Office 365 Customer Key

There have been many questions over the years many organizations have asked, is it possible for customers to apply their own encryption keys to data at rest stored in Office 365.  Office 365 already utilizes several encryption at rest solutions for all data in Office 365, but sometimes customers have compliance regulations that they must support so that they can have control of an encryption key to their data in Office 365.  Customer Key for Office 365 can be used to satisfy those requirements.

There are several considerations you should think about before using this solution.  Read the FAQs on this solution.  Key management becomes critical and there is a recovery key process.

Finally, this solution will provide encryption at the root and its intended purpose is for customers to use this key as a way to protect data if the customer ever intends to leave the Office 365 service.  Customer keys can be destroyed when leaving the Office 365 service ensuring that no one has access to data will the data is going through it final deletion stages.  This solution is not intended to change the dynamics of Online Service Terms for third-party data requests to Microsoft nor does it change access rules for customer data for Microsoft personnel who are supporting the service.  There are other capabilities like Customer Lockbox which can mitigate a customer’s concern for how Microsoft personnel access customer data.

To get this solution, you must purchase Office 365 Advanced Compliance which is part of the E5 Suite, plus customers must purchase Azure Key Vault licenses.

Please read all these references.
Customer Key General Availability Announcement - https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/GA-of-Customer-Key-in-Office-365-at-Ignite/ba-p/115134

Announcement - https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Bringing-deeper-integration-and-new-capabilities-to-Office-365/ba-p/109409
https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Bringing-deeper-integration-and-new-capabilities-to-Office-365/ba-p/109409

Presentation from Ignite - https://myignite.microsoft.com/sessions/53748?source=sessions

Video of How it works with SPO - https://youtu.be/y-BSmEhdk7c?t=8m18s

Customer Key FAQs (highly recommend reading) - https://support.office.com/en-us/article/Customer-Key-for-Office-365-FAQ-41ae293a-bd5c-4083-acd8-e1a2b4329da6

Overview and Configuration Instructions - https://support.office.com/en-us/article/Controlling-your-data-in-Office-365-using-Customer-Key-f2cd475a-e592-46cf-80a3-1bfb0fa17697

Azure Key Vault Reference - https://docs.microsoft.com/en-us/azure/key-vault/
https://docs.microsoft.com/en-us/azure/key-vault/