What is Microsoft Customer Key, and what does it actually protect?
Customer Key is Microsoft's enterprise feature for letting customers hold the encryption keys to their Microsoft 365 data. Here's what it covers, what's required to use it, and how it compares to a default-E2E approach.
Microsoft Customer Key is the Microsoft 365 feature that lets enterprise customers supply their own root encryption keys for the data Microsoft stores on their behalf. Its nearest Google Workspace analogue is Client-side encryption (CSE), but the two differ in mechanism: CSE encrypts content in the browser before upload, so Google never sees plaintext, while Customer Key is server-side encryption whose key hierarchy is rooted in customer-held keys. Both are real key-custody offerings, both are gated behind the top tier of enterprise licensing, and both carry a significant deployment lift.
It's also frequently confused with two adjacent Microsoft features: BitLocker (volume-level encryption on Microsoft's servers; Microsoft holds those keys) and Microsoft Managed Keys (the default service encryption; Microsoft holds those keys too). Of the three, Customer Key is the only one that puts a key Microsoft cannot use without the customer's continued cooperation into the picture.
What Customer Key protects
Customer Key encrypts data at rest in Microsoft's datacenters through a key hierarchy: the per-policy key that actually protects content is itself wrapped by two customer-controlled root keys, held in two Azure Key Vaults. Either root key can unwrap it, so the service keeps running if one vault is unavailable, and Microsoft's service principals are granted only wrap, unwrap and read-metadata rights on keys that never leave the HSM. One caveat matters for buyers: Microsoft also keeps a Microsoft-managed availability key so a tenant that loses or misconfigures its keys is not locked out, which means revoking both customer keys does not by itself make the data unreadable. Only the customer-initiated data purge path, which follows revocation of both keys and deletes the availability key, leaves Microsoft, its own engineers with full admin access included, with nothing but ciphertext.
Covered services (as of mid-2024):
· Exchange Online — mailbox content at rest
· SharePoint Online — site content at rest
· OneDrive for Business — file content at rest
· Teams — chats and channel messages at rest
· Skype for Business Online (legacy; the service was retired in 2021)
What Customer Key does not do:
· End-to-end encryption. The data is decrypted server-side for indexing, search, AI grounding, and content delivery. Customer Key protects the at-rest state; it doesn't make the runtime server-blind.
· Cover all Microsoft 365 surfaces. Power Platform, Dynamics, and many integration surfaces aren't covered.
What a customer has to do to use it
Licensing: Customer Key requires E5-level licensing: Microsoft 365 E5 (the top enterprise tier, typically around $57/user/month on an annual commitment), Office 365 E5, or the Microsoft 365 E5 Compliance add-on on top of E3. It's not available on E3 alone, on the Business plans, or on any consumer or SMB tier.
Run Azure Key Vault: customers supply two RSA keys (2048-bit minimum) held in two Premium, HSM-backed Azure Key Vaults in two separate Azure subscriptions, and grant Microsoft's Exchange Online and SharePoint Online service principals wrapKey, unwrapKey and get permissions on each. The vaults need soft delete and purge protection, and the subscriptions are registered with Microsoft for a mandatory retention period so a key cannot be deleted quickly by mistake. Generation, rotation, backup and access control of those keys are the customer's job.
Data Encryption Policy: a DEP is created via PowerShell and binds the URIs of the two customer keys to a Microsoft service (Exchange Online, SharePoint Online and OneDrive, or the multi-workload policy that covers Teams). Microsoft's services use those root keys to wrap and unwrap the per-policy key that encrypts content; a mailbox or site is protected only once it has been assigned to a DEP and the background re-encryption has finished.
Auditing and recovery procedures: the customer is responsible for ensuring keys are accessible when needed and revoked when not, and Azure Key Vault's diagnostic logs are where the customer sees Microsoft's wrap and unwrap calls. Mismanaged Customer Key revocation can render an entire organization's mail or files permanently unreadable.
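As an added worked example (not Microsoft's documentation and not code from the original page), here is the procedure above for the Exchange Online case, using the Az.Accounts, Az.KeyVault and ExchangeOnlineManagement cmdlets. Subscription, resource group, vault, key, policy and mailbox names are placeholders for a hypothetical tenant; the vaults are assumed to use access-policy (not Azure RBAC) authorization, the two subscriptions are assumed to already be registered with Microsoft for the mandatory retention period, and the service-principal application IDs are the well-known Office 365 Exchange Online and SharePoint Online ones that Customer Key setup grants access to.

```powershell
# Added example: Customer Key for Exchange Online, from vaults to a protected mailbox.
# Requires Az.Accounts, Az.KeyVault and ExchangeOnlineManagement. All names are placeholders.

$ExchangeOnlineAppId   = '00000002-0000-0ff1-ce00-000000000000'  # well-known Office 365 Exchange Online app
$SharePointOnlineAppId = '00000003-0000-0ff1-ce00-000000000000'  # well-known Office 365 SharePoint Online app

# Two vaults, two subscriptions, two regions: the DEP key is wrapped by both root
# keys, so either vault alone keeps the service running.
$Vaults = @(
    @{ Subscription = 'contoso-ck-sub-1'; ResourceGroup = 'rg-customerkey-1'; Location = 'eastus';  Vault = 'contoso-ck-ev1'; Key = 'ContosoCKey1' },
    @{ Subscription = 'contoso-ck-sub-2'; ResourceGroup = 'rg-customerkey-2'; Location = 'westus2'; Vault = 'contoso-ck-ev2'; Key = 'ContosoCKey2' }
)

function New-CustomerKeyVault {
    param([hashtable]$Spec)
    Set-AzContext -Subscription $Spec.Subscription | Out-Null

    # Premium SKU gives HSM-protected keys; purge protection keeps a deleted key or
    # vault recoverable for the retention window instead of letting it vanish.
    New-AzKeyVault -Name $Spec.Vault -ResourceGroupName $Spec.ResourceGroup `
        -Location $Spec.Location -Sku Premium -EnablePurgeProtection | Out-Null

    # RSA 2048 generated inside the HSM: the private key is never exportable.
    Add-AzKeyVaultKey -VaultName $Spec.Vault -Name $Spec.Key -Destination HSM -Size 2048 | Out-Null

    # Least privilege for Microsoft's service principals: wrap, unwrap and read key
    # metadata only. No create, delete, backup or purge rights.
    foreach ($appId in $ExchangeOnlineAppId, $SharePointOnlineAppId) {
        Set-AzKeyVaultAccessPolicy -VaultName $Spec.Vault -ServicePrincipalName $appId `
            -PermissionsToKeys wrapKey, unwrapKey, get
    }
}

function Test-CustomerKeyVault {
    # Precondition check to run before creating the DEP; every column should be True
    # and KeyType should read RSA-HSM.
    param([hashtable]$Spec)
    Set-AzContext -Subscription $Spec.Subscription | Out-Null
    $v = Get-AzKeyVault -VaultName $Spec.Vault
    $k = Get-AzKeyVaultKey -VaultName $Spec.Vault -Name $Spec.Key
    [pscustomobject]@{
        Vault           = $Spec.Vault
        PremiumSku      = ($v.Sku -eq 'Premium')
        SoftDelete      = [bool]$v.EnableSoftDelete
        PurgeProtection = [bool]$v.EnablePurgeProtection
        KeyEnabled      = [bool]$k.Enabled
        KeyType         = $k.Key.Kty
    }
}

function New-MailboxDep {
    # The DEP stores versionless key URIs, so a new key version created during
    # rotation is picked up by Set-DataEncryptionPolicy -Refresh.
    param([string]$Name, [string[]]$KeyUris)
    New-DataEncryptionPolicy -Name $Name -Description 'Customer Key root keys for US mailboxes' -AzureKeyIDs $KeyUris
}

function Protect-Mailbox {
    param([string]$Mailbox, [string]$DepName)
    Set-Mailbox -Identity $Mailbox -DataEncryptionPolicy $DepName
    # Re-encryption is asynchronous: until it completes IsEncrypted is False and the
    # mailbox is still under Microsoft-managed keys. Re-run this check later.
    Get-MailboxStatistics -Identity $Mailbox | Select-Object DisplayName, IsEncrypted, DataEncryptionPolicyID
}

function Update-CustomerKey {
    # Rotation: a new version under the same key name, then tell Exchange to re-wrap.
    param([hashtable]$Spec, [string]$DepName)
    Set-AzContext -Subscription $Spec.Subscription | Out-Null
    Add-AzKeyVaultKey -VaultName $Spec.Vault -Name $Spec.Key -Destination HSM -Size 2048 | Out-Null
    Set-DataEncryptionPolicy -Identity $DepName -Refresh
}

function Revoke-CustomerKeyAccess {
    # First step of the data purge path. Disabling both keys stops Microsoft from
    # unwrapping the DEP key, but the availability key still exists, so this is
    # reversible until the purge request below is processed.
    param([hashtable]$Spec)
    Set-AzContext -Subscription $Spec.Subscription | Out-Null
    Update-AzKeyVaultKey -VaultName $Spec.Vault -Name $Spec.Key -Enable $false
}

function Request-PermanentPurge {
    # Irreversible once Microsoft acts on it: the availability key is deleted.
    param([string]$DepName, [string]$Reason, [string]$Contact)
    Set-DataEncryptionPolicy -Identity $DepName -PermanentDataPurgeRequested `
        -PermanentDataPurgeReason $Reason -PermanentDataPurgeContact $Contact
}

# --- Run: build and check both vaults, create the DEP, protect one mailbox ---
Connect-AzAccount | Out-Null
$Vaults | ForEach-Object { New-CustomerKeyVault -Spec $_ }
$Vaults | ForEach-Object { Test-CustomerKeyVault -Spec $_ } | Format-Table
$keyUris = $Vaults | ForEach-Object { "https://$($_.Vault).vault.azure.net/keys/$($_.Key)" }
Connect-ExchangeOnline -ShowBanner:$false
New-MailboxDep -Name 'Contoso US Mailboxes' -KeyUris $keyUris
Protect-Mailbox -Mailbox 'alice@contoso.example' -DepName 'Contoso US Mailboxes'
# Revoke-CustomerKeyAccess and Request-PermanentPurge are defined but deliberately not called.
```

The two destructive functions are kept separate from the run block on purpose: disabling both keys is the point at which Microsoft can no longer serve the mailboxes, and the purge request is the point past which the article's warning about permanently unreadable mail applies. Run the precondition check on both vaults, and re-run the mailbox check after re-encryption has finished, before treating any data as protected.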
What this means for buyers
Customer Key is a real and meaningful at-rest protection for enterprises that need to constrain Microsoft's ability to access their data — particularly for compliance frameworks that require customer-held keys. For Fortune 500s with security teams that already operate Azure Key Vault, it's a reasonable add-on.
It is not a substitute for end-to-end encryption. Microsoft still has to decrypt data on the server side for the product to work — for search, for Copilot, for any feature that operates on content. Customer Key prevents an at-rest exfiltration from yielding decrypted data; it doesn't prevent a compromised production server from reading what it's serving.
For everyone outside the Fortune 500 — small businesses, professionals, individuals — Customer Key isn't a realistic option. The $57/user/month E5 license, the Azure Key Vault operational lift, and the surface limitations make it enterprise-only by design.
Koaich's approach inverts the model. End-to-end encryption is the default at every surface, no KMS to run, no top-tier license required. The price is that Koaich is a smaller product than Microsoft 365 — but for the kinds of work where messages, documents, files, and AI are enough, you get the structural property Customer Key only provides at top-tier price.