Note
The new and improved Power Platform admin center is now generally available. We're currently updating the documentation to reflect these changes, so check back to ensure that you're getting the latest updates.
Since separate encryption keys can be used to encrypt different Microsoft Dataverse environments, you can separately lock these environments by revoking key vault access to the respective enterprise policy. Locking key vault or key access can only be done by the Azure Key Vault admin. There's no advance warning to the Power Platform admin or users when an Azure Key Vault admin revokes key access.
Key access revocation can be triggered by completing any of the following tasks:
- Revoking key vault permissions from the enterprise policy.
- Disabling the encryption key.
- Deleting the encryption key.
- Deleting the key vault.
- Deleting the enterprise policy.
- Disabling the key version.
- Disabling key vault networking's public access.
- Adding a virtual network or adding an IP range outside of Microsoft services' reach.
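Because none of these tasks produces a warning, a Key Vault admin can check the vault and key state before and after a change. The following is an added example, not Microsoft's code: it reads the JSON printed by `az keyvault show` and `az keyvault key show` and reports which of the Key Vault-side conditions listed above are present. The required permission set, the firewall heuristic, and the sample object ID are assumptions.

```python
# Added example. Field names follow the JSON printed by `az keyvault show` and
# `az keyvault key show`; the required permission set is an assumption.
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}

def revocation_findings(vault, key, policy_object_id):
    """List conditions that would cut the enterprise policy off from its key."""
    if vault is None:
        return ["key vault not found (deleted)"]
    findings = []
    props = vault.get("properties", {})
    if props.get("enableRbacAuthorization"):
        # RBAC vaults ignore access policies; role assignments need a separate check.
        findings.append("RBAC vault: verify the policy's role assignment separately")
    else:
        granted = set()
        for ap in props.get("accessPolicies") or []:
            if ap.get("objectId") == policy_object_id:
                granted |= {p.lower() for p in (ap.get("permissions") or {}).get("keys") or []}
        missing = REQUIRED_KEY_PERMS - granted
        if missing:
            findings.append("policy lacks key permissions: " + ", ".join(sorted(missing)))
    if str(props.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        findings.append("public network access is disabled")
    acls = props.get("networkAcls") or {}
    if acls.get("defaultAction") == "Deny" and "AzureServices" not in str(acls.get("bypass")):
        # Assumption: deny-by-default without the trusted-services bypass is flagged.
        findings.append("firewall denies by default without AzureServices bypass")
    if key is None:
        findings.append("encryption key not found (deleted)")
    elif not (key.get("attributes") or {}).get("enabled", False):
        findings.append("encryption key or key version is disabled")
    return findings

# Constructed sample state, not real resources.
POLICY_ID = "00000000-0000-0000-0000-000000000001"
HEALTHY_VAULT = {"properties": {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
    "accessPolicies": [{"objectId": POLICY_ID,
                        "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}}]}}
HEALTHY_KEY = {"attributes": {"enabled": True}}
LOCKING_VAULT = {"properties": {
    "publicNetworkAccess": "Disabled",
    "networkAcls": {"defaultAction": "Deny", "bypass": "None"},
    "accessPolicies": [{"objectId": POLICY_ID, "permissions": {"keys": ["get"]}}]}}

if __name__ == "__main__":
    print(revocation_findings(LOCKING_VAULT, {"attributes": {"enabled": False}}, POLICY_ID))
```

An empty result means none of the checked conditions is present; deletion of the enterprise policy itself is outside what this check can see.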
Caution
You should never revoke key access as part of your normal business process. When you revoke key access, all environments associated with the enterprise policy are taken offline immediately and your users, who were active in the environment, experience unplanned downtime including data loss. If you decide to leave the service, locking the environment can ensure that your customer data can never be accessed again by anyone, including Microsoft. Note the following information about locked environments:
- Locked environments can't be restored from backup.
- Locked environment's data can't be copied to another environment.
- Locked production and sandbox environment's data persist in the platform but it can't be accessed.
- Locked sandbox environments are deleted after seven days and production environments are deleted after 30 days if key access isn't restored.
Enterprise policy status check (preview)
[This section is prerelease documentation and is subject to change.]
To ensure the smooth operation of your customer-managed key environments, the health of the enterprise policy is continually monitored. When the Azure key access is revoked, the enterprise policy is flagged as unhealthy and all the environments that are associated with the enterprise policy are shut down automatically. Users can't use these locked-out environments until the Azure key access is restored.
Important
- This is a preview feature.
- Preview features aren’t meant for production use and might have restricted functionality. These features are subject to supplemental terms of use, and are available before an official release so that customers can get early access and provide feedback.
When an environment is shut down because the enterprise policy status is unhealthy, an Environment disabled message is displayed on the environment details page.
Unlock environments (preview)
[This section is prerelease documentation and is subject to change.]
To unlock environments, all key access permissions must be restored for the original encryption key. The environments can only be turned on when the original Azure encryption key, used to encrypt the customer data, is restored.
Reenable the environments to unlock them:
1. Sign in to the Power Platform admin center.
2. Select Manage in the navigation pane, and then on the Manage page, select Environments.
3. On the Environments page, open an environment. Details about the environment are displayed.
4. In the Environment disabled card, select the Re-enable environment action.
Repeat this step for each environment that's associated with the enterprise policy to enable it.
It can take up to five minutes to re-enable the environment.
Important
Locked environments can be enabled by an admin. The admin must have read access to the enterprise policy when the key access permissions are restored. Environments can be enabled independently by the Power Platform admin after the Azure key is restored.