Double Key Encryption for Microsoft 365 in Preview

 

• Double key encryption lets customers ensure that content encrypted by Azure Information Protection cannot be accessed by anyone, including Microsoft.
• The feature could enable some organizations to retire Windows Server content protection infrastructure on-premises.
• The preview only supports Windows clients, but Macs and possibly mobile devices are likely to be added as well.

Double key encryption uses two encryption keys, one controlled by Microsoft within Azure, and one managed and controlled by customers in Azure or on-premises, to protect highly confidential content. This type of encryption could help highly regulated customers ensure Azure Information Protection (AIP) meets their regulatory needs, while also enabling the retirement of Windows Server Rights Management Services (RMS) infrastructure on-premises. 

Understanding Double Key Encryption

AIP already uses one Microsoft-controlled encryption key to protect content for each tenant of the service. Customers can also manage keys themselves (bring your own key [BYOK]) within Azure if they are properly licensed.