Bring Your Own Key — Solving Microsoft 365

Bring Your Own Key (BYOK) is the encryption model where the customer provides the root encryption key used by a cloud service — rather than the service generating and managing keys internally. In Microsoft 365, BYOK underpins Customer Key (for service encryption of Exchange, SharePoint, OneDrive, Teams) and sensitivity-label encryption via Azure Key Vault for protected documents. The customer stores keys in Azure Key Vault in their own subscription; Microsoft uses the keys to encrypt content but can't decrypt without customer authorisation. A stricter variant — Hold Your Own Key (HYOK) — kept keys on-premises and was deprecated in favour of Azure Key Vault-based BYOK. Required by some regulatory regimes; over-engineered for most general business use.