
Control 1.15: Encryption: Data in Transit and at Rest

Overview

Control ID: 1.15
Control Name: Encryption: Data in Transit and at Rest
Pillar: Security
Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, SEC Rule 17a-4, PCI DSS 4.0
Setup Time: 1-2 hours

Purpose

Encryption is a foundational security control ensuring that all data processed by Copilot Studio agents is protected both when stored (at rest) and when transmitted (in transit). For financial services, encryption provides critical protection for customer financial information, trading data, and personally identifiable information (PII). This control covers Microsoft's default encryption, customer-managed keys (CMK), and hardware security module (HSM) integration for regulated environments.

This control addresses key FSI requirements:

  • Data in Transit: TLS 1.2+ for all agent communications
  • Data at Rest: AES-256 encryption for stored data
  • Key Management: Customer-managed keys for sensitive data
  • Regulatory Compliance: SEC 17a-4 WORM requirements with encryption

Prerequisites

Primary Owner Admin Role: Entra Security Admin
Supporting Roles: SharePoint Admin

Required Licenses

License                               Purpose
Microsoft 365 E3/E5                   Service encryption (default)
Microsoft 365 E5 or E5 Compliance     Customer Key feature
Azure Key Vault Premium               HSM-backed key storage
Power Platform                        Dataverse encryption at rest

Required Permissions

Permission                   Scope                  Purpose
Global Administrator         Initial setup          Configure Customer Key
Key Vault Administrator      Azure Key Vault        Create and manage encryption keys
Compliance Administrator     Microsoft Purview      Configure encryption policies
Exchange Administrator       Exchange Online        Configure service encryption
SharePoint Administrator     SharePoint Online      Configure site encryption

Dependencies

Pre-Setup Checklist

  • [ ] Verify TLS 1.2+ enforcement at network level
  • [ ] Create Azure subscription for Key Vault
  • [ ] Establish key management procedures
  • [ ] Document encryption key rotation schedule
  • [ ] Identify data requiring customer-managed keys

Governance Levels

Baseline (Level 1)

Ensure all agent data is encrypted in transit (TLS 1.2+) and at rest using Microsoft defaults.

Double encryption for sensitive data; customer-managed keys (CMK) for Tier 2/3 (team/enterprise-managed).

Regulated/High-Risk (Level 4)

Mandatory CMK with hardware security module (HSM) backing; key rotation quarterly; audit trail.


Setup & Configuration

Step 1: Verify TLS 1.2+ Enforcement

Portal Path: Microsoft 365 Admin Center → Settings → Org settings → Security & privacy

  1. Navigate to Microsoft 365 Admin Center (admin.microsoft.com)
  2. Select Settings → Org settings
  3. Click Security & privacy tab
  4. Locate Modern authentication and verify enabled
  5. Verify TLS version requirements:
     • All Microsoft 365 services require TLS 1.2 by default
     • Legacy TLS 1.0/1.1 should be disabled
  6. Network-Level Verification:
     • Check Azure Load Balancer/Application Gateway settings
     • Verify firewall TLS inspection supports 1.2+
     • Test with SSL Labs or similar tool
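The network-level check above can be scripted instead of relying only on an external scanner. The following is an added example (not code from the control page): it offers a single TLS protocol version per handshake to each endpoint and reports which versions the server accepts, flagging TLS 1.0/1.1 as legacy. The host names are placeholders for the tenant's own agent endpoints, and it assumes PowerShell 7+ (SslProtocols.Tls13 exists only on .NET Core 3.0 and later).

```powershell
# Added example: probe which TLS versions an endpoint will negotiate.
# A handshake failure can also mean the local OS refuses to offer that
# version; the Detail column shows the reason so the two cases can be told apart.
function Test-TlsVersions {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    # Oldest first. Tls and Tls11 are the versions the control expects to be rejected.
    $legacy = @(
        [System.Security.Authentication.SslProtocols]::Tls,
        [System.Security.Authentication.SslProtocols]::Tls11
    )
    $candidates = $legacy + @(
        [System.Security.Authentication.SslProtocols]::Tls12,
        [System.Security.Authentication.SslProtocols]::Tls13
    )
    foreach ($proto in $candidates) {
        $client = $null; $ssl = $null
        $accepted = $false
        $detail = ''
        try {
            $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
            # Default (strict) certificate validation; a handshake that fails
            # validation is reported as "not accepted".
            $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
            # Offer exactly one protocol so the result reflects the server's policy.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $true)
            $accepted = $true
            $detail = "negotiated=$($ssl.SslProtocol) cipher=$($ssl.CipherAlgorithm)"
        } catch {
            $detail = $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($client) { $client.Dispose() }
        }
        [pscustomobject]@{
            Host     = $HostName
            Protocol = $proto.ToString()
            Accepted = $accepted
            # Anything older than TLS 1.2 that the server accepts is a finding.
            Legacy   = ($accepted -and ($proto -in $legacy))
            Detail   = $detail
        }
    }
}

# Usage: placeholder endpoints; replace with the tenant's agent-facing hosts.
$results = 'outlook.office365.com', 'yourtenant.sharepoint.com' |
    ForEach-Object { Test-TlsVersions -HostName $_ }
$results | Format-Table Host, Protocol, Accepted, Legacy -AutoSize
if ($results | Where-Object Legacy) {
    Write-Warning 'Legacy TLS (1.0/1.1) is still accepted by at least one endpoint'
}
```

Run it from a network position equivalent to the agents' egress path (for example through the same firewall or TLS-inspecting proxy), since a middlebox that re-terminates TLS can accept a different set of versions than the Microsoft service behind it.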

Step 2: Configure Service Encryption

Portal Path: Microsoft Purview → Information protection → Encryption

  1. Navigate to Microsoft Purview (compliance.microsoft.com)
  2. Select Information protection from left navigation
  3. Click Encryption tab
  4. Verify Default Encryption Status:
     • Service encryption: Enabled (automatic)
     • BitLocker for data centers: Enabled (automatic)
     • Distributed Key Manager (DKM): Enabled
  5. Review encryption status for each workload:
     • Exchange Online: Encrypted
     • SharePoint Online: Encrypted
     • OneDrive for Business: Encrypted
     • Microsoft Teams: Encrypted

Step 3: Configure Customer Key for Microsoft 365

Portal Path: Microsoft Purview → Information protection → Customer Key

Note

Customer Key requires Microsoft 365 E5 or E5 Compliance license and involves Azure Key Vault setup.

  1. Create Azure Key Vaults (2 required for redundancy):
     • Create Key Vault 1 in Region A (e.g., East US)
     • Create Key Vault 2 in Region B (e.g., West US)
     • Both must use Premium SKU for HSM support
  2. Configure Key Vault Access:
     • Navigate to Azure Portal → Key Vaults → [Vault Name]
     • Select Access configuration → ensure RBAC or Access Policies
     • Grant Microsoft 365 Data-At-Rest service access
  3. Create Customer Keys:
     • In each Key Vault, select Keys → Generate/Import
     • Key type: RSA-HSM (for regulated environments)
     • Key size: 2048 or 4096 bits
     • Set expiration per your rotation policy
  4. Register Customer Key with Microsoft 365:
     • Navigate to Microsoft Purview → Information protection → Customer Key
     • Click + Create
     • Provide Key Vault URIs and key names
     • Complete validation process
  5. Create Data Encryption Policy (DEP):
     • Click + Create DEP
     • Assign to mailboxes and/or SharePoint sites
     • Apply to Tier 2/3 agent data locations
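The vault, access and key creation parts of this step can be done with Az PowerShell. The block below is an added example, not code from the control page or from Microsoft: it provisions the two Premium vaults, grants the Microsoft 365 data-at-rest service principal the minimum key permissions Customer Key needs, and generates RSA-HSM keys with an expiry matching quarterly rotation. The resource group, vault names, regions and the service principal object ID are placeholders. It uses access policies; if the vault is configured for RBAC authorization instead, the equivalent role assignment replaces the Set-AzKeyVaultAccessPolicy call.

```powershell
# Added example: Premium (HSM-backed) Key Vaults and RSA-HSM customer keys.
Import-Module Az.KeyVault

$resourceGroup = 'rg-fsi-customerkey'                        # placeholder
$vaults = @(
    @{ Name = 'kv-fsi-m365-eastus'; Location = 'eastus' }    # Region A (placeholder)
    @{ Name = 'kv-fsi-m365-westus'; Location = 'westus' }    # Region B (placeholder)
)
# Object ID of the Microsoft 365 data-at-rest encryption service principal in
# this tenant. Placeholder: it is tenant specific and must be looked up in Entra ID.
$m365DataAtRestSpObjectId = '00000000-0000-0000-0000-000000000000'
$keyName   = 'M365CustomerKey'
$expiresOn = (Get-Date).AddMonths(3)   # quarterly rotation (Tier 3)

foreach ($v in $vaults) {
    # Premium SKU is required for HSM-protected keys. Purge protection means a
    # deleted key cannot be destroyed before the retention period ends; losing
    # the key would make every DEP-protected object unreadable.
    $vault = New-AzKeyVault -Name $v.Name -ResourceGroupName $resourceGroup `
        -Location $v.Location -Sku Premium -EnablePurgeProtection

    # Customer Key only needs get/wrapKey/unwrapKey on keys; grant nothing more.
    Set-AzKeyVaultAccessPolicy -VaultName $v.Name -ObjectId $m365DataAtRestSpObjectId `
        -PermissionsToKeys get, wrapKey, unwrapKey

    # -Destination HSM keeps the key material inside the HSM (key type RSA-HSM).
    $key = Add-AzKeyVaultKey -VaultName $v.Name -Name $keyName `
        -Destination HSM -KeyType RSA -Size 4096 -Expires $expiresOn

    # Summary row; KeyId is the versioned URI to supply when registering the DEP.
    [pscustomobject]@{
        Vault     = $vault.VaultName
        Sku       = $vault.Sku
        PurgeProt = $vault.EnablePurgeProtection
        KeyId     = $key.Id
        KeyType   = $key.Key.Kty       # expected "RSA-HSM"
        Expires   = $key.Expires
    }
}
```

Keep the two KeyId values from the output; they are the Key Vault URIs the DEP registration in step 4 asks for, and the same values the "Configure Customer Key with PowerShell" section later on passes to New-DataEncryptionPolicy.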

Step 4: Configure Power Platform Encryption

Portal Path: Power Platform Admin Center → Environments → [Environment] → Settings → Encryption

  1. Navigate to Power Platform Admin Center (admin.powerplatform.microsoft.com)
  2. Select Environments → choose environment
  3. Click Settings → expand Product → select Encryption
  4. Customer Managed Key Configuration:
     • Click Manage encryption key
     • Select Customer-managed key
     • Provide Azure Key Vault URI
     • Select the encryption key
  5. Verify Encryption:
     • Status should show "Encryption key managed by customer"
     • Key vault name and key name displayed
  6. Configure for Each Environment:
     • Repeat for all Tier 2/3 production environments
     • Document key-to-environment mapping

Step 5: Configure SharePoint Encryption with Customer Key

Portal Path: SharePoint Admin Center → Settings → Encryption

  1. Navigate to SharePoint Admin Center (admin.sharepoint.com)
  2. Select Settings → Encryption
  3. Apply Customer Key DEP:
     • Select sites containing agent knowledge sources
     • Apply Data Encryption Policy created in Step 3
  4. OneDrive Encryption:
     • Customer Key DEP applies to user OneDrive locations
     • Verify agent-accessed OneDrive locations are covered
  5. Verify Encryption Status:
     • Use PowerShell to check individual sites:

     Get-SPOSite -Identity "https://tenant.sharepoint.com/sites/AgentKB" |
         Select-Object Url, SensitivityLabel, EncryptionStatus

Step 6: Configure Sensitivity Label Encryption

Portal Path: Microsoft Purview → Information protection → Labels

  1. Navigate to Microsoft Purview → Information protection
  2. Select Labels → choose label or create new
  3. Click Edit label → Encryption
  4. Configure Encryption Settings:
     • Enable Apply encryption
     • Choose Assign permissions now or Let users assign permissions
  5. For Agent-Accessed Content:
     • Select Assign permissions now
     • Add service accounts used by agents
     • Grant View permission minimum
  6. Double Key Encryption (for highly sensitive):
     • Enable Use Double Key Encryption
     • Configure DKE endpoint
     • Note: May limit some agent functionality
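The same label settings can be applied from Security & Compliance PowerShell, which makes the "View permission minimum" rule reviewable as code. The block below is an added example, not from the control page: it enables encryption on an existing label, grants the agent service accounts VIEW only, and optionally sets a DKE endpoint. The label name, service account and DKE URL are placeholders.

```powershell
# Added example: label encryption with agent service accounts limited to VIEW.
Connect-IPPSSession

$labelName     = 'FSI-Agent-Confidential'                          # placeholder
$agentAccounts = @('svc-copilot-agent@yourtenant.onmicrosoft.com') # placeholder
$dkeEndpoint   = 'https://dke.yourtenant.example/KeyName'          # placeholder
$useDke        = $false   # set to $true for MNPI-grade content; expect reduced agent functionality

# Rights definition format: principal:RIGHT,RIGHT;principal:RIGHT
# VIEW is the minimum the agent needs to ground answers on the content; any
# additional right widens what a compromised agent identity could do with it.
$rights = ($agentAccounts | ForEach-Object { "${_}:VIEW" }) -join ';'

Set-Label -Identity $labelName `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

if ($useDke) {
    Set-Label -Identity $labelName -EncryptionDoubleKeyEncryptionUrl $dkeEndpoint
}

# Verify what was applied.
Get-Label -Identity $labelName |
    Select-Object DisplayName, EncryptionEnabled, EncryptionRightsDefinitions
```

Because label policy changes take time to reach clients, re-run the Get-Label check after the change and confirm with a test document that the agent account can read but not edit or copy the content.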

Step 7: Verify Dataverse Encryption

Portal Path: Power Platform Admin Center → Environments → [Environment] → Settings → Database

  1. Navigate to Power Platform Admin Center
  2. Select Environments → choose production environment
  3. Click Settings → Features
  4. Verify Encryption Settings:
     • Dataverse uses Azure SQL encryption by default
     • TDE (Transparent Data Encryption) is enabled
  5. For Customer-Managed Keys:
     • CMK configured in Step 4 applies to Dataverse
     • Verify key status is "Active"

Step 8: Configure Key Rotation Schedule

Create Key Rotation Process:

  1. Establish Rotation Schedule:
     • Tier 1: Annual key rotation
     • Tier 2: Semi-annual key rotation
     • Tier 3: Quarterly key rotation
  2. Configure Automated Rotation (Azure):

     Azure Key Vault → Keys → [Key] → Rotation policy → Enable
     Set rotation frequency per zone requirements
     Configure notification 30 days before expiration

  3. Document Rotation Procedures:
     • Key creation process
     • DEP update procedure
     • Validation steps
     • Rollback procedure
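Putting the schedule, the automated rotation and the DEP update together, the following is an added example (not the control page's own code) that writes a tier-based rotation policy to each customer key with Az PowerShell and then refreshes the DEP so Microsoft 365 picks up the new key version. It assumes Az.KeyVault 4.x or later for the rotation-policy cmdlets; the vault, key and DEP names are placeholders matching the ones used elsewhere on this page.

```powershell
# Added example: tier-based Key Vault rotation policy plus DEP refresh.
Import-Module Az.KeyVault

# Rotation interval per tier: Tier 1 annual, Tier 2 semi-annual, Tier 3 quarterly.
$rotationDaysByTier     = @{ 1 = 365; 2 = 182; 3 = 90 }
$notifyDaysBeforeExpiry = 30

function Set-TierKeyRotationPolicy {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $KeyName,
        [Parameter(Mandatory)] [ValidateSet(1, 2, 3)] [int] $Tier
    )
    $days = $rotationDaysByTier[$Tier]
    # Rotate before expiry so a new version exists while the old one is still
    # valid, and notify 30 days ahead so the DEP refresh can be scheduled in a
    # maintenance window (see Issue 4 under Troubleshooting).
    $rotate = [Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationLifetimeAction]@{
        Action          = 'Rotate'
        TimeAfterCreate = New-TimeSpan -Days ($days - $notifyDaysBeforeExpiry)
    }
    $notify = [Microsoft.Azure.Commands.KeyVault.Models.PSKeyRotationLifetimeAction]@{
        Action           = 'Notify'
        TimeBeforeExpiry = New-TimeSpan -Days $notifyDaysBeforeExpiry
    }
    Set-AzKeyVaultKeyRotationPolicy -VaultName $VaultName -KeyName $KeyName `
        -ExpiresIn (New-TimeSpan -Days $days) `
        -KeyRotationLifetimeAction $rotate, $notify
}

# Apply the Tier 3 (quarterly) policy to both redundant vaults (placeholder names).
foreach ($vault in 'kv-fsi-m365-eastus', 'kv-fsi-m365-westus') {
    Set-TierKeyRotationPolicy -VaultName $vault -KeyName 'M365CustomerKey' -Tier 3
    Get-AzKeyVaultKeyRotationPolicy -VaultName $vault -KeyName 'M365CustomerKey'
}

# Once a new key version exists (automatic rotation, or Invoke-AzKeyVaultKeyRotation
# for an on-demand rotation), the DEP must be refreshed; until then Microsoft 365
# keeps wrapping with the previous version.
Connect-ExchangeOnline
Set-DataEncryptionPolicy -Identity 'FSI-AgentData-DEP' -Refresh
Get-DataEncryptionPolicy -Identity 'FSI-AgentData-DEP' | Format-List Name, Enabled, AzureKeyIDs
```

Record the Get-AzKeyVaultKeyRotationPolicy and Get-DataEncryptionPolicy output with each rotation; that pair of snapshots is the "rotation events documented" evidence the Verification Steps section asks for.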

PowerShell Configuration

Verify Microsoft 365 Encryption Status

# Connect to Exchange Online
Connect-ExchangeOnline

# Check organization encryption configuration
Get-OrganizationConfig | Select-Object *Encryption*, *TLS*

# Verify Customer Key DEP status
Get-DataEncryptionPolicy | Format-Table Name, State, AzureKeyVaultConfig -AutoSize

# Check mailbox encryption
$testMailbox = "user@domain.com"
Get-MailboxStatistics $testMailbox | Select-Object DisplayName, ItemCount, TotalItemSize

# Verify TLS enforcement
Get-TransportConfig | Select-Object TLSReceiveDomainSecureList, TLSSendDomainSecureList

# Disconnect
Disconnect-ExchangeOnline -Confirm:$false

Configure Customer Key with PowerShell

# Install required modules
Install-Module -Name ExchangeOnlineManagement
Install-Module -Name Az.KeyVault

# Connect to services
Connect-ExchangeOnline
Connect-AzAccount

# Create Data Encryption Policy
$keyVault1 = "https://keyvault1.vault.azure.net/keys/M365CustomerKey/version1"
$keyVault2 = "https://keyvault2.vault.azure.net/keys/M365CustomerKey/version2"

New-DataEncryptionPolicy -Name "FSI-AgentData-DEP" `
    -AzureKeyIDs @($keyVault1, $keyVault2) `
    -Description "Customer Key DEP for agent data"

# Verify DEP creation
Get-DataEncryptionPolicy "FSI-AgentData-DEP"

# Apply DEP to mailboxes (for agent conversation storage)
$agentMailbox = "copilot-agents@domain.com"
Set-Mailbox -Identity $agentMailbox -DataEncryptionPolicy "FSI-AgentData-DEP"

# Verify application
Get-Mailbox $agentMailbox | Select-Object DataEncryptionPolicy

Verify SharePoint Encryption

# Connect to SharePoint Online
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"

# Get all sites with agent access
$agentSites = @(
    "https://yourtenant.sharepoint.com/sites/AgentKnowledgeBase",
    "https://yourtenant.sharepoint.com/sites/CustomerData",
    "https://yourtenant.sharepoint.com/sites/TradingDocuments"
)

# Check encryption status for each site
foreach ($site in $agentSites) {
    $siteInfo = Get-SPOSite -Identity $site
    Write-Host "Site: $site" -ForegroundColor Cyan
    Write-Host "  Sensitivity Label: $($siteInfo.SensitivityLabel)"
    Write-Host "  Conditional Access Policy: $($siteInfo.ConditionalAccessPolicy)"
}

# Apply Customer Key to specific site
Set-SPOSite -Identity "https://yourtenant.sharepoint.com/sites/AgentKnowledgeBase" `
    -DataEncryptionPolicy "FSI-AgentData-DEP"

Key Vault Health Check

# Connect to Azure
Connect-AzAccount

# Get Key Vault information
$vaultName = "FSI-M365-KeyVault"
$vault = Get-AzKeyVault -VaultName $vaultName

Write-Host "=== Key Vault Status ===" -ForegroundColor Cyan
Write-Host "Name: $($vault.VaultName)"
Write-Host "SKU: $($vault.Sku)"
Write-Host "Soft Delete: $($vault.EnableSoftDelete)"
Write-Host "Purge Protection: $($vault.EnablePurgeProtection)"

# List encryption keys
$keys = Get-AzKeyVaultKey -VaultName $vaultName

Write-Host "`n=== Encryption Keys ===" -ForegroundColor Cyan
foreach ($key in $keys) {
    $keyDetails = Get-AzKeyVaultKey -VaultName $vaultName -Name $key.Name
    Write-Host "Key: $($key.Name)"
    Write-Host "  Type: $($keyDetails.KeyType)"
    Write-Host "  Size: $($keyDetails.KeySize)"
    Write-Host "  Created: $($keyDetails.Created)"
    Write-Host "  Expires: $($keyDetails.Expires)"
    Write-Host "  Enabled: $($keyDetails.Enabled)"

    # Check if rotation needed
    if ($keyDetails.Expires -and $keyDetails.Expires -lt (Get-Date).AddDays(30)) {
        Write-Host "  WARNING: Key expires within 30 days!" -ForegroundColor Red
    }
}

Financial Sector Considerations

Regulatory Alignment

Regulation          Requirement                              Encryption Implementation
GLBA 501(b)         Safeguard customer NPI                   TLS 1.2+ in transit, AES-256 at rest
SOX 404             Internal controls for financial data     CMK for financial record storage
FINRA 4511          Books and records protection             Encrypted storage with audit trail
SEC 17a-4           Non-rewritable, non-erasable             WORM storage with encryption
PCI DSS 4.0         Protect cardholder data                  Strong cryptography for transmission
FFIEC Guidelines    Encryption for sensitive data            Multi-layer encryption approach

Zone-Specific Configuration

Configuration            Zone 1 (Personal Productivity)   Zone 2 (Team Collaboration)   Zone 3 (Enterprise Managed)
Encryption at Rest       Microsoft-managed                Customer-managed key          CMK with HSM
Encryption in Transit    TLS 1.2                          TLS 1.2+, MTLS optional       TLS 1.3 + MTLS required
Key Storage              Microsoft managed                Azure Key Vault Standard      Azure Key Vault Premium (HSM)
Key Rotation             Microsoft managed                Annual                        Quarterly
Double Encryption        Not required                     Optional                      Required for MNPI
Key Recovery             N/A                              Documented procedure          Tested annually

FSI Use Case Example

Scenario: Trading Floor Agent with Customer Key

Requirements:

  • Agent accesses MNPI (Material Non-Public Information)
  • SEC 17a-4 compliance required
  • Quarterly key rotation mandated

Implementation:

  1. Azure Key Vault Premium with HSM backing
  2. Customer Key DEP applied to:
     • Agent Dataverse environment
     • SharePoint knowledge base sites
     • User mailboxes storing agent conversations
  3. Key Rotation:
     • Quarterly rotation schedule configured
     • 30-day advance notification
     • Documented rotation procedure
  4. Audit Trail:
     • Key Vault diagnostic logs to SIEM
     • Access logged for all key operations
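The audit-trail item above is the part of this scenario most often asked for in examinations, so here is an added example (not from the control page) of wiring it up and checking it: it routes the vault's AuditEvent category to a Log Analytics workspace used as the SIEM feed, then runs a KQL query for denied or failed operations on the customer key over the last 24 hours. The subscription, resource group, vault, workspace IDs and the diagnostic setting name are placeholders; the cmdlets come from Az.Monitor 3.x+ and Az.OperationalInsights.

```powershell
# Added example: Key Vault audit events to Log Analytics, plus a denied-access query.
Import-Module Az.Monitor, Az.OperationalInsights

# Placeholders: substitute the tenant's own resource IDs.
$vaultResourceId     = '/subscriptions/<sub-id>/resourceGroups/rg-fsi-customerkey/providers/Microsoft.KeyVault/vaults/kv-fsi-m365-eastus'
$workspaceResourceId = '/subscriptions/<sub-id>/resourceGroups/rg-fsi-logs/providers/Microsoft.OperationalInsights/workspaces/law-fsi-siem'
$workspaceId         = '<workspace-customer-id-guid>'   # the workspace's Customer ID, not its resource ID

# AuditEvent records every key, secret and certificate operation against the vault.
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Category 'AuditEvent' -Enabled $true
New-AzDiagnosticSetting -Name 'kv-audit-to-siem' -ResourceId $vaultResourceId `
    -WorkspaceId $workspaceResourceId -Log $auditLog

# Detection query: key operations that did not succeed. A Forbidden KeyWrap or
# KeyUnwrap against the customer key means either a misconfigured access policy
# (service outage risk) or an identity that should not be touching the key.
$kql = @'
AzureDiagnostics
| where ResourceType == "VAULTS" and Category == "AuditEvent"
| where TimeGenerated > ago(24h)
| where OperationName in ("KeyWrap", "KeyUnwrap", "KeyGet", "KeyDelete", "KeyPurge")
| where ResultType != "Success"
| project TimeGenerated, OperationName, ResultSignature, CallerIPAddress,
          Caller = coalesce(identity_claim_upn_s, identity_claim_appid_g), KeyUri = id_s
| order by TimeGenerated desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql
$result.Results | Format-Table -AutoSize
```

Run the query on a schedule (or turn it into a SIEM analytics rule) and pair it with the "Key Vault logs flowing to SIEM" check under Verification Steps: an empty result set is only meaningful if successful KeyWrap/KeyUnwrap events are also visible in the same workspace.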

Regulatory Benefit:

  • Customer-controlled encryption meets GLBA requirements
  • Key rotation documentation satisfies examiner inquiries
  • HSM backing meets SOX 404 internal control requirements

Verification & Testing

Verification Steps

  1. TLS Verification:
     • [ ] Test endpoint with SSL Labs (ssllabs.com)
     • [ ] Verify TLS 1.2+ for all agent communications
     • [ ] Confirm legacy TLS disabled
     • [ ] Check certificate validity
  2. At-Rest Encryption:
     • [ ] Verify Dataverse encryption status
     • [ ] Check SharePoint site encryption
     • [ ] Confirm Exchange mailbox encryption
     • [ ] Validate CMK DEP assignment
  3. Key Management:
     • [ ] Verify Key Vault accessibility
     • [ ] Check key expiration dates
     • [ ] Test key rotation procedure
     • [ ] Validate backup/recovery process
  4. Audit Trail:
     • [ ] Key Vault logs flowing to SIEM
     • [ ] Encryption events captured in audit
     • [ ] Access attempts logged
     • [ ] Rotation events documented

Compliance Checklist

  • [ ] TLS 1.2+ enforced for all agent communications
  • [ ] Customer-managed keys configured for Tier 2/3
  • [ ] Key rotation schedule documented
  • [ ] HSM backing for Tier 3 keys
  • [ ] Encryption audit logs retained per policy
  • [ ] Annual key management review completed

Troubleshooting & Validation

Issue 1: Customer Key DEP Creation Fails

Symptoms: Error creating Data Encryption Policy

Resolution:

  1. Verify Key Vault access permissions
  2. Check that both Key Vaults are in different regions
  3. Ensure keys are RSA-HSM type for Premium SKU
  4. Validate Microsoft 365 service registration
  5. Check Azure subscription isn't suspended

Issue 2: Agent Cannot Access CMK-Protected Content

Symptoms: Agent errors accessing SharePoint or Dataverse

Resolution:

  1. Verify agent service account permissions
  2. Check Key Vault availability
  3. Validate DEP is active (not revoked)
  4. Review agent connection permissions
  5. Check for key rotation in progress

Issue 3: Key Vault Unavailable

Symptoms: Services degraded, encryption operations failing

Resolution:

  1. Check Azure Key Vault service health
  2. Verify network connectivity to Key Vault
  3. Review access policies for changes
  4. Check for soft-delete or purge actions
  5. Initiate failover to secondary Key Vault

Issue 4: Key Rotation Disrupts Service

Symptoms: Service errors after key rotation

Resolution:

  1. Allow time for key propagation (up to 24 hours)
  2. Verify new key is properly associated
  3. Check DEP update completed successfully
  4. Roll back if critical services affected
  5. Schedule rotation during maintenance window

Additional Resources


Control ID   Control Name                  Relationship
1.5          DLP and Sensitivity Labels    Label-based encryption
1.16         IRM for Documents             Document-level protection
1.7          Audit Logging                 Encryption audit events
2.1          Managed Environments          Environment encryption
4.3          Retention Management          Encrypted retention

Support & Questions

For implementation support or questions about this control, contact:

  • AI Governance Lead (governance direction)
  • Compliance Officer (regulatory requirements)
  • Technical Implementation Team (platform setup)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification