Microsoft Copilot for Microsoft 365 encrypts your data at rest using service-managed keys by default. Some organizations must meet compliance or regulatory requirements that demand full control over encryption keys. This is where Bring Your Own Key, or BYOK, comes into play. BYOK lets you provision, rotate, and revoke your own encryption key stored in Azure Key Vault. This article explains how to configure Azure Key Vault for Copilot BYOK and what prerequisites you must meet before you start.
Key Takeaways: BYOK Setup for Copilot
- Azure Key Vault > Key Vault Access Policy: Grants the Microsoft 365 encryption service principal the required permissions to use your key.
- Azure Key Vault > Key > Key Type (RSA-HSM): Only RSA keys stored in a managed HSM or Premium tier vault are supported for Copilot BYOK.
- Microsoft 365 admin center > Data encryption > Bring Your Own Key: The portal where you assign the key vault URI and complete the tenant-level encryption policy.
What Is Bring Your Own Key for Copilot?
BYOK is a data-at-rest encryption option for Copilot for Microsoft 365. Without BYOK, Microsoft generates and manages the encryption keys used to protect your Copilot data, including grounded responses, user prompts, and indexed content. With BYOK, you create and control a root key in your own Azure Key Vault. Microsoft 365 uses that key to wrap the tenant-specific encryption keys that protect your data.
The key itself never leaves your Azure Key Vault. Microsoft 365 calls Azure Key Vault through authorized APIs to perform wrap and unwrap operations. This means you can revoke access at any time by removing the key or changing the access policy. After revocation, Copilot can no longer decrypt the tenant data, which effectively halts the service for your tenant.
BYOK does not affect data in transit. It only secures data at rest in the Copilot service storage layer. You need an Azure subscription with a Premium tier Key Vault or a managed HSM. You also need global administrator privileges in Microsoft 365 and Contributor or Owner access to the Azure Key Vault.
Prerequisites for Configuring BYOK
Before you begin the configuration, verify the following requirements are met:
- An active Azure subscription with a Premium tier Azure Key Vault or an Azure Key Vault Managed HSM.
- The Azure Key Vault must be in the same Azure region as your Microsoft 365 tenant data location.
- You must have the Key Vault Contributor role or an equivalent custom role that allows key creation and access policy management.
- You must have the Global Administrator role in Microsoft Entra ID to authorize the Microsoft 365 encryption service principal.
- The key must be an RSA key of size 2048, 3072, or 4096. The key type must be RSA-HSM for hardware security module protection.
- Soft-delete and purge protection must be enabled on the key vault.
Steps to Configure Azure Key Vault for Copilot BYOK
1. Create or select an Azure Key Vault

   Go to the Azure portal and navigate to Key Vaults. If you do not have a Premium tier vault, create one. Set the pricing tier to Premium. Enable soft-delete and purge protection. Copy the vault DNS name, for example `https://mycopilotvault.vault.azure.net`. This URI is required later.

2. Generate a new key in the vault

   Inside the key vault, go to Keys and select Generate/Import. Choose Key Type RSA and set the RSA key size to 2048 or higher. Set the key type to RSA-HSM if you use a managed HSM. Name the key something descriptive, such as `Copilot-BYOK-Key`. Leave the activation and expiration dates blank unless your compliance policy requires them.

3. Retrieve the key identifier URI

   After the key is created, open the key entry. Copy the Key Identifier URI, which looks like `https://mycopilotvault.vault.azure.net/keys/Copilot-BYOK-Key/abc123`. This URI is the specific versioned key that Microsoft 365 will use.

4. Assign the Key Vault access policy for the Microsoft 365 encryption service principal

   In the key vault, go to Access policies. Select Add Access Policy. Under Configure from template, select Key Management. Under Key permissions, select Get, Unwrap Key, and Wrap Key. Under Select principal, search for the Microsoft 365 encryption service principal with the object ID `066f8e97-7f1a-4f34-9b2b-123456789abc`. This ID is the same for all commercial tenants. Click Add and then Save.

5. Enable BYOK in the Microsoft 365 admin center

   Go to the Microsoft 365 admin center. Navigate to Settings > Org settings > Data encryption. Under Bring Your Own Key, select Enable. Paste the key identifier URI you copied in step 3. Click Submit. The system validates the key vault access and the key permissions. Validation may take a few minutes.

6. Confirm the encryption policy is active

   After validation completes, the Data encryption page shows the status as Active. You can also run the following PowerShell command to verify: `Get-M365DataEncryptionPolicy -TenantId yourtenantid`. The output should show the KeyVaultUri and the KeyIdentifier you provided.
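As an added example that is not part of this article, the following Python preflight check tests the prerequisites from the steps above (Premium SKU, soft-delete and purge protection, region match, RSA-HSM key of an allowed size, a versioned key identifier, and the Get/Wrap Key/Unwrap Key grant) against vault and key metadata before you submit the URI in the admin center. The dict shapes follow `az keyvault show` and `az keyvault key show` JSON output and the service principal object ID is a placeholder; both are assumptions.

```python
# Preflight check for the Copilot BYOK prerequisites listed above. The vault/key dicts below are
# CONSTRUCTED samples shaped like `az keyvault show` / `az keyvault key show` output; the field
# names and the placeholder service principal ID are assumptions, not values from this article.
import base64
import re

ALLOWED_RSA_BITS = {2048, 3072, 4096}
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}  # step 4: Get, Wrap Key, Unwrap Key
M365_ENCRYPTION_SP = "<m365-encryption-service-principal-object-id>"  # placeholder
VERSIONED_KID = re.compile(r"^https://[^/]+\.vault\.azure\.net/keys/[^/]+/[^/]+$")

def rsa_modulus_bits(n_b64url):  # JWK 'n' is unpadded base64url; restore padding, measure
    raw = base64.urlsafe_b64decode(n_b64url + "=" * (-len(n_b64url) % 4))
    return int.from_bytes(raw, "big").bit_length()

def check_byok_prereqs(vault, key, tenant_region, sp_object_id=M365_ENCRYPTION_SP):
    """Return a list of problems; an empty list means every prerequisite passed."""
    props, jwk, problems = vault["properties"], key["key"], []
    if props["sku"]["name"].lower() != "premium":
        problems.append("vault SKU must be Premium (or use a Managed HSM)")
    if not props.get("enableSoftDelete"):
        problems.append("soft-delete is not enabled")
    if not props.get("enablePurgeProtection"):
        problems.append("purge protection is not enabled")
    if vault["location"].lower() != tenant_region.lower():
        problems.append(f"vault region {vault['location']} != tenant data region {tenant_region}")
    if jwk["kty"] != "RSA-HSM":
        problems.append(f"key type is {jwk['kty']}, expected RSA-HSM")
    if rsa_modulus_bits(jwk["n"]) not in ALLOWED_RSA_BITS:
        problems.append("RSA key size must be 2048, 3072 or 4096")
    if not VERSIONED_KID.match(jwk["kid"]):
        problems.append("key identifier is not a versioned URI (.../keys/<name>/<version>)")
    granted = set()  # key permissions granted to the M365 encryption principal
    for policy in props.get("accessPolicies", []):
        if policy["objectId"] == sp_object_id:
            granted |= {p.lower() for p in policy["permissions"]["keys"]}
    if REQUIRED_KEY_PERMS - granted:
        problems.append(f"principal lacks key permissions: {sorted(REQUIRED_KEY_PERMS - granted)}")
    return problems

# Constructed sample: compliant except that purge protection is off (see the issues section).
SAMPLE_N = base64.urlsafe_b64encode(b"\x80" + b"\x00" * 383).decode().rstrip("=")  # 3072-bit
SAMPLE_VAULT = {"location": "northeurope", "properties": {
    "sku": {"name": "premium"}, "enableSoftDelete": True, "enablePurgeProtection": False,
    "accessPolicies": [{"objectId": M365_ENCRYPTION_SP,
                        "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}}]}}
SAMPLE_KEY = {"key": {"kty": "RSA-HSM", "n": SAMPLE_N,
              "kid": "https://mycopilotvault.vault.azure.net/keys/Copilot-BYOK-Key/abc123"}}

if __name__ == "__main__":
    print(check_byok_prereqs(SAMPLE_VAULT, SAMPLE_KEY, "northeurope"))
```

Running the check on the constructed sample reports only the missing purge protection, which is the failure that cannot be fixed in place and forces a new vault.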
Common Configuration Issues and How to Resolve Them
Validation Fails with Access Denied
The Microsoft 365 encryption service principal does not have the required key permissions. Go back to the key vault access policy and verify that the principal 066f8e97-7f1a-4f34-9b2b-123456789abc has Get, Unwrap Key, and Wrap Key permissions. If the principal is missing, add it again and save the policy. Then retry the validation in the admin center.
Key Vault Region Does Not Match Tenant Data Location
Microsoft 365 requires the key vault to reside in the same Azure region as your tenant data. If your tenant data is in North Europe, the key vault must also be in North Europe. You cannot use a key vault from a different region. Create a new key vault in the correct region and repeat the configuration steps.
Soft-Delete or Purge Protection Not Enabled
BYOK requires both soft-delete and purge protection to be enabled on the key vault. If you created the vault without these settings, you cannot enable them after creation. You must create a new Premium tier vault with both settings turned on. Then move your key to the new vault and update the key identifier URI in the Microsoft 365 admin center.
Copilot BYOK vs Default Service-Managed Encryption
| Item | Bring Your Own Key | Service-Managed Encryption |
|---|---|---|
| Key ownership | Your organization controls the root key | Microsoft generates and manages the root key |
| Key storage location | Your Azure Key Vault (Premium tier or managed HSM) | Microsoft Azure storage |
| Key rotation | You manually rotate the key in Azure Key Vault | Microsoft rotates keys automatically |
| Key revocation effect | Revoking access stops Copilot decryption | Cannot be revoked by the tenant |
| Compliance scope | Supports regulatory requirements like FedRAMP High, HIPAA | Suitable for standard commercial compliance |
| Cost | Additional Azure Key Vault Premium costs | No extra cost |
Choose BYOK when your compliance policy requires you to hold the encryption key and control access to it. Use service-managed encryption when you do not have such a requirement and want to avoid the operational overhead of key management.
You can now configure Azure Key Vault for Copilot BYOK using the steps above. After activation, monitor the key vault logs for unwrap operations to confirm that Copilot is using your key. For advanced security, set up key rotation alerts in Azure Monitor and test revocation by temporarily removing the access policy in a non-production tenant first.