Share via

Best solution for given scenario - Customer-Managed Key for SharePoint and Onedrive

Anonymous
2025-01-10T18:21:31+00:00

Hi

Company A with M365 tenant and azure subscritpion. 

Company A is working with many clients all over Europe. The partners sending files to Company A over emails. People in Company A are uploading the files to SharePoint dedicated sites and label those files.

Each partner has a dedicated site in SharePoint. Poeple share files over OneDrive as well.

Files that are being worked on, when completed, are being sent back to the partners.

Requirement:

  1. Automatic Labeling of incoming files based on the partner company name and content type.
  2. Encryption using Customer Managed Key for SharePoint for all uploaded files based on their labels. Each partner site and documents should have separate (dedicated) encryption key (Site A - customer 1; site B - Customer 2 etc.) . on the labels. 
  3. Encryption using Customer Managed Key for OneDrive.
  4. Access to people who work on the documents (same people can work on documents for more than one partner company)
  5. Once the file is completed, it needs to be decrypted and then it is sent back to the partner company.
  6. Automation of the above.

How to satisfy this requirement?

What are step by step things to be implemented?

What are the prerequisites?

How many DEP we need to implement?

How many new azure subscriptions?

Is there a way to get a test azure sub for POC?

Microsoft 365 and Office | SharePoint | For business | Windows

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2025-01-11T03:30:07+00:00

    Hi MKJKR,

    Thanks for posting in the community. We are happy to help you.

    Regarding your questions, I recommend you view the following information.

    1. Automatic Labeling of Incoming Files

    Use Microsoft Information Protection to create and apply sensitivity labels and set up auto labeling policies in the Microsoft 365 compliance center to automatically apply labels for different sites. Create the relevant sensitivity label and labeling policy for each site.

    Learn about sensitivity labels

    Automatically apply a sensitivity label to Microsoft 365 data

    2,3. Encryption Using Customer Managed Key for SharePoint/OneDrive

    Azure Key Vault: set up Azure Key Vault to manage your encryption keys.

    Azure Key Vault basic concepts

    Data Encryption Policies (DEP): If you're using the multi-geo feature, you can create one DEP per geo for your organization. If you're not using the multi-geo feature, you can only create one DEP per tenant.

    Learn about data encryption policies

    Configure Customer Key:
    Overview of service encryption with Microsoft Purview Customer Key

    Set up Customer Key

    1. Access Control

    Microsoft 365 Group: create groups to manage users who work on documents for each partner company.

    SharePoint Permission: assign appropriate permissions to these groups so users in the group can access the relevant SharePoint sites or OneDrive sites.

    Regarding other questions, since they are related to Azure, our team focuses on general SharePoint built-in queries, and in case we have provided incorrect information for your questions about Azure and Data Encryption/Decryption, I recommend you post a new thread in the Microsoft Q&A Community, which is a forum dedicated to Azure-related questions. You can click "Ask a question" and add the relevant tags, such as Azure Key Vault, Azure Data Factory, etc. in this community.

    Sorry that our category may have limited resources on checking on your concern further. Thank you for your cooperation and understanding!

    Sincerely,

    George | Microsoft Community Moderator

    Was this answer helpful?

    2 people found this answer helpful.
    0 comments
  2. Anonymous
    2025-01-15T16:26:41+00:00

    Hi MKJKR,

    Thanks for posting back and sorry for my late reply.

    Since your query is related to Data Encryption Policy and Customer-Managed Keys, and our team focuses on queries about SharePoint built-in functionality, in this case, in case we are providing incorrect information, I would suggest that you post a new thread in the Microsoft Q&A Community, which is a specific channel for questions about Data Encryption Policy and Customer-Managed Keys. You can click "Ask a question" and add the tags Azure Key Vaultand Azure Data Factory when posting the new thread.

    Sorry that our category may have limited resources on checking on your concern further.

    In the meantime, we welcome community members to share ideas about the situation if one has related experiences.

    Thanks for your understanding.

    George | Microsoft Community Moderator

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments
  3. Anonymous
    2025-01-12T16:35:36+00:00

    Thank you, George, for your helpful response.

    I'd like to clarify further:

    I understand that one Data Encryption Policy (DEP) can have multiple Customer-Managed Keys (CMKs).

    However, only one DEP can be assigned at a time for the entire tenant.

    In this case, is it possible for a single DEP to have multiple Customer-Managed Keys (CMKs) assigned to different SharePoint Online site collections?

    If not, this doesn't meet our requirements. What would be the best alternative in such a scenario?

    Was this answer helpful?

    0 comments