Use customer-managed keys to control encryption keys for data at rest
Microsoft services adhere to data privacy and compliance requirements when they secure customer data by encrypting data at rest. This practice secures the data from being exposed if a copy of the database is stolen. When data encryption at rest is used, any stolen database data is protected from being restored to a different server without the encryption key.
By default, data is encrypted by using Microsoft-managed keys. However, if you want more control over your encryption keys, you can manage your own keys by using customer-managed keys (CMKs) instead. CMKs must be stored in Microsoft Azure Key Vault.
This article explains how to set up CMKs to control encryption keys for data at rest in finance and operations environments.
Important
- The CMK feature is provided through Microsoft Power Platform. It applies to environments that run one or more finance and operations apps that are integrated with Microsoft Power Platform. It also applies to all environment-specific resources, including SQL databases and Azure storage accounts. (For more information, see Enable the Microsoft Power Platform integration.)
- This feature is being gradually rolled out across regions and might not yet be available in your region.
- CMK policy enforcement doesn't include cloud-hosted environments because these environments are deployed in customer-managed subscriptions. For more information on best practices for securing cloud-hosted environment, see Secure one-box development environments.
- Refer to Licensing requirements for customer managed key.
Enable CMKs
You can enable enforcement of the CMK policy for finance and operations environments where Microsoft Power Platform integration is enabled). Finance and operations environments without Microsoft Power Platform integration will continue to use Microsoft-managed keys to encrypt their data.
After the CMK policy is enabled, it also applies to environment-specific resources, including SQL databases and Azure storage accounts. For details and exceptions across services, see the CMK support across finance and operations apps section later in this article.
To enable customer-managed keys for your finance and operations apps environment, follow these steps:
Enable the Microsoft Power Platform integration.
Note
If you set up integration with an existing Power Platform environment, CMKs shouldn't be enabled in that environment before integration. (Support for that scenario will be enabled in future.)
After Microsoft Power Platform integration is enabled, the environment name will be shown in the Power Platform environment information on the environment details page in Microsoft Dynamics Lifecycle Services. This name is also the name of your Dataverse organization. Make a note of the environment name, because you'll need it for the next steps.
Note
The name of your finance and operations environment might differ.
Enable CMKs in Microsoft Power Platform, and create an enterprise policy.
Add the environment that has the previously noted name to the enterprise policy.
CMK support for add-ins
Lifecycle Services might provide several add-ins for finance and operations environments that are integrated with Microsoft Power Platform. However, some add-ins provide only partial support, or no support, for CMKs. The following table describes the limitations that apply to various add-ins.
| Add In | Status |
|---|---|
| Tax Calculation | Deployments of the Tax Calculation add-in that use the stand-alone Regulatory Configuration Service (RCS) don't support CMKs for the encryption of related resources. Support for CMKs is expected in late 2023, when RCS functionality is added to the finance and operations platform. |
| Electronic Invoicing | Deployments of the Electronic Invoicing add-in that use stand-alone RCS don't support CMKs for the encryption of related resources. Support for CMKs is expected in late 2023, when RCS functionality is added to the finance and operations platform. |
| All other add-ins | All other add-ins support CMK policies. |
CMK support across finance and operations apps
Not all finance and operations apps support CMK policies. The following table describes the CMK support status of each app.
| App | Status |
|---|---|
| Dynamics 365 Supply Chain Management | Finance and operations environments that are provisioned under Dynamics 365 Supply Chain Management support CMKs for the encryption of all environment-specific resources at rest. |
| Dynamics 365 Human Resources | Dynamics 365 Human Resources installations that are provisioned via a finance and operations environment support CMKs for all environment-specific resources. The Human Resources stand-alone app doesn't support CMKs. To enable the use of CMKs, you must first use migration tooling to migrate your stand-alone Human Resources environment to a finance and operations environment. |
| Dynamics 365 Finance | Finance and operations environments that are provisioned under Dynamics 365 Finance support CMKs for all environment-specific resources. Note: If you use RCS to complement your Dynamics 365 Finance environment, data that's managed under RCS environments doesn't currently support CMKs. Support for CMKs is expected in late 2023, when RCS functionality becomes available for finance and operations apps. |
| Dynamics 365 Commerce | Finance and operations environments that are provisioned under Dynamics 365 Commerce support CMKs for all environment-specific resources except the e-commerce content management system (CMS) and recommendations. CMK support for the e-commerce CMS is expected to be enabled in the future. CMKs can't be applied to Commerce Scale Units, e-commerce, and ratings and reviews components that are located in a different geo than the finance and operations environment that CMKs are enabled for. |
| Microsoft Dynamics Lifecycle Services | Data that you store in Lifecycle Services (such as file assets, methodologies, task recorder data, and any other project metadata) won't be encrypted by using CMKs. CMK support for Lifecycle Services metadata is expected sometime in the future. |
| Demand planning app | Demand planning app for Dynamics 365 Supply Chain Management doesn't fully support CMKs. Full CMK support is expected sometime in the future. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for