Announced at the last Ignite and available in Public Preview for some time since, the feature has already been used by some companies to bring their own key (BYOK) and use it for Microsoft Teams. Now this feature is generally available:
Customer Key for Microsoft Teams (Service Encryption)
In addition to volume-level encryption at rest (BitLocker), Microsoft Teams, Exchange Online and SharePoint Online/OneDrive for Business also use service encryption.
This service encryption has two variants:
- Microsoft managed key
- Customer Key

The Customer Key variant is now generally available and can be used for Microsoft Teams.
How does it work?
As a customer, you can supply the root key used by service encryption through Azure Key Vault. This is called Bring Your Own Key (BYOK): the key is provided by the customer and stored in their own Azure Key Vault.
Using Customer Key, you can generate your own cryptographic keys using an on-premises Hardware Security Module (HSM) or Azure Key Vault (AKV). Regardless of how you generate the key, you use AKV to control and manage the cryptographic keys used by Office 365. After your keys are stored in AKV, they can be used as the root of one of the key bundles that encrypts your mailbox data or files.
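Preparing the Key Vault side of this, as an added example in PowerShell (Az module) that is not part of the original post: it creates a Premium vault with purge protection, generates an HSM-protected RSA root key and grants the Microsoft 365 service principals only the key operations the service needs. Vault name, resource group, region and the service-principal application IDs are placeholders.

```powershell
# Added example (not from the original post): prepare an Azure Key Vault for
# Customer Key with the Az PowerShell module. Names, resource group, region and
# the service-principal IDs are placeholders; replace them with your own values.
$ResourceGroup = 'rg-customerkey'          # placeholder
$VaultName     = 'kv-customerkey-contoso'  # placeholder, must be globally unique
$Location      = 'westeurope'              # placeholder
$KeyName       = 'm365-customer-key-1'     # placeholder

# Customer Key needs the Premium SKU (HSM-protected keys) and soft delete plus
# purge protection, so a root key cannot be permanently destroyed by mistake
# while Microsoft 365 data still depends on it. Purge protection is irreversible.
New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup `
    -Location $Location -Sku Premium -EnablePurgeProtection

# Generate the root key inside the vault's HSM (alternatively, import a key
# generated on an on-premises HSM). RSA 2048 is the size the Customer Key
# setup guidance calls for.
Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName `
    -Destination HSM -KeyType RSA -Size 2048

# Least privilege for the service: it only has to wrap/unwrap the data
# encryption policy keys and read key metadata, never delete, purge or backup.
# The application IDs are placeholders; take the real ones from the
# Customer Key setup documentation for your cloud.
$M365ServicePrincipals = @(
    '<exchange-online-app-id>',
    '<sharepoint-online-app-id>'
)
foreach ($AppId in $M365ServicePrincipals) {
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $AppId `
        -PermissionsToKeys wrapKey, unwrapKey, get
}

# Verify the vault state before onboarding; these are the properties the
# onboarding checks will look at.
$Vault = Get-AzKeyVault -VaultName $VaultName
[pscustomobject]@{
    Sku             = $Vault.Sku
    SoftDelete      = $Vault.EnableSoftDelete
    PurgeProtection = $Vault.EnablePurgeProtection
    KeyType         = (Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName).Key.Kty
}
```

Run it once per vault; Customer Key expects the root keys in two separate vaults, so repeat with a second vault name before creating the data encryption policy.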
European service providers for keys
Currently, there are only two EU providers supported by Microsoft:
Advantages of bringing your own key
- Provides an additional layer of protection on top of BitLocker.
- Separates Windows operating system administrators from access to the application data stored or processed by the operating system.
- Includes a Customer Key option that lets multi-tenant services offer per-customer key management.
- Enhances Microsoft 365's ability to meet the needs of customers who have specific compliance requirements regarding encryption.
“Another benefit of Customer Key is control over Microsoft’s ability to process your data. If you want to remove data from Office 365, for example, if you want to terminate service with Microsoft or remove some of your data stored in the cloud, you can do that and use Customer Key as a technical control. Removing data ensures that no one, including Microsoft, can access or process the data. Customer Key is additional and complements the customer lockbox you use to control access to your data by Microsoft employees.”
Which services/functions are covered by the Customer Key variant?
The following features are covered by the Customer Key feature that has now become GA:
- Teams chat messages (1:1 chats, group chats, meeting chats and channel conversations).
- Teams media messages (images, code snippets, video messages, audio messages, wiki images)
- Teams call and meeting recordings stored in the Teams store
- Teams chat notifications, Teams chat suggestions through Cortana, Teams status messages
- User and signal information for Exchange Online
- Exchange Online mailboxes that are not already encrypted with DEPs at the mailbox level
- Microsoft Information Protection data with Exact Data Match (EDM) – (data file schemas, rule packages, and the salts used to hash the sensitive data)
To use this feature you will need:
- One of the following licenses, for all tenant users:
  - Office 365 E5
  - Microsoft 365 E5
  - Microsoft 365 E5 Compliance
  - Microsoft 365 Information Protection and Governance
- Azure Key Vault Premium / an Azure subscription, for setup and usage.
- Service encryption with Customer Key
- Set up Customer Key
- Manage Customer Key
- Roll or rotate a Customer Key or an availability key
- Understand the availability key