In September 2020 we learnt that Customer managed encryption keys coming for Microsoft Teams, now it is available in Public Preview.
Customer Key in Office 365 is offered in Office 365 E5, Microsoft 365 E5, Microsoft 365 E5 Compliance, and Microsoft 365 E5 Information Protection & Governance SKUs.
Customer Key requires two keys for each data encryption policy (DEP). To create two keys, you must create two Azure subscriptions. You need a paid, invoiced Azure Subscription using either an Enterprise Agreement or a Cloud Service Provider (CSP). Azure Subscriptions purchased using Pay As You Go plans or using a credit card aren’t supported for Customer Key. You need to create a premium Azure Key Vault in each subscription.
Using keys the customer provides, you can encrypt the following data:
- Teams chat messages (1:1 chats, group chats, meeting chats and channel conversations)
- Teams media messages (images, code snippets, video messages, audio messages, wiki images)
- Teams call and meeting recordings stored in Teams storage
- Teams chat notifications
- Teams chat suggestions by Cortana
- Teams status messages
- User and signal information for Exchange Online
- Exchange Online mailboxes that aren’t already encrypted Customer Key DEPs at the application level
- MIP exact data match (EDM) data – (data file schemas, rule packages, and the salts used to hash the sensitive data)
Note, Public preview doesn’t support encrypting past data, it will start encrypting from the time the data encryption policy (DEP) and assigned to the tenant.
A known issue in preview: When you enable Customer Key at the tenant level, you can’t create a new team in Microsoft Teams.
More information:
Microsoft blog: Customer Key support for Microsoft Teams now in Public Preview!
Documentation: Overview of Customer Key for Microsoft 365 at the tenant level (public preview)
