Customer Key support for Microsoft Teams

Securing a company is getting more complex as technology advances. Constant learning and staying updated in this subject are crucial. Security is more than just a product, and knowing this will allow us to understand all the options we have.

Encryption enables protection for the most important asset of an organization: their dataMicrosoft 365 provides baseline, volume-level encryption, enabled by BitLocker and Distributed Key Manager (DKM). This ensures your data is always encrypted.

What’s the Microsoft 365 Customer Key? 

Microsoft 365 delivers this encryption through a built-on service, the Customer Key, which allows organizations to add a layer of encryption of their own.

Authorized users can provide and have complete control over the encryption keys. These are used to encrypt customers’ data in Microsoft datacenters. Once an organization creates a key, Microsoft 365 uses it to encrypt data at rest (this is described in the Online Services Terms).

Also, the customer has the option of creating data encryption policies (DEP), with the objective of encrypting certain data in Microsoft 365, for all tenant users. Although multiple DEPs can be created per tenant, there can only be one assigned at a time.  

Customer Key for Microsoft Teams 

Although the Customer Key data policies support Exchange Online and SharePoint Online, it didn’t support Microsoft Teams. Recently they had an update to add broader control and support for this app.

Once the DEP is assigned the following Microsoft Teams data will be encrypted for all tenant users. 

  • 1:1 chat, group chats, meeting chats and channel conversations messages 
  • Media messages (images, code snippets, video messages, audio messages, wiki images) 
  • Call and meeting recordings in Teams storage 
  • Teams chat notifications, chat suggestions by Cortana, status messages 
  • User and signal information for Exchange Online 
  • Exchange Online mailboxes that aren’t already encrypted using mailbox level DEPs 
  • Microsoft Information Protection exact data match (EDM) data – (data file schemas, rule packages, and the salts used to hash the sensitive data) 

After creating and assigning a DEP, the encryption begins automatically. However, there could be a few exceptions, depending on the size of the tenant. 

Read more about the Microsoft 365 Customer Key here.

If you want to simplify and modernize security, compliance, and identity in your organization, partner with Team Venti. Book a meeting today. 


You might also like: