
Portal Walkthrough: Control 1.15 - Encryption: Data in Transit and at Rest

Last Updated: January 2026
Portal: Microsoft 365 Admin Center, Azure Portal, Power Platform Admin Center
Estimated Time: 4-8 hours for Customer Key setup

Prerequisites

  • Entra Global Admin or Security Admin role
  • Azure Key Vault Contributor access
  • Power Platform Admin role
  • Microsoft 365 E5 or equivalent license (for Customer Key)

Step-by-Step Configuration

Step 1: Verify TLS 1.2+ Enforcement

  1. Open Microsoft 365 Admin Center
  2. Navigate to Settings > Org settings > Security & privacy
  3. Verify TLS 1.2 is enforced for all services
  4. Test with SSL Labs:
     • Enter your tenant domain
     • Verify Grade A or better
     • Confirm no TLS 1.0/1.1 support
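The SSL Labs check above is a manual, browser-based test. As an added example (not part of the original walkthrough), the PowerShell function below pins one protocol version per handshake attempt against a tenant endpoint and reports which versions are accepted, graded against the governance table's expectations (TLS 1.0/1.1 refused, TLS 1.2 accepted, TLS 1.3 required for Zone 3). It assumes PowerShell 7+ on a host whose OS supports TLS 1.3; the host name in the usage line is a constructed example.

```powershell
# Added example for Step 1; not from the original walkthrough.
# Assumes PowerShell 7+ (.NET Core 3.0+ for SslProtocols.Tls13).
function Test-TlsVersionSupport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [ValidateSet(1, 2, 3)] [int] $Zone = 2
    )

    $versions = [ordered]@{
        'TLS 1.0' = [System.Security.Authentication.SslProtocols]::Tls
        'TLS 1.1' = [System.Security.Authentication.SslProtocols]::Tls11
        'TLS 1.2' = [System.Security.Authentication.SslProtocols]::Tls12
        'TLS 1.3' = [System.Security.Authentication.SslProtocols]::Tls13
    }

    foreach ($name in $versions.Keys) {
        $client = $null
        $ssl = $null
        try {
            $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
            # Default certificate validation stays on: a bad chain is also a finding.
            $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
            # Pin exactly one protocol version; revocation checking off to avoid
            # network-dependent false negatives on the protocol question.
            $ssl.AuthenticateAsClient($HostName, $null, $versions[$name], $false)
            $accepted = $true
            $detail = "negotiated $($ssl.SslProtocol), cipher $($ssl.NegotiatedCipherSuite)"
        }
        catch {
            $accepted = $false
            $detail = $_.Exception.GetBaseException().Message
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            if ($client) { $client.Dispose() }
        }

        # Expected outcome per the governance table: 1.0/1.1 refused in every zone,
        # 1.2 accepted in every zone, 1.3 required only for Zone 3.
        $status = switch ($name) {
            'TLS 1.0' { if ($accepted) { 'FAIL' } else { 'PASS' } }
            'TLS 1.1' { if ($accepted) { 'FAIL' } else { 'PASS' } }
            'TLS 1.2' { if ($accepted) { 'PASS' } else { 'FAIL' } }
            'TLS 1.3' { if ($accepted) { 'PASS' } elseif ($Zone -eq 3) { 'FAIL' } else { 'INFO' } }
        }

        [pscustomobject]@{
            Host     = $HostName
            Version  = $name
            Accepted = $accepted
            Status   = $status
            Detail   = $detail
        }
    }
}

# Constructed example host; replace with your tenant's endpoints.
Test-TlsVersionSupport -HostName 'contoso.sharepoint.com' -Zone 3 | Format-Table -AutoSize
```

A "refused" result for TLS 1.0 or 1.1 can also mean the client's own OS or .NET runtime has that version disabled, so this is a quick local cross-check, not a replacement for the SSL Labs grade; run it from a host where the older versions are still enabled client-side if you need a definitive answer about the server.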

Step 2: Verify Microsoft Service Encryption

  1. Navigate to Microsoft Purview
  2. Go to Data classification > Content explorer
  3. Confirm encryption is active for:
     • Exchange Online
     • SharePoint Online
     • OneDrive for Business
     • Microsoft Teams

Step 3: Configure Customer Key (Optional - Zone 2/3)

3a: Create Azure Key Vaults

  1. Open Azure Portal
  2. Create first Key Vault:
     • Name: kv-m365-cmk-primary
     • Region: Primary region
     • SKU: Premium (HSM-backed for Zone 3)
     • Enable soft delete and purge protection
  3. Create second Key Vault in a different region:
     • Name: kv-m365-cmk-secondary
     • Region: Secondary region
     • Same settings as primary

3b: Generate Keys

  1. In each Key Vault, create a key:
     • Name: m365-customer-key
     • Type: RSA-HSM (Premium) or RSA (Standard)
     • Size: 2048 or 4096 bits
     • Enable: Wrap/Unwrap permissions

3c: Configure Customer Key in Microsoft 365

  1. Open Microsoft Purview
  2. Navigate to Information protection > Customer Key
  3. Follow the guided setup:
     • Connect primary Key Vault
     • Connect secondary Key Vault
     • Verify key access

Step 4: Create Data Encryption Policy (DEP)

  1. In Microsoft Purview > Customer Key, create a new DEP:
     • Name: DEP-AgentData
     • Scope: SharePoint, Exchange (as needed)
     • Key Vault 1: Primary vault and key
     • Key Vault 2: Secondary vault and key
  2. Assign the DEP to locations:
     • SharePoint sites used as agent knowledge sources
     • Exchange mailboxes for agent communications
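Steps 3a, 3b and 4 are shown above as portal clicks. The script below is an added example, not the walkthrough's own PowerShell Setup page, that performs the same steps with the Az and ExchangeOnlineManagement modules: two Premium vaults with soft delete and purge protection, an RSA-HSM wrap/unwrap key in each, the vault permission the Customer Key service needs, and one DEP referencing both keys. Everything not on the page is an assumption: the resource group name, the two regions, an RBAC-enabled vault (a role assignment instead of an access policy), the sample mailbox address, and the placeholder for the Microsoft 365 Customer Key service principal's application ID, which must be copied from Microsoft's Customer Key setup documentation.

```powershell
# Added example covering Steps 3a, 3b and 4; not the walkthrough's own script.
# Assumptions not taken from the page: resource group, regions, RBAC permission
# model, mailbox address, and the service principal app ID placeholder.
#Requires -Modules Az.Accounts, Az.KeyVault, Az.Resources, ExchangeOnlineManagement

$ResourceGroup    = 'rg-m365-cmk'                               # assumed
$KeyName          = 'm365-customer-key'                         # from Step 3b
$CustomerKeyAppId = '<CUSTOMER-KEY-SERVICE-PRINCIPAL-APP-ID>'   # placeholder, see Microsoft docs
$Vaults = @(
    @{ Name = 'kv-m365-cmk-primary';   Location = 'eastus' }    # regions assumed
    @{ Name = 'kv-m365-cmk-secondary'; Location = 'westus' }
)

Connect-AzAccount | Out-Null

$keyUris = foreach ($v in $Vaults) {
    # 3a: Premium SKU gives HSM-backed keys (Zone 3). Purge protection cannot be
    # switched off once enabled, which is the point: a purged key would make
    # every DEP-protected mailbox and site permanently unreadable.
    $vault = Get-AzKeyVault -VaultName $v.Name -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue
    if (-not $vault) {
        $vault = New-AzKeyVault -VaultName $v.Name -ResourceGroupName $ResourceGroup `
            -Location $v.Location -Sku Premium -EnableRbacAuthorization `
            -EnablePurgeProtection -SoftDeleteRetentionInDays 90
    }

    # 3b: RSA-HSM key restricted to the wrap/unwrap operations Customer Key uses.
    $null = Add-AzKeyVaultKey -VaultName $v.Name -Name $KeyName -Destination HSM `
        -KeyType RSA -Size 4096 -KeyOps wrapKey, unwrapKey

    # 3c prerequisite: the Customer Key service needs get/wrap/unwrap on the key.
    # The built-in 'Key Vault Crypto Service Encryption User' role grants exactly that.
    New-AzRoleAssignment -ApplicationId $CustomerKeyAppId `
        -RoleDefinitionName 'Key Vault Crypto Service Encryption User' `
        -Scope $vault.ResourceId | Out-Null

    # Emit the unversioned key URI so the DEP follows key rotation without edits.
    "$($vault.VaultUri.TrimEnd('/'))/keys/$KeyName"
}

# Step 4: one DEP that references the key in both regions, then assign it.
Connect-ExchangeOnline -ShowBanner:$false
New-DataEncryptionPolicy -Name 'DEP-AgentData' -AzureKeyIDs $keyUris `
    -Description 'Customer Key for agent communications mailboxes' | Out-Null
Set-Mailbox -Identity 'agent-comms@contoso.com' -DataEncryptionPolicy 'DEP-AgentData'   # mailbox assumed

# Validation: vault hardening flags, the DEP's key references, and the assignment.
foreach ($v in $Vaults) {
    Get-AzKeyVault -VaultName $v.Name -ResourceGroupName $ResourceGroup |
        Select-Object VaultName, Location, Sku, EnableSoftDelete, EnablePurgeProtection
}
Get-DataEncryptionPolicy -Identity 'DEP-AgentData' | Select-Object Name, AzureKeyIDs, Enabled
Get-Mailbox -Identity 'agent-comms@contoso.com' | Select-Object DisplayName, DataEncryptionPolicy
```

The script covers the Exchange side of the DEP; SharePoint and OneDrive locations are registered separately from the SharePoint Online Management Shell (Register-SPODataEncryptionPolicy), which takes the specific key version rather than the unversioned URI, so SharePoint registrations must be updated as part of the rotation schedule in the governance table.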

Step 5: Configure Power Platform CMK

  1. Open Power Platform Admin Center
  2. Navigate to Environments > Select environment
  3. Go to Settings > Encryption
  4. Enable customer-managed key:
     • Select Azure Key Vault
     • Select encryption key
     • Confirm activation

Configuration by Governance Level

| Setting | Baseline (Zone 1) | Recommended (Zone 2) | Regulated (Zone 3) |
|---|---|---|---|
| Transit Encryption | TLS 1.2 | TLS 1.2+ | TLS 1.3 + mTLS |
| At-Rest Encryption | Microsoft-managed | Customer Key (Standard) | Customer Key (HSM) |
| Key Rotation | Microsoft-managed | Annual | Quarterly |
| Key Vault SKU | N/A | Standard | Premium (HSM) |
| Double Encryption | No | No | Yes (for MNPI) |

FSI Example Configuration

Encryption Configuration: Investment Advisory Bot

Transit:
  Protocol: TLS 1.3
  Certificate: DigiCert EV
  mTLS: Enabled for Zone 3

At Rest:
  Provider: Customer Key
  Primary Vault: kv-fsi-cmk-eastus
  Secondary Vault: kv-fsi-cmk-westus
  Key Type: RSA-HSM 4096

Key Rotation:
  Schedule: Quarterly (January, April, July, October)
  Owner: Security Operations
  Approval: CISO

Data Encryption Policies:
  - DEP-CustomerData: SharePoint sites with customer documents
  - DEP-AgentLogs: Exchange audit mailbox
  - DEP-TradeRecords: Dataverse trade tables

Validation

After completing these steps, verify:

  • SSL Labs test shows Grade A with TLS 1.2+ only
  • Customer Key shows "Active" status (if configured)
  • DEP applied to agent data locations
  • Power Platform environment shows CMK enabled
  • Key rotation schedule documented
