Yes, you can put “toxic” data in Office 365

As a writer for our enterprise customers at Microsoft I understand how challenging it can be to sort out security capabilities, especially for the most sensitive data, often referred to as “toxic” data. This is trade secret, highly regulated, classified, or any type of data a customer wants to ensure remains encrypted and undecipherable to outsiders (and even Microsoft) under whatever terrible scenarios can be imagined.

The good news is we have a supported solution — Hold Your Own Key (HYOK) with Azure Information Protection and Active Directory Rights Management Service (AD RMS). Essentially, use on-premises AD RMS to configure protection using an encryption key that you retain somewhere other than Azure Key Vault. Connect this with Azure Information Protection labels.

Users apply labels (and the corresponding protection) by using the Azure Information Protection client toolbar. The client is easy to use and can even suggest the appropriate label. After files are client-side encrypted, these toxic files can be stored in SharePoint Online or OneDrive for Business. You can use this same solution to classify all your data and apply the appropriate protection, if needed.


This solution allows you to take advantage of cloud storage for these files. You no longer need to host your own SharePoint farm (or other solution) on premises just for toxic data. This offloads a lot of security responsibility for infrastructure you would otherwise own.

Another less complex option is Bring Your Own Key (BYOK) with Azure Information Protection. With this solution, you store your encryption key in Azure Key Vault. This is a cloud-only solution. It doesn’t require on-premises components (AD RMS). For some customers, this doesn’t meet their requirement for toxic data because both the encryption key and the file is stored in Microsoft’s cloud.

The important thing to know about encrypting files using these HYOK and BYOK solutions is Microsoft services have no idea what’s inside these files. Therefore, capabilities like search, Delve, co-authoring, eDiscovery, and other collaborative features don’t work with these files. But this may be exactly what you desire for your toxic data.

Another capability coming soon is Office 365 service encryption with Customer Key. I mention this because it is causing some confusion with other BYOK solutions. With Customer Key, you bring your own key to Azure Key Vault and this key is used to encrypt files in SharePoint Online and One-Drive for Business. This is a tenant-wide solution (applies to all your files) and is intended specifically to help customers meet a regulatory requirement. Customer Key works together with all the collaborative capabilities of Office 365. This is not the solution to use if you require protection that travels with files outside the service.

If you’re talking with your Microsoft account team (or Microsoft solution provider) about BYOK options, be sure everybody understands the difference between BYOK with Azure Information Protection and Office 365 Customer Key. This can save time.

Finally, before you invest in a HYOK or BYOK solution, be sure you really need it. We hear from a lot of customers who think they need this level of protection but learn they can accomplish their goals with capabilities that are much easier to implement. You can gain a lot of protection with permissions, external sharing policies, data loss protection, device access policies, and other capabilities.

Learn more about the IT architecture for these encryption solutions along with other capabilities you can use to protect data by downloading our newly published content: File Protection Solutions in Office 365 (

Also, if you put in the effort to protect your sensitive data at higher levels, be sure to also protect the identities and devices that access this data at comparable levels. Identity and Device Protection for Office 365 ( shows you which capabilities are comparable.