 chats, group chats, meeting chats, and channel conversations)
- Teams media messages (images, code snippets, video messages, audio messages, wiki images)
- Teams calls and meeting recordings stored in Teams storage
- Teams chat notifications
- Teams chat suggestions by Cortana
- Teams status messages
- Microsoft 365 Copilot interactions
- User and signal information for Exchange
- Exchange mailboxes that a mailbox DEP doesn’t encrypt
- Microsoft Purview Information Protection:
  - Exact Data Match (EDM) data, including data file schemas, rule packages, and the salts used to hash sensitive data
  - Sensitivity label configurations

For EDM and Teams, the DEP encrypts new data starting from when you assign it to the tenant. For Exchange, Customer Key encrypts all existing and new data.
Multi-workload DEPs don’t encrypt the following types of data. This data is protected using other encryption methods in Microsoft 365:
- SharePoint and OneDrive data
- Teams files and some Teams calls and meeting recordings saved in SharePoint or OneDrive (encrypted by the SharePoint DEP)
- Teams Live Event data
- Workloads not supported by Customer Key, such as Viva Engage and Planner
You can create multiple DEPs per tenant but assign only one at a time. Encryption begins automatically after assignment, though completion time depends on tenant size.
DEPs for Exchange mailboxes
Mailbox DEPs give you more control over individual Exchange Online mailboxes. You can use them to encrypt data in UserMailbox, MailUser, Group, PublicFolder, and Shared mailboxes.
You can have up to 50 active mailbox DEPs per tenant. You can assign one DEP to multiple mailboxes, but only one DEP per mailbox.
By default, Exchange mailboxes are encrypted using Microsoft-managed keys. When you assign a Customer Key DEP:
- If a mailbox is already encrypted using a multi-workload DEP, the service rewraps it with the mailbox DEP the next time a user or system accesses the data.
- If a mailbox is encrypted with Microsoft-managed keys, the service rewraps it with the mailbox DEP when accessed.
- If a mailbox isn’t yet encrypted, the service marks it for a move. Encryption happens after the move. Mailbox moves follow Microsoft 365-wide priority rules. For details, see Move requests in the Microsoft 365 service. If a mailbox isn’t encrypted in time, contact Microsoft.
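The following Exchange Online PowerShell session is an added example, not part of this page, that walks through the DEP lifecycle described here and under "Learn about data encryption policies": create a mailbox DEP from two Azure Key Vault keys, assign it to a mailbox, and check whether re-wrapping has completed. It assumes an existing Connect-ExchangeOnline session and completed Customer Key onboarding; the vault names, key names and mailbox address are placeholders.

```powershell
# Added example (not Microsoft's own code): create, assign and verify a
# Customer Key mailbox DEP. Assumes Connect-ExchangeOnline has already run.

# Two root keys, one per Azure Key Vault (placeholder vault and key names).
$keyIds = @(
    'https://contoso-ck-vault-01.vault.azure.net/keys/Contoso-CK-Key-01',
    'https://contoso-ck-vault-02.vault.azure.net/keys/Contoso-CK-Key-02'
)

# Guard rail from the text above: at most 50 active mailbox DEPs per tenant.
$activeCount = (Get-DataEncryptionPolicy | Where-Object { $_.Enabled }).Count
if ($activeCount -ge 50) {
    throw "Tenant already has $activeCount active mailbox DEPs; the limit is 50."
}

# Create the mailbox DEP that binds the two key URIs into one encryption hierarchy.
$dep = New-DataEncryptionPolicy -Name 'Finance mailboxes' `
    -Description 'Customer Key DEP for the finance department' `
    -AzureKeyIDs $keyIds

# A mailbox carries exactly one DEP; assigning a new one replaces the previous.
$mailbox = 'alex.wilber@contoso.example'   # placeholder mailbox
Set-Mailbox -Identity $mailbox -DataEncryptionPolicy $dep.Identity

# Verify the assignment and the encryption state. IsEncrypted becomes True once
# the service has re-wrapped the mailbox (or moved it, if it was not yet encrypted).
Get-Mailbox -Identity $mailbox | Format-List DisplayName, DataEncryptionPolicy
Get-MailboxStatistics -Identity $mailbox | Format-List IsEncrypted

# Tenant-wide check: list mailboxes that have a DEP assigned but are not yet
# encrypted, so lagging mailboxes can be followed up as the text advises.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.DataEncryptionPolicy } |
    ForEach-Object {
        $stats = Get-MailboxStatistics -Identity $_.Identity
        [pscustomobject]@{
            Mailbox     = $_.PrimarySmtpAddress
            Policy      = $_.DataEncryptionPolicy
            IsEncrypted = $stats.IsEncrypted
        }
    } |
    Where-Object { -not $_.IsEncrypted }
```

Running the final check periodically after assignment shows which mailboxes are still waiting on a re-wrap or move.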
You can later refresh the DEP or assign a different one as described in Manage Customer Key for Office 365.
Each mailbox must meet licensing requirements to use Customer Key. For more info, see Before you set up Customer Key.
You can assign DEPs to shared, public folder, and group mailboxes as long as your tenant meets the licensing requirements for user mailboxes. You don’t need separate licenses for non-user-specific mailboxes.
You can also request that Microsoft purge specific DEPs when leaving the service. For details on purging and revoking keys, see Revoke your keys and start the data purge path process.
When you revoke access to your keys, Microsoft deletes the availability key. This deletion results in cryptographic deletion of your data, helping you meet compliance and data remanence requirements.
DEP for SharePoint and OneDrive
This DEP encrypts content stored in SharePoint and OneDrive, including Teams files stored in SharePoint.
- If you use the multi-geo feature, you can create one DEP per geo.
- If not, you can only create one DEP per tenant.
For setup instructions, see Set up Customer Key.
Encryption ciphers used by Customer Key
Customer Key uses different encryption ciphers to protect keys, as shown in the following diagrams.
The key hierarchy used for DEPs that encrypt data across multiple Microsoft 365 workloads is similar to the one used for individual Exchange mailboxes. The corresponding Microsoft 365 Workload Key replaces the Mailbox Key.