Microsoft Office 365 has supported Customer Key since 2017. Customer Key encrypts data at rest in Office 365 with keys the customer\organisation provides.
Your data is always encrypted at rest in the Microsoft 365 service with BitLocker and Distributed Key Manager (DKM). This is controlled and managed by Microsoft. Customer Key adds an additional layer of encryption is called service encryption.
Service encryption is not meant to prevent Microsoft personnel from accessing customer data. The primary purpose is to assist customers in meeting regulatory or compliance obligations for controlling root keys or obligations related to having the explicit control to delete data when exiting the service.
Using keys customers provide, Customer Key encrypts:
- SharePoint Online, OneDrive for Business, and Microsoft Teams files (which are in SharePoint or OneDrive for Business)
- Files uploaded to OneDrive for Business
- Exchange Online mailbox content including e-mail body content, calendar entries, and the content within email attachments.
- Text conversations from Skype for Business (chat history is in exchange mailbox)
Customers explicitly authorize Office 365 services to use their encryption keys to enable cloud services, such as eDiscovery, anti-malware, anti-spam, search indexing, etc.
Customer Key is part of E5 and the Advanced Compliance SKU. Additionally, customers must also purchase the appropriate license for using Azure Key Vault
Coming preview Q4 2020, targeting GA Q1 2021, Microsoft will add Customer Key support for Microsoft Teams. This will encrypt Microsoft Teams data (private chat and team chat) with a customer-provided key.