Pro User
explore our new search
Encrypt Your Data with Self-Owned Keys - Available Now
Image Source:
Jan 11, 2024 1:00 AM

Encrypt Your Data with Self-Owned Keys - Available Now

by HubSite 365 about Microsoft

Software Development Redmond, Washington

Pro UserSecurityM365 Release

Secure your Microsoft 365 data with custom encryption using your own keys. Control access with ease - more power to you!

Key insights


Microsoft 365 datasets now benefit from a new security feature: custom encryption with customer-owned keys, which has become generally available. Customers can select datasets to be delivered to their destination storage account encrypted. They will also receive an encrypted symmetric key along with decryption steps, ensuring data accessibility is restricted to authorized personnel within their tenant.

To utilize this feature, enable the "encryption" property when registering a new app or update your existing app settings. Proper setup of an Azure Key Vault is critical, as it must store public keys and be linked to your Microsoft Graph Data Connect app. After the Microsoft 365 tenant admin approves your app, the encrypted datasets will be sent securely to your storage account.

Note that this encryption capability is currently exclusive to users engaged in Copy Activity with Azure Data Factory or Azure Synapse and are part of the simplified onboarding experience. These steps are essential to leverage this added layer of data security.

  • Brand-new security capability for Microsoft 365 datasets is now generally available.
  • Customers can now keep datasets secure with encryption and receive keys for decryption.
  • Azure Key Vault setup and app approval by tenant admin are necessary to start encrypting datasets.
  • Exclusive to Copy Activity users with Azure Data Factory or Azure Synapse on simplified onboarding.
  • Enabling "encryption" property during app registration or settings update is required.

Enhanced Data Security for Microsoft 365 with Custom Encryption

In keeping with its commitment to security, Microsoft has introduced a robust encryption option for their Microsoft 365 datasets—custom encryption with customer-owned keys. This new offering empowers businesses to safeguard their information more stringently during transit to Azure storage accounts. As security threats evolve, it becomes increasingly essential for organizations to exert greater control over their data. This development by Microsoft provides that control, ensuring only authorized individuals can decipher and access sensitive organizational data. This feature seamlessly integrates with Microsoft's cloud services, illustrating their ongoing dedication to offering highly secure and trusted cloud ecosystems for their user base.

Custom encryption with customer-owned keys is now widely available, following our Ignite announcement. This new feature allows Microsoft 365 users to enhance their data security. By encrypting datasets before they are delivered to the designated storage account, users maintain control over their sensitive information.

Additionally, when the data arrives at its destination, it comes with an encrypted symmetric key. Detailed instructions for decryption are provided, ensuring that only authorized personnel can access the content. This addresses significant data safety concerns within an organization.

To activate this capability, users should enable the "encryption" property during the app registration process. It's also necessary to update the app settings and organize an Azure Key Vault for key management. After the app gains approval from a Microsoft 365 tenant admin, the app will begin to deliver encrypted datasets to the specified storage account.

It's important to note that this encryption feature is available exclusively for users employing Copy Activity with either Azure Data Factory or Azure Synapse. Users must also be part of the simplified onboarding experience to access this capability. This makes sure that data workflow integration and encryption processes are up to date and secure.

For those currently using apps, updating the "encryption" property in the app settings is essential. The procedures for both app registration and updating existing apps have been simplified to facilitate secure data transactions. No social media or advertising content was included in the blog post, keeping the focus purely on the encryption capabilities.

The resources provided include a guide to getting started with encryption using Microsoft Graph Data Connect and a Microsoft 365 Data Security eBook. These materials offer further reading on data governance and security in the context of Microsoft Graph Data Connect, enriching users' knowledge about data management and protection.

Setting up the Encryption Feature

Once your app is vetted by the Microsoft 365 tenant admin, encrypted datasets will be transferred securely. This capability particularly benefits those utilizing Azure Data Factory or Azure Synapse in conjunction with the simplified onboarding process.

Below are steps to enable the new encryption settings:

  • During registration, set the "encryption" property to enable app encryption.
  • For existing apps, update the encryption properties in the app settings.

Please take note that this feature is restricted to users of Copy Activity with Azure Data Factory or Azure Synapse and those on the streamlined onboarding path.

For additional information and assistance:

  • Learn how to use encryption with Microsoft Graph Data Connect via Microsoft documentation.
  • Explore the Microsoft 365 Data Security eBook for insights on data governance and security with Microsoft Graph Data Connect.


custom encryption, customer-owned keys, general availability, data protection, key management, BYOK, encryption-as-a-service, cloud security, data sovereignty, regulatory compliance