Operations for your Azure Information Protection tenant key
Are you looking for Microsoft Information Protection? The Azure Information Protection unified labeling client is currently in maintenance mode. We recommend enabling Microsoft Information Protection's built-in labeling for your Office 365 applications. Learn more.
Depending on your tenant key topology for Azure Information Protection, you have different levels of control and responsibility for your Azure Information Protection tenant key. The two key topologies are Microsoft-managed and customer-managed.
When you manage your own tenant key in Azure Key Vault, this is often referred to as bring your own key (BYOK). For more information about this scenario and how to choose between the two tenant key topologies, see Planning and implementing your Azure Information Protection tenant key.
The following table identifies the operations that you can do, depending on the topology that you’ve chosen for your Azure Information Protection tenant key.
|Life cycle operation||Microsoft-managed (default)||Customer-managed (BYOK)|
|Revoke your tenant key||No (automatic)||Yes|
|Rekey your tenant key||Yes||Yes|
|Backup and recover your tenant key||No||Yes|
|Export your tenant key||Yes||No|
|Respond to a breach||Yes||Yes|
After you have identified which topology you have implemented, select one of the following links for more information about these operations for your Azure Information Protection tenant key: