Managing Dynamics 365 Online Encryption Key

Today, when I navigated to edit one of the Dynamics 365 Online instances, I noticed a new section that is available on my trial instance: “database encryption settings”.

So, what can you do with this shiny new feature?

Based on the official documentation for this feature from Microsoft: https://technet.microsoft.com/en-us/library/mt492471.aspx

The manage keys feature lets you perform the following tasks.

  • Enable the ability to self-manage database encryption keys that are associated with Dynamics 365 (online) instances.
  • Generate new encryption keys or upload existing .PFX or .BYOK encryption key files.
  • Lock a Dynamics 365 (online) instance.
    Caution
    You should never lock an instance as part of your normal business process. While a Dynamics 365 (online) instance is locked it takes the instance completely offline and it cannot be accessed by anyone, including Microsoft. Additionally, services such as synchronization and maintenance are all stopped. An appropriate reason why you would lock an instance is when you move your database from online to on-premises. Locking the instance can make sure that your online data is never accessed again by anyone.

    A locked instance can’t be restored from backup.

  • Unlock a Dynamics 365 (online) instance. To unlock a locked instance of Dynamics 365 (online), you must upload the encryption key that was used to lock it. While a Dynamics 365 (online) instance is locked, it cannot be accessed by anyone.

 

One of the common requests when I’m implementing a Dynamics 365 (CRM) deployment is the question around security & encryption. One of the common asks is whether the platform allows a customer-supplied encryption key or not. In the past, my answer was NO. It was all under Microsoft’s managed encryption key.

With this feature being made available, the answer is YES!

Read through the TechNet article above for more details of this new feature and considerations when you are implementing this BYOK 🙂

HTH!