Microsoft Purview: eDiscovery - CMK (Customer managed key) for eDiscovery direct export

Introduction

To strengthen customer control over sensitive investigation data, Microsoft is extending Customer-managed key (CMK) protection to Microsoft Purview eDiscovery Direct Export. For tenants that have configured Data Encryption Policies (DEPs) using the Microsoft 365 Data-at-Rest Encryption Platform (MDEP), eDiscovery export packages will now be automatically encrypted using your organization’s CMK. This helps ensure exported investigation data remains protected under customer-controlled encryption policies throughout the export lifecycle, without changing the existing eDiscovery user experience.

This message is associated with Microsoft 365 Roadmap ID 557684.

When this will happen:

• Public Preview: We will begin rolling out early May 2026 and expect to complete by early June 2026.
• General Availability (Worldwide):  We will begin rolling out mid-June 2026 and expect to complete by mid-July 2026.

How this affects your organization:

Who is affected:

• Microsoft 365 tenants with Customer-managed keys enabled through Data Encryption Policies (DEPs), and request that Microsoft Support enable this feature for Purview eDiscovery Direct Export in their tenant
• Admins and investigators using Microsoft Purview eDiscovery Direct Export

What will happen:

• eDiscovery Direct Export packages for CMK‑enabled tenants will be encrypted at rest using tenant‑owned keys.
• Encryption is applied automatically based on existing DEP configuration.
• CMK configuration is dynamically validated through MDEP at export time.
• No change to the eDiscovery user experience.
• Only enabled for specific tenants by request to Microsoft Support 

What you can do to prepare:

To use CMK encryption for eDiscovery Direct Export, your organization must complete the following steps:

1. Configure Customer Key (self-service) Your Microsoft 365 administrator must have Customer Key enabled through the Microsoft 365 Data-at-Rest Encryption Platform (MDEP) with a DEP in PolicyAssigned status.
• This requires:
  • Two Azure subscriptions dedicated to Customer Key
  • Azure Key Vault(s) with RSA keys provisioned
  • A DEP created and assigned to your tenant
  • Follow the setup guidance here: Create two new Azure subscriptions | Microsoft Learn
2. Request feature enablement (contact Microsoft Support)
   • After Customer Key is configured, your organization must contact Microsoft Support to request that CMK for eDiscovery Direct Export be enabled for your tenant. This feature requires Microsoft-side service configuration that is not automatically applied. Work with your Microsoft Support contact or Customer Success Account Manager (CSAM) to complete enablement.

Important:

• If your tenant does not have CMK properly configured through MDEP at export time, direct export jobs will proceed without CMK encryption.
• No changes to the eDiscovery user experience are required — CMK encryption is applied transparently to export packages.
• Encryption scopes, storage accounts, and containers are managed automatically by the service; no additional storage configuration is needed.
• Exported data retention remains 14 days, unchanged by CMK.

Learn more: Export search results in eDiscovery | Microsoft Learn

Compliance considerations: