Customer Key for Microsoft 365
How Customer Key lets you bring your own encryption keys for Microsoft 365 service encryption — and when to use it.
Customer Key is the Microsoft 365 capability that lets a customer provide and manage the root encryption keys used to encrypt their tenant data at rest. Microsoft uses your keys to encrypt content; you control whether Microsoft can decrypt it. It's the strongest form of customer-controlled encryption in Microsoft 365.
What Customer Key encrypts
Customer Key applies to data at rest in:
- Exchange Online mailboxes.
- SharePoint Online sites.
- OneDrive for Business.
- Microsoft Teams files (stored in SharePoint).
- Microsoft 365 Copilot content (when Copilot is in scope).
It's a service-level encryption layer on top of Microsoft's default storage encryption. Default storage encryption uses Microsoft-managed keys; Customer Key adds a customer-managed key as a wrapper.
The architecture
Customer Key works with Azure Key Vault in the customer's own Azure subscription:
- Customer creates two RSA keys in two separate Azure Key Vaults (in two regions, for resilience).
- Customer grants permissions to Microsoft's specific service principal to wrap/unwrap with those keys.
- Customer creates a data encryption policy (DEP) in the Microsoft 365 admin center referencing those keys.
- Microsoft applies the DEP to relevant mailboxes / sites / OneDrives.
- Microsoft encrypts the data using a chain that ends at the customer's keys in Azure Key Vault. Without the customer's keys, the data cannot be decrypted.
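The first three steps of that chain, written out as an added PowerShell example (not code from the original article or from Microsoft): two Key Vaults in two regions with purge protection, wrap/unwrap-only keys, a least-privilege access policy for Microsoft's Exchange Online service principal, and a DEP that references both keys, applied to a pilot mailbox. Vault names, regions, the resource group and the mailbox address are placeholders; the Az and ExchangeOnlineManagement modules are assumed installed and already signed in.

```powershell
# Added example, not from the original article. Assumes Connect-AzAccount and
# Connect-ExchangeOnline have already been run. All names are placeholders.
$rg     = 'rg-customerkey'
$vaults = @(
    @{ Name = 'kv-ck-primary';   Location = 'westeurope'  },
    @{ Name = 'kv-ck-secondary'; Location = 'northeurope' }   # second region for resilience
)
# Well-known first-party app ID for Exchange Online (assumed from public Microsoft
# documentation; confirm against the current Customer Key docs before granting access).
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'
$keyIds   = @()

foreach ($v in $vaults) {
    # Premium SKU for HSM-backed keys; purge protection (with soft delete) means a key
    # cannot be deleted immediately and permanently, so revocation stays a deliberate act.
    New-AzKeyVault -Name $v.Name -ResourceGroupName $rg -Location $v.Location `
                   -Sku Premium -EnablePurgeProtection | Out-Null

    # RSA key restricted to wrapKey/unwrapKey: it wraps lower-level keys, never data.
    $key = Add-AzKeyVaultKey -VaultName $v.Name -Name 'm365-customer-key' `
                             -Destination HSM -KeyOps wrapKey,unwrapKey -Size 2048

    # Least privilege: Microsoft's service principal gets get, wrapKey and unwrapKey only.
    Set-AzKeyVaultAccessPolicy -VaultName $v.Name -ServicePrincipalName $exoAppId `
                               -PermissionsToKeys get,wrapKey,unwrapKey

    # Versionless key URI, so rotating the key does not require a new policy.
    $keyIds += "https://$($v.Name).vault.azure.net/keys/$($key.Name)"
}

# One DEP referencing both keys (one per vault / region).
New-DataEncryptionPolicy -Name 'EXO-CustomerKey-EU' `
    -Description 'Customer Key DEP, EU regions' -AzureKeyIDs $keyIds

# Apply to a pilot mailbox first and confirm the assignment before wider rollout.
Set-Mailbox -Identity 'pilot.user@contoso.example' -DataEncryptionPolicy 'EXO-CustomerKey-EU'
Get-Mailbox -Identity 'pilot.user@contoso.example' |
    Select-Object DisplayName, DataEncryptionPolicy
```

SharePoint Online and OneDrive use a separate service principal and their own registration cmdlets, so the access policy and policy-creation steps are repeated for that workload.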
What this gives you
- Cryptographic control — Microsoft cannot decrypt the data without the customer's permission.
- Data destruction by key revocation — revoke the keys, the data is rendered unrecoverable (the legal "data destruction" scenario).
- Compliance evidence — auditable proof of customer-controlled encryption.
Important caveats
Customer Key is sometimes mis-positioned. It's important to understand:
- It doesn't prevent Microsoft from accessing data during normal operation. Microsoft engineers still need to perform support and operations; Customer Lockbox controls that access, not Customer Key.
- Sensitivity-label encryption is different — it encrypts specific labelled files end-to-end, including in transit and at recipient devices. Customer Key is about underlying storage encryption.
- It doesn't replace TDE, sensitivity labels, or DLP — it complements them.
- Key revocation is permanent — once you destroy the keys and Microsoft's caches expire, the data is gone. There's no recovery.
When Customer Key is the right answer
Customer Key matters for organisations facing:
- Specific regulatory requirements — some industry frameworks require customer-controlled keys (parts of financial services, healthcare, certain defence scenarios).
- Multinational compliance — when the data residency requirements include cryptographic sovereignty.
- High-sensitivity tenants — typically where the regulator or contract explicitly requires it.
For most organisations, Customer Key is overkill. The default Microsoft service encryption already covers the threats most relevant to most businesses; sensitivity labels handle content-level protection.
Operational realities
- Key management is your responsibility — including geographic resilience, rotation, and access control to Key Vault.
- Two Key Vaults in two regions are required for the encryption policy. Plan for the Azure costs.
- Onboarding takes weeks — Microsoft validates your setup before applying policies.
- Decommissioning takes weeks — destroying keys triggers a holding period before data becomes permanently inaccessible.
Licensing
Customer Key requires Microsoft 365 E5 or the standalone Office 365 Advanced Compliance licence, plus an Azure subscription for the Key Vault hosting.
For organisations that genuinely need it, Customer Key is a powerful compliance lever. For organisations without specific regulatory drivers, the operational overhead usually outweighs the benefit.