Microsoft 365 Double Key Encryption(DKE)

On 7/21/2020, Microsoft released a new encryption which is going to help in securing mission critical data. This is a major breakthrough in the Microsoft security world. We have been using Microsoft Azure Information Protection and this will add another label. However it is not that simple to create the label for Double Key Encryption (DKE) because you need to create an app.

What is Double Key Encryption?

Microsoft 365 provides built-in data protection by encrypting customer office 365 data, both while keeping and in transitioning. For addition protection, we encrypt the data at the application layer and provide flexible key management solutions. Double Key Encryption helps organizations protect the mission-critical and highly sensitive data ((e.g., trade secrets, patents, and financial algorithms) while keeping full control of your encryption key. It uses two keys to protect the data, first key in customer control, and the second key is stored in Microsoft Azure. Both of the keys will be required to view data protected with Double Key Encryption. Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security. So, in a nutshell, even Microsoft (provider) with admin privileges can’t access the data or open the backdoors.

Double Key Encryption
will be
used in Public Sector, Defense, CJIS Orgs, Financials, and Medical organizations.
We know many organizations had
security concerns on keeping the data in Microsoft cloud with the concern of Encryption key is still with Microsoft.
Now these organizations can move these documents to Microsoft cloud and encrypt the documents with
“Double Key Encryption”. We can see a huge adoption of Double Key Encryption” in the
Public Sector, Defense, CJIS Orgs, Financials, and Medical

Double Key Encryption allows us to store the data & key in the same location and help meet regulatory requirements across several regulations and standards such for example General Data GDPR, HIPAA, GLBA, Russia’s data localization law – Federal Law No. 242-FZ, Australia’s Federal Privacy Act 1988, and New Zealand’s Privacy Act 1993.

Where will it show up?

If you configure today then it will show in the preview and it will show up right below under “Assign permissions to specific users and groups.”

Wait a minute. I guess many of us went ahead to create a label, and found it missing.

You will not find this option yet.

We need to follow the steps mentioned in the below mentioned blog to enable “Double Key Encryption”.

When deployed the Double Key Encryption, we had to follow the YouTube video by Kevin McKinnerney who does not exist in the public networking as LinkedIn and twitter.

Overall here are the simple steps are mentioned below:

  • Create and Configure Azure App.

  • Register and Configure then app in the Azure Active Directory.

  • Configure Sensitivity label in Security and Compliance Admin center.

  • Publish Sensitivity label.

On the clients configure the following:

  • Install Office 365 Proplus insider version (CurrentPreview) which should be version *.12711 or later.

  • Configure following registry key.





DKE only supports Word, Excel, and PowerPoint. No support for OneNote and outlook emails.

Here is how it will look like.

For all queries contact us at or schedule a call at

Best Regards,
Prabhat Nigam
CEO at LAEXUG Foundation 
CTO at Golden Five Consulting

CTO @ Golden Five | CEO at LAExUG Foundation

Prabhat is 3 times Microsoft MVP Award winner. He is MBA in Information Technology and he is working as a CTO at Golden Five Consulting which is a Microsoft Gold Partner, MSP, T1CSP, and Education partner. He helps in designing, implementing, managing and supporting solutions for private messaging cloud, mergers, a collaboration between different messaging software and other migration & deployment projects for the following technologies Office 365, Azure, AWS, Exchange, SQL, ADFS, MFA, FIM, MIM and Directory services. He has worked for all big IT giants either as an employee or contractor where he has led the Global teams. He has started his career as Technical Consultant in Exchange 5.5 with Microsoft PSS and his exchange love never stopped & continued with 2000/2003/2007/2010/2013/2016/2019/O365. At one point in time, he was the only person to support EDS customers when Microsoft had closed all the supports for 5.5 and now for all old legacy Exchange versions.
He used to blog at, manages multiple LinkedIn and Facebook Groups. He also Owns MSExchnageGuru YouTube channel where he uploads all his records technical sessions. Don’t forget to check his PowerShell scripts which are making admins life easier. Prabhat can be reached at

Leave Comment

Your email address will not be published. Required fields are marked *