Encryption for SaaS Products like Office 365 is topic. You need to understand, that default and BYOK (CYOK) with Azure Key Vault is the key. New is DKE with give you the chance to have only for MIP (Files) the chance to bring your own key (Thales fo example with DKE Connector / test with a Windows Server) into the system.
Ignite Session 2017
SaaS Encryption: lies, damned lies, and hard truths | Microsoft Ignite 2017 | Channel 9 (msdn.com)