Organizations that use Microsoft Copilot for Microsoft 365 often need to control their own encryption keys to satisfy a compliance or security policy. Customer-managed keys (CMK) let you create and manage the encryption key in Azure Key Vault instead of relying on Microsoft-managed keys. This article explains how to set up CMK for Copilot, what the feature actually does (and does not do), and the trade-offs you must evaluate before enabling it.
Key Takeaways: Customer-Managed Keys for Copilot
- Azure Key Vault (Premium tier) or Azure Key Vault Managed HSM: one of these is required to store and control the customer-managed key that protects Copilot data at rest.
- Microsoft 365 admin center > Settings > Org settings > Customer-managed keys: The admin center path this article uses to initiate and assign CMK for Copilot workloads.
- Key rotation and revocation: You control when the key is rotated, and disabling or deleting it denies every Microsoft 365 service that depends on it, not only Copilot, the ability to decrypt that data. Plan for both the outage that causes and the propagation delay before it takes effect.
What Customer-Managed Keys Do for Copilot
Customer-managed keys let you encrypt data at rest for Copilot services using a key you control in Azure Key Vault. Microsoft Copilot stores user prompts, responses, and grounded data in Microsoft 365 services such as Exchange Online, SharePoint Online, and Microsoft Teams. By default, Microsoft encrypts this data with platform-managed keys. With CMK, you provide your own key, and Microsoft uses that key to protect the data at rest. Copilot itself holds no separate key: it reads content through those services, so CMK protects Copilot data exactly as far as it protects the underlying workloads. You retain ownership of the key lifecycle, including rotation, revocation, and backup.
CMK does not encrypt data in transit (TLS does) or data while a service is processing it in memory. It applies only to data at rest in the Microsoft 365 services that Copilot reads from. The feature requires an Azure subscription with a Premium-tier Azure Key Vault or a Managed HSM, and you must grant the Microsoft 365 service principal the three key permissions (get, wrapKey, unwrapKey) it needs to use the key on your behalf. Without these prerequisites, the setup fails.
Prerequisites for Setting Up CMK
Before you begin the setup process, confirm that your tenant meets the following requirements:
- Azure subscription: You need an active Azure subscription with at least one Azure Key Vault (Premium) or Azure Key Vault Managed HSM.
- Key Vault SKU: Use the Premium tier (HSM-protected keys) or a Managed HSM, as the rest of this article assumes. Key Vault has no Free tier; the Standard tier stores software-protected keys only.
- Permissions: You need the Global Administrator role in Microsoft 365. On the Azure side, Owner or Contributor on the vault is enough to manage legacy access policies, but if the vault uses the Azure RBAC permission model (the default for new vaults) you also need a data-plane role such as Key Vault Administrator or Key Vault Crypto Officer to create keys, and Owner or User Access Administrator to assign a role to the Microsoft 365 service principal.
- Key type: The key must be an RSA key of at least 2048 bits. HSM-protected (RSA-HSM) keys are supported and are what a Premium vault generates when you choose the HSM destination.
- Soft-delete and purge protection: Both must be enabled on the Key Vault. Soft-delete keeps a deleted key recoverable for the vault's retention period (7 to 90 days); purge protection prevents anyone, including an attacker who gains vault permissions, from permanently purging it before that period ends.
Step-by-Step Setup for Customer-Managed Keys
- Create or select an Azure Key Vault. In the Azure portal, go to Key Vaults and create a new Premium vault or select an existing one. Confirm that soft-delete and purge protection are enabled (purge protection cannot be turned off once set). Copy the Vault URI.
- Generate or import your key. In the vault, open Keys and choose Generate/Import. Select the RSA key type (HSM-protected in a Premium vault) and a size of 2048 bits or larger. Name the key and set an activation date if needed. Be careful with the expiration date: an expired key stops Microsoft 365 from decrypting data, so either leave it unset and rotate by creating new key versions, or set it only together with a rotation schedule that completes well before it. Back up the key as soon as it exists.
- Grant Microsoft 365 permission to use the key. The service principal needs exactly three key permissions: Get, Unwrap Key, and Wrap Key. On a vault that uses legacy access policies, add a policy for the principal this article refers to as Microsoft 365 Key Vault Service with those three permissions and save. On a vault that uses the Azure RBAC permission model, access policies are ignored; assign the built-in Key Vault Crypto Service Encryption User role to the principal at vault scope instead, which grants those same three operations and nothing more.
- Enable CMK in the Microsoft 365 admin center. Sign in, go to Settings > Org settings > Customer-managed keys, and click Set up customer-managed keys. Paste the Vault URI and the key name, then click Submit.
- Validate the key assignment. After submission the admin center shows a status of Key assigned. Propagation across all Microsoft 365 services can take up to 24 hours; return to the Customer-managed keys page to confirm the status.
- Test Copilot functionality. Open Copilot in Microsoft Teams or Word and run a test query. The service should respond normally. If you see an error about encryption, check the key permissions and confirm that the key is enabled, past its activation date, and not expired.
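The Azure side of steps 1 to 3 (vault, key, permissions, plus the backup the trade-offs section asks for) as a single Az PowerShell script. This is an added example, not code from the original article or from Microsoft; it assumes the Az.Accounts, Az.KeyVault and Az.Resources modules, a signed-in account with rights to create the vault and assign roles, and placeholder names for the resource group, vault, key, region and backup folder. The service principal is passed in as an application ID because the article names it only as "Microsoft 365 Key Vault Service"; use the ID Microsoft documents for the workload that will hold the key.

```powershell
# Added example (not from the original article): provision the Azure side of
# customer-managed keys for Microsoft 365. All defaults below are assumptions.
#Requires -Modules Az.Accounts, Az.KeyVault, Az.Resources
param(
    [string]$ResourceGroup = 'rg-m365-cmk',         # assumption
    [string]$VaultName     = 'kv-m365-cmk-01',      # assumption: must be globally unique
    [string]$Location      = 'eastus',              # assumption: use your tenant's region
    [string]$KeyName       = 'm365-copilot-cmk',    # assumption
    [Parameter(Mandatory)] [string]$M365AppId,      # app ID of the Microsoft 365 service principal
    [string]$BackupDir     = "$HOME\cmk-backups"    # assumption: offline, access-controlled store
)
$ErrorActionPreference = 'Stop'
Connect-AzAccount | Out-Null

# 1. Vault: Premium SKU (HSM-backed keys), 90-day soft-delete window, purge
#    protection so a soft-deleted key cannot be purged early, and the Azure
#    RBAC permission model instead of legacy access policies.
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
$vault = Get-AzKeyVault -VaultName $VaultName -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup `
        -Location $Location -Sku Premium -SoftDeleteRetentionInDays 90 `
        -EnablePurgeProtection -EnableRbacAuthorization
}
if (-not $vault.EnableSoftDelete -or -not $vault.EnablePurgeProtection) {
    throw "Vault $VaultName must have soft-delete and purge protection enabled."
}

# 2. Key: RSA 2048 generated inside the HSM. No -Expires on purpose: an
#    expired key makes Microsoft 365 unable to decrypt (see the trade-offs).
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue
if (-not $key) {
    $key = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName `
        -Destination HSM -KeyType RSA -Size 2048
}

# 3. Permissions: the principal needs only get, wrapKey and unwrapKey.
#    'Key Vault Crypto Service Encryption User' is the built-in role that
#    grants exactly those data-plane rights; it cannot delete the key,
#    export material, or change vault settings.
$sp = Get-AzADServicePrincipal -ApplicationId $M365AppId
if (-not $sp) { throw "Service principal for app $M365AppId not found in this tenant." }
$role = 'Key Vault Crypto Service Encryption User'
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId `
    -RoleDefinitionName $role -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId -RoleDefinitionName $role | Out-Null
}

# 4. Back up immediately. The backup blob is encrypted by the service and can
#    only be restored into a vault in the same subscription and geography.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("{0}-{1}-{2:yyyyMMddHHmm}.blob" -f $VaultName, $KeyName, (Get-Date))
Backup-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -OutputFile $backup | Out-Null

# Values needed for step 4 in the Microsoft 365 admin center, plus audit data.
[pscustomobject]@{
    VaultUri   = $vault.VaultUri
    KeyName    = $key.Name
    KeyId      = $key.Id          # versioned identifier; record it for rotation and audit
    KeyType    = $key.Key.Kty     # expect RSA-HSM for an HSM-generated key
    Principal  = $sp.DisplayName
    BackupFile = $backup
}
```

Run it as `.\Setup-M365Cmk.ps1 -M365AppId <app-id>` and paste the `VaultUri` and `KeyName` it prints into the admin center. The script deliberately assigns a role scoped to this one vault rather than a subscription-wide role, and deliberately does not give the service principal Key Vault Administrator or Contributor: a compromised workload identity with only wrap/unwrap cannot delete or export the key, which is the whole point of holding it yourself.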
Trade-Offs and Limitations of CMK
Copilot Stops Working If the Key Is Revoked or Expired
If you disable, delete, or let the key expire in Azure Key Vault, every Microsoft 365 service that encrypts data with it, not only Copilot, loses access to that data. Copilot fails to generate responses because the services it grounds on cannot decrypt their content. Recovery means re-enabling or restoring the key, or assigning a new one, and then waiting for the assignment to propagate. This is the feature's intended kill switch, but the same mechanism turns a missed expiration date or a careless cleanup into an outage, so the key lifecycle needs change control like any other production dependency.
Data Recovery Is Complex After Key Loss
If the key is purged (permanently deleted) and you hold no backup, the data encrypted under it is lost; plan on the basis that no support path will bypass the encryption for you. Keep backups of the key (Azure Key Vault can export an encrypted backup blob) in a separate, access-controlled location. Soft-delete keeps a deleted key recoverable for the vault's retention period, 7 to 90 days, and purge protection ensures that nobody can purge it before that period ends. Enable both, but treat them as a safety net for accidents, not as your backup.
No Support for Bring Your Own Key for All Copilot Features
CMK currently applies only to data at rest in Exchange Online, SharePoint Online, and OneDrive for Business. Copilot content that comes from Microsoft Graph connectors or third-party data sources is not covered: those systems keep their own encryption (Microsoft-managed keys for the Microsoft-hosted ones), and Copilot still reads from them when it builds a response. In practice, CMK controls the key for Microsoft 365 content, not for everything Copilot can see.
Performance Overhead During Key Operations
CMK uses a key hierarchy (envelope encryption): the key in your vault wraps the keys Microsoft 365 actually uses to encrypt content, so Key Vault is called when a policy is created, when the key is rotated or reassigned, and when cached key material is refreshed, not on every Copilot query. Each wrap or unwrap call adds a few milliseconds, and Key Vault also throttles requests per vault, so keep the vault dedicated to this purpose rather than sharing it with chatty applications. Microsoft recommends placing the Key Vault in the same region as your Microsoft 365 tenant to keep those key operations fast.
Key Rotation Requires Manual or Automated Scripts
Microsoft 365 does not rotate customer-managed keys for you. Azure Key Vault can generate a new key version on a schedule through its key rotation policy, but Microsoft 365 keeps using the version assigned to it until you update the assignment in the Microsoft 365 admin center. Rotation is therefore a two-step procedure: create the new version (manually or with Azure PowerShell or CLI), then reassign it, and keep the old version enabled until the new assignment has propagated, which can take up to 24 hours.
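The Azure half of that procedure as an added Az PowerShell example (not code from the original article or from Microsoft): it refuses to rotate a key that is already broken or was rotated very recently, creates the new version with the same protection level and size as the current one, backs it up, and prints the identifiers you then reassign in the admin center. Vault name, key name, backup folder and the minimum age are placeholder assumptions; the admin center reassignment itself is not automated here.

```powershell
# Added example (not from the original article): create a new version of the
# customer-managed key and hand back what the reassignment step needs.
#Requires -Modules Az.Accounts, Az.KeyVault
param(
    [string]$VaultName  = 'kv-m365-cmk-01',     # assumption
    [string]$KeyName    = 'm365-copilot-cmk',   # assumption
    [string]$BackupDir  = "$HOME\cmk-backups",  # assumption
    [int]$MinAgeDays    = 30                    # assumption: guard against accidental double rotation
)
$ErrorActionPreference = 'Stop'

# Pre-check: rotating while the current version is disabled or expired only
# widens the outage, because Microsoft 365 still points at that version
# until the reassignment propagates.
$current = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName
if (-not $current) { throw "Key $KeyName not found in $VaultName." }
if (-not $current.Enabled) {
    throw "Current version $($current.Version) is disabled; re-enable it before rotating."
}
$now = (Get-Date).ToUniversalTime()
if ($current.Expires -and $current.Expires -le $now) {
    throw "Current version expired on $($current.Expires); restore service first, then rotate."
}
if ($current.Created -gt $now.AddDays(-$MinAgeDays)) {
    throw "Current version is younger than $MinAgeDays days; rotation skipped."
}

# New version: keep HSM vs software protection and the modulus size of the
# existing key so the new version satisfies the same policy.
$dest = if ($current.Key.Kty -like '*-HSM') { 'HSM' } else { 'Software' }
$size = $current.Key.N.Length * 8
$new  = Add-AzKeyVaultKey -VaultName $VaultName -Name $KeyName `
    -Destination $dest -KeyType RSA -Size $size
if (-not $new.Enabled) { throw "New version $($new.Version) was created disabled." }

# Back up before reassigning. A key backup contains all versions of the key.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("{0}-{1}-{2:yyyyMMddHHmm}.blob" -f $VaultName, $KeyName, (Get-Date))
Backup-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -OutputFile $backup | Out-Null

# Deliberately NOT disabling the previous version here: Microsoft 365 may
# keep unwrapping with it for up to 24 hours while the new assignment
# propagates. Disable it only after the admin center shows the new version.
[pscustomobject]@{
    OldVersion = $current.Version
    NewVersion = $new.Version
    NewKeyId   = $new.Id      # record this with the change ticket
    NewKeyType = $new.Key.Kty
    Backup     = $backup
}
```

Because `Add-AzKeyVaultKey` on an existing name creates a new version rather than a new key, the vault URI and key name you entered in the admin center do not change; what changes is the version Microsoft 365 should wrap with. Only after that reassignment has propagated should a follow-up job disable the old version with `Update-AzKeyVaultKey -Version <old> -Enable $false`, which is the moment revocation of the old material actually takes effect.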
Customer-Managed Keys vs Microsoft-Managed Keys
| Item | Customer-Managed Keys | Microsoft-Managed Keys |
|---|---|---|
| Key ownership | You control the key in Azure Key Vault | Microsoft generates and manages the key |
| Key rotation | You must rotate manually or via automation | Microsoft rotates automatically |
| Key revocation | You can revoke access instantly | Not applicable |
| Data recovery after key loss | Not possible without your own key backup | Not applicable (Microsoft holds and backs up the key) |
| Additional cost | Azure Key Vault charges apply | No additional cost |
| Latency | Slight overhead on key operations (policy creation, rotation, cache refresh) | No overhead |
| Compliance scope | Exchange, SharePoint, OneDrive only | All Microsoft 365 services |
If CMK Setup Fails or Copilot Stops Responding
Key Vault Permissions Are Incorrect
The most common failure is missing Get, Unwrap Key, or Wrap Key permissions for the Microsoft 365 service principal. Check the vault's permission model first. On an access-policy vault, verify that the principal is listed with those three key permissions. On a vault that uses Azure RBAC, access policies are ignored entirely, so verify a role assignment at vault scope instead (Key Vault Crypto Service Encryption User is sufficient). Role assignments and policy changes can take several minutes to apply; if you recently changed them, wait 10 minutes and retry the setup.
Key Is Disabled or Expired
Check the key status in Azure Key Vault. If the key is disabled, not yet past its activation date, or past its expiration date, enable it, adjust the dates, or create a new key version. Then update the key assignment in the Microsoft 365 admin center. Copilot should resume normal operation within about 30 minutes.
Tenant Region Does Not Match Key Vault Region
Microsoft 365 services expect the Key Vault to be in the same geographic region as your tenant. If the regions differ, the setup may fail or Copilot may experience intermittent errors. Create a vault in the tenant region, restore or regenerate the key there (a Key Vault backup restores only within the same subscription and geography, so you may need a fresh key), and reassign it in the admin center.
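A pre-flight and health check that tests every condition in the troubleshooting section and the prerequisites list, as an added Az PowerShell example (not code from the original article or from Microsoft). It is written to run unattended from a scheduled job so that an expiring key or a removed role assignment is caught before Copilot stops responding. Vault name, key name, expected region and warning window are placeholder assumptions, and the Microsoft 365 service principal is again passed as an application ID.

```powershell
# Added example (not from the original article): check the vault, the key and
# the service principal's permissions against the CMK prerequisites.
#Requires -Modules Az.Accounts, Az.KeyVault, Az.Resources
param(
    [string]$VaultName        = 'kv-m365-cmk-01',    # assumption
    [string]$KeyName          = 'm365-copilot-cmk',  # assumption
    [string]$ExpectedLocation = 'eastus',            # assumption: region of your tenant
    [Parameter(Mandatory)] [string]$M365AppId,       # Microsoft 365 service principal app ID
    [int]$ExpiryWarningDays   = 30                   # assumption
)
$ErrorActionPreference = 'Stop'
$findings = [System.Collections.Generic.List[string]]::new()

# Vault-level settings the article lists as mandatory.
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Vault $VaultName not found (check Get-AzKeyVault -InRemovedState)." }
if (-not $vault.EnableSoftDelete)      { $findings.Add('Soft-delete is disabled.') }
if (-not $vault.EnablePurgeProtection) { $findings.Add('Purge protection is disabled.') }
if ($vault.Location -ne $ExpectedLocation) {
    $findings.Add("Vault region '$($vault.Location)' differs from expected '$ExpectedLocation'.")
}

# Key-level state: missing, disabled, not yet active, expired, wrong type/size.
$key = Get-AzKeyVaultKey -VaultName $VaultName -Name $KeyName -ErrorAction SilentlyContinue
if (-not $key) {
    $findings.Add("Key $KeyName not found; look for a soft-deleted copy with Get-AzKeyVaultKey -InRemovedState.")
} else {
    $now = (Get-Date).ToUniversalTime()
    if (-not $key.Enabled) { $findings.Add("Key version $($key.Version) is disabled.") }
    if ($key.NotBefore -and $key.NotBefore -gt $now) { $findings.Add("Key is not active until $($key.NotBefore).") }
    if ($key.Expires) {
        if ($key.Expires -le $now) {
            $findings.Add("Key expired on $($key.Expires).")
        } elseif ($key.Expires -le $now.AddDays($ExpiryWarningDays)) {
            $findings.Add("Key expires within $ExpiryWarningDays days ($($key.Expires)); rotate now.")
        }
    }
    if ($key.Key.Kty -notlike 'RSA*') {
        $findings.Add("Key type $($key.Key.Kty) is not RSA.")
    } elseif (($key.Key.N.Length * 8) -lt 2048) {
        $findings.Add("Key size $($key.Key.N.Length * 8) bits is below the 2048-bit minimum.")
    }
}

# Permissions: an RBAC vault ignores access policies and vice versa, so test
# whichever model the vault actually uses for get/wrapKey/unwrapKey.
$sp = Get-AzADServicePrincipal -ApplicationId $M365AppId
if (-not $sp) {
    $findings.Add("Service principal for app $M365AppId is not present in this tenant.")
} elseif ($vault.EnableRbacAuthorization) {
    $sufficient = 'Key Vault Crypto Service Encryption User', 'Key Vault Crypto User',
                  'Key Vault Crypto Officer', 'Key Vault Administrator'
    $ra = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $vault.ResourceId |
          Where-Object { $_.RoleDefinitionName -in $sufficient }
    if (-not $ra) { $findings.Add('No RBAC role granting get/wrapKey/unwrapKey at vault scope.') }
} else {
    $policy  = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    $needed  = 'get', 'wrapKey', 'unwrapKey'
    $missing = $needed | Where-Object { $policy.PermissionsToKeys -notcontains $_ }
    if (-not $policy -or $missing) {
        $findings.Add("Access policy missing key permissions: $($missing -join ', ').")
    }
}

if ($findings.Count -eq 0) { 'OK: vault and key satisfy the customer-managed key prerequisites.' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it with `-M365AppId <app-id>` from a job that alerts on any `FAIL:` line. The checks are ordered the way an outage investigation goes: vault settings that can only be fixed by recreating the vault, then key state that can be fixed in place, then permissions, which is where most first-time setups fail. The region comparison is against a value you supply, because the script has no way to learn the tenant's region from Azure alone.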
With customer-managed keys, you gain control over the key that protects Copilot data at rest in Exchange Online, SharePoint Online, and OneDrive for Business. The setup is straightforward if you meet the prerequisites and follow the steps exactly. However, the operational cost, the latency on key operations, and the recovery risk mean you should enable CMK only when your compliance requirements explicitly demand it. For most organizations, Microsoft-managed keys provide sufficient security with less management overhead. If you proceed, automate key rotation, monitor key and permission state continuously, and maintain secure backups to avoid service disruption.