
Roll or rotate a Customer Key or an availability key

Caution

Roll an encryption key used with Customer Key only if required by your organization's security or compliance policies.

Do not delete or disable any keys, including older versions, that are or were associated with encryption policies. When you roll your keys, some content might still be encrypted with the previous keys.

For example:

  • Active mailboxes are re-encrypted frequently, but inactive, disconnected, or disabled mailboxes might still use older keys.
  • SharePoint retains backup content for restore and recovery, which might also rely on older keys.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.

About rolling the availability key

Microsoft doesn't provide customers with direct control over the availability key. You can only roll the keys you manage yourself in Azure Key Vault.

Microsoft 365 rolls the availability key on an internal schedule. There's no customer-facing service-level agreement (SLA) for these key rotations. Microsoft 365 uses service code to rotate the availability key automatically. In some cases, Microsoft administrators can initiate the process, but the key is rolled through automated mechanisms that don't allow direct access to the key store.

Microsoft administrators don't have provisioned access to the availability key secret store. The rolling process uses the same mechanism that generates the key during initial provisioning.

For more information, see Understand the availability key.

Important

For Exchange, you can effectively roll the availability key by creating a new data encryption policy (DEP). Each new DEP generates a unique availability key.

In contrast, availability keys for Customer Key in SharePoint and OneDrive are created at the forest level and shared across DEPs and customers. These keys are rolled only on a Microsoft-defined internal schedule.

Because the availability key isn't rolled with each new DEP, SharePoint, OneDrive, and Teams compensate by rolling the tenant intermediate key (TIK) every time you create a new DEP. The TIK is the key wrapped by both the customer root keys and the availability key.

About rolling customer-managed root keys

There are two ways to roll customer-managed root keys:

  • Update the existing key by requesting a new version and refreshing the associated data encryption policy (DEP).
  • Create and use a newly generated key along with a new DEP.

Instructions for both methods are provided in the following section.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Request a new version of each existing root key you want to roll

To request a new version of an existing key, use the same cmdlet, Add-AzKeyVaultKey, with the same syntax and key name that you used when creating the original key.

After you complete rolling a key associated with a data encryption policy (DEP), run a separate cmdlet to refresh the DEP and ensure that Customer Key uses the new version. Repeat this process in each Azure Key Vault (AKV).

Example:

  1. Sign in to your Azure subscription with Azure PowerShell. For instructions, see Sign in with Azure PowerShell.

  2. Run the Add-AzKeyVaultKey cmdlet:

    Add-AzKeyVaultKey -VaultName Contoso-CK-EX-NA-VaultA1 -Name Contoso-CK-EX-NA-VaultA1-Key001 -Destination HSM -KeyOps @('wrapKey','unwrapKey') -NotBefore (Get-Date -Date "12/27/2016 12:01 AM")

    In this example, a key named Contoso-CK-EX-NA-VaultA1-Key001 already exists in the Contoso-CK-EX-NA-VaultA1 vault. The cmdlet creates a new version of the key. Previous versions are retained in the key's version history.

    You need access to the previous version to decrypt any content that is still encrypted with it.

    Once you complete rolling a key associated with a DEP, run another cmdlet to ensure Customer Key starts using the new version. The following sections describe these cmdlets in more detail.

Update the keys for multi-workload DEPs

When you roll either of the Azure Key Vault keys associated with a data encryption policy (DEP) used across multiple workloads, you must update the DEP to reference the new key version. This action doesn't rotate the availability key.

The DataEncryptionPolicyID property remains the same when updating the DEP with a new version of the same key.

To instruct Customer Key to use the new key for encryption across multiple workloads, follow these steps:

  1. On your local computer, use a work or school account with the appropriate permissions, and connect to Exchange PowerShell.

  2. Run the Set-M365DataAtRestEncryptionPolicy cmdlet:

    Set-M365DataAtRestEncryptionPolicy -Identity <Policy> -Refresh

    Parameter    Description
    -Identity    Unique name or GUID of the data encryption policy

Update the keys for Exchange DEPs

When you roll either of the Azure Key Vault keys associated with a data encryption policy (DEP) used with Exchange, you must update the DEP to reference the new key version. This step doesn't rotate the availability key.

The DataEncryptionPolicyID property for the mailbox stays the same when updating the policy with a new version of the same key.

To instruct Customer Key to use the new key for mailbox encryption, follow these steps:

  1. On your local computer, use a work or school account with the appropriate permissions, and connect to Exchange PowerShell.

  2. Run the Set-DataEncryptionPolicy cmdlet:

    Set-DataEncryptionPolicy -Identity <Policy> -Refresh

    Parameter    Description
    -Identity    Unique name or GUID of the data encryption policy
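The following script is an added example, not code from the original page or from Microsoft: it puts the two steps above together for an Exchange DEP, adding a new version to each root key, checking that no older version has been disabled (the caution at the top of the page), and then refreshing the DEP. Vault, key, and policy names are constructed placeholders; it assumes Connect-AzAccount and Connect-ExchangeOnline have already been run.

```powershell
# Added example (not from the original page). Names below are placeholders.
# Assumes an Azure PowerShell session and an Exchange Online PowerShell session.
$Policy = 'Contoso-EX-DEP'   # placeholder: name or GUID of the Exchange DEP
$Keys = @(
    @{ Vault = 'Contoso-CK-EX-NA-VaultA1'; Name = 'Contoso-CK-EX-NA-VaultA1-Key001' },
    @{ Vault = 'Contoso-CK-EX-NA-VaultA2'; Name = 'Contoso-CK-EX-NA-VaultA2-Key001' }
)

foreach ($k in $Keys) {
    # Same cmdlet, same vault and key name as the original creation:
    # this adds a new version; earlier versions stay in the version history.
    $new = Add-AzKeyVaultKey -VaultName $k.Vault -Name $k.Name -Destination HSM `
               -KeyOps @('wrapKey','unwrapKey')

    # Safety check: inactive mailboxes and backups may still be encrypted
    # under older versions, so every version must remain enabled.
    $versions = Get-AzKeyVaultKey -VaultName $k.Vault -Name $k.Name -IncludeVersions
    $disabled = $versions | Where-Object { -not $_.Enabled }
    if ($disabled) {
        throw "Disabled versions found for $($k.Vault)/$($k.Name): $($disabled.Version -join ', ')"
    }
    Write-Host "$($k.Name): new version $($new.Version); $($versions.Count) versions retained"
}

# Point Customer Key at the new versions. The DataEncryptionPolicyID does not change,
# so mailboxes keep the same policy assignment.
Set-DataEncryptionPolicy -Identity $Policy -Refresh

# Show the refreshed policy so the operator can review it.
Get-DataEncryptionPolicy -Identity $Policy
```

For a DEP used across multiple workloads, replace the refresh line with Set-M365DataAtRestEncryptionPolicy -Identity $Policy -Refresh; the key-vault part is unchanged.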

Use a newly generated key for your DEP

If you choose to use newly generated keys instead of updating existing ones, the process for updating your data encryption policies is different. Rather than refreshing an existing policy, you must create and assign a new data encryption policy that references the new key.

  1. To create a new key and add it to your key vault, follow the steps in Add a key to each key vault by either creating or importing a key.

  2. After adding the key to your key vault, create a new data encryption policy using the key URI of the newly generated key. For detailed instructions, see Manage Customer Key for Microsoft 365.

Update the keys for SharePoint and OneDrive

SharePoint supports rolling only one key at a time. If you plan to roll both keys in a key vault, wait for the first operation to finish before starting the second. To avoid conflicts, Microsoft recommends staggering your operations.

When you roll either of the Azure Key Vault keys associated with a data encryption policy (DEP) used with SharePoint and OneDrive, you must update the DEP to reference the new key. This process doesn't rotate the availability key.

  1. To roll a key for SharePoint and OneDrive, run the Update-SPODataEncryptionPolicy cmdlet:

    Update-SPODataEncryptionPolicy <SPOAdminSiteUrl> -KeyVaultName <ReplacementKeyVaultName> -KeyName <ReplacementKeyName> -KeyVersion <ReplacementKeyVersion> -KeyType <Primary | Secondary>

    This cmdlet starts the key roll operation, but the change doesn't take effect immediately.

  2. To update a SharePoint and OneDrive policy using keys stored in a Managed HSM, run the following command:

    Update-SPODataEncryptionPolicy <SPOAdminSiteUrl> -KeyVaultURL <ReplacementKeyVaultURL> -KeyName <ReplacementKeyName> -KeyVersion <ReplacementKeyVersion> -KeyType <Primary | Secondary>
  3. To check the progress of the key roll operation, run:

    Get-SPODataEncryptionPolicy <SPOAdminSiteUrl>
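The script below is an added example, not code from the original page or from Microsoft. It rolls the SharePoint and OneDrive primary key, polls Get-SPODataEncryptionPolicy until that roll has finished, and only then rolls the secondary key, which is the staggering the section above calls for. The admin URL, vault and key names are placeholders; the script assumes Connect-SPOService and Connect-AzAccount sessions exist, reads each key's current version from Azure Key Vault, and assumes (this is not confirmed by the page) that the policy object exposes a per-key status property that reads 'Rolling' while a roll is in progress.

```powershell
# Added example (not from the original page). Names are placeholders.
# ASSUMPTION: Get-SPODataEncryptionPolicy returns per-key status properties
# (named here PrimaryKeyStatus / SecondaryKeyStatus) whose value is 'Rolling'
# while a roll is in progress. Adjust $rollingValue and the Status names to
# match what your tenant actually returns before relying on this.
$adminUrl     = 'https://contoso-admin.sharepoint.com'   # placeholder
$rollingValue = 'Rolling'                                # assumed status value

function Wait-SPOKeyRoll {
    param([string]$AdminUrl, [string]$StatusProp, [int]$TimeoutMinutes = 120)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $dep = Get-SPODataEncryptionPolicy $AdminUrl
        if ($dep.$StatusProp -ne $rollingValue) { return $dep }   # roll finished
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "Key roll ($StatusProp) did not finish within $TimeoutMinutes minutes"
}

# Roll the primary first, then the secondary: SharePoint handles one roll at a time.
$rolls = @(
    @{ Type = 'Primary';   Vault = 'Contoso-CK-SPO-VaultA1'; Key = 'Contoso-CK-SPO-VaultA1-Key001'; Status = 'PrimaryKeyStatus' },
    @{ Type = 'Secondary'; Vault = 'Contoso-CK-SPO-VaultA2'; Key = 'Contoso-CK-SPO-VaultA2-Key001'; Status = 'SecondaryKeyStatus' }
)

foreach ($r in $rolls) {
    # Without -IncludeVersions, Get-AzKeyVaultKey returns the current (newest) version.
    $version = (Get-AzKeyVaultKey -VaultName $r.Vault -Name $r.Key).Version

    Update-SPODataEncryptionPolicy $adminUrl -KeyVaultName $r.Vault -KeyName $r.Key `
        -KeyVersion $version -KeyType $r.Type

    # The change is not immediate: block until the policy reports the roll complete.
    $null = Wait-SPOKeyRoll -AdminUrl $adminUrl -StatusProp $r.Status
    Write-Host "$($r.Type) key rolled to version $version"
}

# Final state for the operator to review.
Get-SPODataEncryptionPolicy $adminUrl
```

For keys in a Managed HSM, swap -KeyVaultName $r.Vault for -KeyVaultURL with the HSM URL, as in step 2 above.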