Services
Affected Platforms
Summary
Microsoft 365 Apps users can now use Double Key Encryption (DKE) to protect sensitive content. DKE ensures that only the user can decrypt protected content. Sensitivity labels configured with DKE are available for use in Word, Excel, PowerPoint, and Outlook. General availability is scheduled for mid-August 2023 for the Current channel and mid-September 2023 for the Monthly Enterprise channel. Organizations that have enabled co-authoring for files encrypted with sensitivity labels can now deploy DKE labels. Users can benefit from M365's collaboration tools even if some of their documents require DKE content. Organizations already using DKE with the Azure Information Protection add-in can enable co-authoring for encrypted files and plan their migration to the built-in labeling client before the add-in is retired in April 2024.
Details
Updated March 15, 2024: We have updated the rollout timeline below. Thank you for your patience.
To protect your most sensitive content, users of Microsoft 365 Apps can now use Double Key Encryption (DKE) for files and emails using the built-in labeling client. With DKE, Microsoft stores one key in Microsoft Azure and you hold the other key, ensuring that only you can ever decrypt protected content, under all circumstances. Sensitivity labels configured with DKE in Microsoft Purview Compliance Portal are now available for users in Word, Excel, PowerPoint, and Outlook to publish or consume content protected with DKE.
This message is associated with Microsoft 365 Roadmap ID 124984
When this will happen:
General availability:
- Current channel available mid-August 2023
- Monthly Enterprise channel available mid-September 2023
- Semi Annual Enterprise Channel late March 2024 (previously mid-February)
How this will affect your organization:
Users who have sensitivity labels configured with DKE will be able to publish and consume DKE-protected content using the built-in labeling client in Word, Excel, PowerPoint, and Outlook.
With this update, organizations that have also enabled "co-authoring for files encrypted with sensitivity labels" can now deploy DKE labels in the same tenant, allowing users to benefit from M365's collaboration tools even if some of your users require DKE content for some of their documents.
What you need to do to prepare:
If you're already using DKE with the Azure Information Protection (AIP) add-in, you can now enable co-authoring for encrypted files and start planning your migration to the built-in labeling client before the add-in is retired in April 2024 (https://aka.ms/AIP2MIP/RetireAddin).
If you've been considering DKE for your organization, now is the time to plan for DKE in your environment using the built-in labeling client instead of attempting to deploy it through the AIP Add-in. (https://aka.ms/AIP2MIP/HowTo/GetStarted)