Microsoft Copilot With BYOK Encryption: Setup Considerations

Microsoft Copilot for Microsoft 365 uses encryption to protect your data at rest and in transit. When your organization requires full control over the encryption keys, Bring Your Own Key (BYOK) lets you manage and rotate your own keys held in Azure Key Vault. This setup adds a layer of security but also introduces specific planning and operational requirements. This article explains what BYOK encryption is, what prerequisites you need, and the key considerations for a successful deployment with Copilot.

Key Takeaways: Planning BYOK for Copilot

  • Azure Key Vault key creation and permissions: You must create a Customer-managed key (CMK) in Azure Key Vault and assign the correct RBAC roles to Microsoft 365 before enabling BYOK.
  • Copilot data encryption scope: BYOK encrypts Copilot-generated content and grounded data at rest, but not all Copilot features honor custom keys immediately.
  • Key rotation and revocation impact: Rotating or revoking the key can cause service degradation or data access loss for Copilot features that rely on the encrypted data.

What BYOK Encryption Means for Copilot

BYOK is a feature of Microsoft 365 encryption that lets you provide and manage your own encryption key stored in Azure Key Vault. Microsoft still performs the encryption and decryption operations, but the root key is owned and controlled by your organization. For Copilot, this means any data that Copilot processes or generates can be encrypted with your key instead of a Microsoft-managed key.

The encryption at rest covers Copilot prompts, responses, and the grounded data retrieved from Microsoft Graph sources such as emails, files, and calendar entries. BYOK does not change how Copilot processes data in memory or during transit. Transport Layer Security (TLS) still protects data in motion.

A common misunderstanding is that BYOK encrypts all Copilot interactions immediately. In reality, BYOK applies only to data stored in Microsoft 365 services that support Customer-managed keys. Some Copilot features such as Copilot in Power BI or Copilot in Dynamics 365 use separate encryption stores that may require additional configuration. Verify which Microsoft 365 workloads your Copilot license covers and confirm each one supports BYOK.

Prerequisites for BYOK with Copilot

Before you start, ensure your tenant meets these requirements:

  • An active Microsoft 365 subscription that includes Copilot for Microsoft 365.
  • An Azure subscription with Azure Key Vault Standard or Premium tier.
  • Global Admin or Azure Key Vault Contributor permissions to create and manage keys.
  • Your organization must use Azure Active Directory (Azure AD) for identity management.
  • You must have the BYOK feature enabled in the Microsoft 365 admin center. This feature is available only for tenants in the Microsoft 365 Commercial, GCC, GCC High, or DoD environments.

Steps to Configure BYOK for Copilot

The configuration process involves two major phases: setting up the key in Azure Key Vault and then assigning it to your Microsoft 365 tenant. Follow these steps in order.

Phase 1: Create and Configure the Key in Azure Key Vault

  1. Create or select an Azure Key Vault
    In the Azure portal, create a new Key Vault or use an existing one. Enable soft delete and purge protection to prevent accidental key deletion. Without purge protection, a deleted key cannot be recovered and all encrypted data becomes inaccessible.
  2. Generate a Customer-managed key
    Inside your Key Vault, go to Keys and create a new key. Choose RSA 2048, RSA 3072, or RSA 4096. HSM-protected keys are recommended for higher security. Give the key a descriptive name such as copilot-byok-key.
  3. Assign permissions to Microsoft 365
    Under Access policies in the Key Vault, add a new access policy. Select principal Microsoft 365 Encryption Service. The service principal ID is unique to your tenant. Grant the Get, Unwrap Key, and Wrap Key permissions. Do not grant Delete permissions to this service principal.

Phase 2: Assign the Key to Your Microsoft 365 Tenant

  1. Open the Microsoft 365 admin center
    Go to Settings > Org settings > Security & privacy > Customer Key. Select Customer-managed keys and then Add key.
  2. Enter the key URI
    Copy the Key Identifier URI from your Azure Key Vault key. The format is https://yourvaultname.vault.azure.net/keys/yourkeyname/version. Paste this URI into the Customer Key setup page.
  3. Enable the key for Copilot workloads
    In the same setup page, select the workloads that Copilot uses. At minimum, select Exchange Online and SharePoint Online. These services store Copilot prompts and responses. If your Copilot license includes Teams, also select Microsoft Teams.
  4. Verify key activation
    Wait up to 30 minutes for the key to propagate. Use the Get-M365CustomerKey cmdlet in Exchange Online PowerShell to confirm the key is active. The output should show the key status as In Use.
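Phase 1 as a script, so the vault protections, key parameters and least-privilege access policy are reproducible and read back rather than clicked through: this is an added example in Azure PowerShell (Az module), not code from the article or from Microsoft. The resource group, vault name and the service principal object ID are placeholders you must replace; it assumes the vault already exists and uses the access-policy permission model described in step 3.

```powershell
# Added example, not from the article or Microsoft's own tooling: Azure PowerShell (Az module)
# equivalent of Phase 1 steps 1-3. All names below are placeholders; the service principal
# object ID is the per-tenant ID of the Microsoft 365 encryption service principal.
#Requires -Modules Az.KeyVault
param(
    [string]$ResourceGroup = 'rg-copilot-byok',           # placeholder
    [string]$VaultName     = 'kv-copilot-byok-example',   # placeholder (must be globally unique)
    [string]$KeyName       = 'copilot-byok-key',          # key name used in the article
    [Parameter(Mandatory)][string]$M365ServicePrincipalObjectId   # placeholder, from your tenant
)

# Step 1: the vault must already exist; enforce purge protection so the root key can never be purged.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $vault) { throw "Vault '$VaultName' not found. Create it first (Phase 1, step 1)." }
if ($vault.EnableRbacAuthorization) {
    throw "Vault uses the RBAC permission model; this script expects access policies, as in the article."
}
if (-not $vault.EnablePurgeProtection) {
    # Purge protection cannot be turned off again once enabled; that is the point for a BYOK root key.
    $vault = Update-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -EnablePurgeProtection
}

# Step 2: RSA 3072 key, HSM-protected (requires a Premium-tier vault). Reuse it if it already exists.
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue
if (-not $key) {
    $key = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination HSM -KeyType RSA -Size 3072
}

# Step 3: least-privilege access policy: get, wrapKey, unwrapKey only. Set-AzKeyVaultAccessPolicy
# replaces the principal's key permissions, so any previously granted 'delete' is removed.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $M365ServicePrincipalObjectId `
    -PermissionsToKeys @('get', 'wrapKey', 'unwrapKey')

# Read the policy back and verify it grants exactly what was intended and nothing destructive.
$policy = (Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup).AccessPolicies |
    Where-Object { $_.ObjectId -eq $M365ServicePrincipalObjectId }
$forbidden = @('delete', 'purge', 'update', 'create', 'import') |
    Where-Object { $policy.PermissionsToKeys -contains $_ }
if ($forbidden) { throw "Service principal has destructive key permissions: $($forbidden -join ', ')" }
foreach ($p in 'get', 'wrapKey', 'unwrapKey') {
    if ($policy.PermissionsToKeys -notcontains $p) { throw "Missing key permission: $p" }
}

# Phase 2 needs the versioned Key Identifier URI: https://<vault>.vault.azure.net/keys/<key>/<version>
Write-Output "Key Identifier URI for the Customer Key setup page: $($key.Id)"
```

Run it with an account holding the Key Vault Contributor role from step 3 of the prerequisites; the printed URI is the value Phase 2 step 2 asks for.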

Common Setup Issues and What to Avoid

Copilot Still Uses Microsoft-Managed Keys After BYOK Configuration

This usually happens when the key is not assigned to the correct workloads. BYOK only encrypts data in the workloads you select during configuration. If you skip SharePoint Online, Copilot responses stored in SharePoint remain encrypted with a Microsoft-managed key. Go back to the Customer Key settings and verify all relevant workloads are selected.

Key Rotation Causes Temporary Service Disruption

When you rotate the key in Azure Key Vault, Microsoft 365 does not immediately pick up the new version. It can take up to 72 hours for the new key to be applied across all workloads. During this window, Copilot may return errors or fail to generate responses. Plan key rotations during low-usage periods and communicate the change to your help desk.

Revoking the Key Breaks Copilot Access

If you revoke the key by deleting the access policy or disabling the key in Azure Key Vault, Copilot loses the ability to decrypt existing data. Users see errors such as "Copilot cannot access your organization data". To recover, re-enable the key and reapply the access policy. Data encrypted with the old key remains inaccessible if the key is permanently deleted.

BYOK Does Not Cover All Copilot Features

Copilot in Microsoft 365 apps like Word, Excel, and PowerPoint uses the encryption of the underlying document. If the document is stored in OneDrive or SharePoint, BYOK applies. Copilot in Power BI uses a separate encryption key store called Power BI encryption. You must configure BYOK for Power BI independently. Check the Microsoft documentation for each Copilot feature to confirm BYOK support.

BYOK vs Microsoft-Managed Keys for Copilot

Item                    | BYOK (Customer-Managed Key)                                  | Microsoft-Managed Key
Key ownership           | Your organization controls the key in Azure Key Vault        | Microsoft generates and manages the key
Key rotation control    | You decide when and how to rotate the key                    | Microsoft rotates keys automatically
Key revocation impact   | Revoking the key can block Copilot access to encrypted data  | Microsoft manages revocation; no direct user control
Setup complexity        | Requires Azure Key Vault configuration and permissions       | No setup required; enabled by default
Compliance scope        | Satisfies compliance requirements for key control            | Does not meet key control requirements

BYOK adds operational overhead but gives you full control over encryption keys. Microsoft-managed keys are simpler and sufficient for most organizations. Choose BYOK only if your compliance policy mandates customer-controlled keys.

After you configure BYOK for Copilot, monitor the key usage in Azure Key Vault logs. Set up alerts for key expiration or permission changes. Test key rotation in a non-production tenant first. If your organization uses multiple Microsoft 365 workloads, verify each one supports BYOK before rolling out to production users.
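The monitoring advice above as a repeatable audit, again an added example in Azure PowerShell rather than anything from the article: it checks soft delete and purge protection, flags any principal with delete or purge rights on keys, warns on a disabled or soon-expiring key, compares the newest key version against the URI you gave Microsoft 365 (the 72-hour propagation window from the rotation section), and confirms AuditEvent logging is on. Vault and key names and $ConfiguredKeyUri are placeholders; the diagnostics check assumes Az.Monitor 3.0 or later.

```powershell
# Added example, not from the article: periodic audit of the BYOK vault and key covering the
# checks the article recommends. Names are placeholders; $ConfiguredKeyUri is the URI pasted
# into the Customer Key setup page and is used to detect rotation drift.
#Requires -Modules Az.KeyVault, Az.Monitor
param(
    [string]$ResourceGroup    = 'rg-copilot-byok',          # placeholder
    [string]$VaultName        = 'kv-copilot-byok-example',  # placeholder
    [string]$KeyName          = 'copilot-byok-key',
    [string]$ConfiguredKeyUri = '',                         # placeholder: versioned key URI given to M365
    [int]$ExpiryWarningDays   = 30
)
$findings = [System.Collections.Generic.List[string]]::new()

$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $vault) { throw "Vault '$VaultName' not found." }
if (-not $vault.EnableSoftDelete)      { $findings.Add('Soft delete is disabled') }
if (-not $vault.EnablePurgeProtection) { $findings.Add('Purge protection is disabled') }

# Permission changes: any principal that can delete or purge keys can cause the revocation failure mode.
foreach ($p in $vault.AccessPolicies) {
    $risky = @('delete', 'purge') | Where-Object { $p.PermissionsToKeys -contains $_ }
    if ($risky) { $findings.Add("Principal $($p.ObjectId) can $($risky -join '/') keys") }
}

# Key state and expiry: a disabled or expired key stops Copilot from decrypting stored data.
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
if (-not $key)         { throw "Key '$KeyName' not found." }
if (-not $key.Enabled) { $findings.Add('Key is disabled') }
if ($key.Expires -and $key.Expires -lt (Get-Date).AddDays($ExpiryWarningDays)) {
    $findings.Add("Key expires on $($key.Expires.ToString('u'))")
}

# Rotation drift: newest version in the vault vs. the version Microsoft 365 was given.
$latest = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -IncludeVersions |
    Sort-Object Created -Descending | Select-Object -First 1
if ($ConfiguredKeyUri -and $latest.Id -ne $ConfiguredKeyUri) {
    $findings.Add("Newest version $($latest.Version) differs from the configured URI; allow up to 72 hours to propagate")
}

# Key usage logging: AuditEvent diagnostics must be enabled for Key Vault logs to exist at all
# (assumes the Az.Monitor 3.0+ output shape with a Log collection of Category/CategoryGroup/Enabled).
$diag = Get-AzDiagnosticSetting -ResourceId $vault.ResourceId -ErrorAction SilentlyContinue
$auditOn = $diag | ForEach-Object { $_.Log } |
    Where-Object { $_.Enabled -and ($_.Category -eq 'AuditEvent' -or $_.CategoryGroup -in 'audit', 'allLogs') }
if (-not $auditOn) { $findings.Add('Key Vault AuditEvent diagnostic logging is not enabled') }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "BYOK vault '$VaultName' and key '$KeyName' pass all checks."
```

Schedule it (for example from Azure Automation) and alert on a non-zero exit code; the warnings are the conditions the article says will degrade or break Copilot access.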