Getting started with tenant root keys

Note

Are you looking for Microsoft Information Protection? The Azure Information Protection unified labeling client is currently in maintenance mode. We recommend enabling Microsoft Information Protection's built-in labeling for your Office 365 applications. Learn more.

After planning, creating, and configuring your tenant key as needed, continue with the following steps:

For more information about the life-cycle operations supported for your tenant key, see Operations for your Azure Information Protection tenant key.

If your organization requires on-premises protection for highly sensitive content, configure DKE protection (unified labeling client only).

Start using your tenant key

Activate the Rights Management service if it's not yet activated, to enable your organization to start using Azure Information Protection. Users immediately start to use your tenant key.

For more information, see Activating the protection service from Azure Information Protection.

Note

If you decided to manage your own tenant key after the Rights Management service was activated, users are gradually transitioned from the old key to the new key over the course of a few weeks.

During this transition, documents and files that were protected with the old tenant key remain accessible to authorized users.

Consider usage logging

Usage logging logs every transaction that the Azure Rights Management service performs.

Depending on your key management method, logging information may include details about your tenant key. The following image shows an example from a log file displayed in Excel, where the KeyVaultDecryptRequest and KeyVaultSignRequest request types show that the tenant key is being used.

log file in Excel where tenant key is being used

For more information about usage logging, see Logging and analyzing the protection usage from Azure Information Protection.