Applies to: Azure Information Protection, Office 365
Depending on your tenant key topology (Microsoft-managed or customer-managed), you have different levels of control and responsibility for your Azure Information Protection tenant key after it is implemented.
When you manage your own tenant key in Azure Key Vault, this is often referred to as bring your own key (BYOK). For more information about this scenario and how to choose between the two tenant key topologies, see Planning and implementing your Azure Rights Management tenant key.
The following table identifies which operations you can do, depending on the topology that you’ve chosen for your Azure Information Protection tenant key.
| Lifecycle operation | Microsoft-managed (default) | Customer-managed (BYOK) |
|---|---|---|
| Revoke your tenant key | No (automatic) | Yes |
| Rekey your tenant key | Yes | Yes |
| Backup and recover your tenant key | No | Yes |
| Export your tenant key | Yes | No |
| Respond to a breach | Yes | Yes |
After you have identified which topology you have implemented, select one of the following for more information about these operations for your Azure Information Protection tenant key:
However, if you want to create an Azure Information Protection tenant key by importing a trusted publishing domain (TPD) from Active Directory Rights Management Services, this import operation is part of the migration from AD RMS to Azure Information Protection.