Lock environments by revoking key vault and/or key permission access
Since separate encryption keys can be used to encrypt different Microsoft Dataverse environments, you can separately lock these environments by revoking key vault access to the respective enterprise policy. Locking key vault or key access can only be done by the Azure Key Vault admin. There's no advanced warning to the Power Platform admin or users when an Azure Key Vault admin revoked key access.
Key access revocation can be triggered by completing any of the following tasks:
Revoking key vault permissions from the enterprise policy.
Disabling the encryption key.
Deleting the encryption key.
Deleting the key vault.
Deleting the enterprise policy.
Disabling the key version.
Disabling key vault networking's public access.
Adding a virtual network or adding an IP range outside of Microsoft services' reach.
Caution
You should never revoke key access as part of your normal business process. When you revoked key access, all environments associated with the enterprise policy will be taken completely offline immediately and your users who were active in the environment will experience unplanned downtime including data loss. If you decide to leave the service, locking the environment can ensure that your customer data can never be accessed again by anyone, including Microsoft. Note the following about environments locking:
- Locked environments can't be restored from backup.
- Locked environment's data can't be copied to another environment.
- Locked production and sandbox environment's data persist in the platform but it can't be accessed.
Unlock environments
To unlock environments, all key access permissions must be restored for the original encryption key. Submit a Microsoft Support request to unlock and enable the environments. The environments can only be enabled when the original encryption key used to encrypt the customer data is restored.
Important
Locked environments can't be enabled by an administrator when the key access permissions are restored. Environments remain disabled until a Microsoft Support request is received.
See also
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for