MC1289726 - Microsoft Purview: eDiscovery - CMK (Customer managed key) for eDiscovery direct export

Service

Microsoft Purview

Published

Apr 23, 2026

Tag

New feature
Admin impact

Platforms

Web

Summary

Microsoft Purview eDiscovery Direct Export will support Customer-managed key (CMK) encryption for tenants with Data Encryption Policies via MDEP. Starting May 2026, export packages will be automatically encrypted with tenant-owned keys without changing the user experience. Enablement requires Microsoft Support assistance and proper CMK setup.

More information

Introduction

To strengthen customer control over sensitive investigation data, Microsoft is extending Customer-managed key (CMK) protection to Microsoft Purview eDiscovery Direct Export. For tenants that have configured Data Encryption Policies (DEPs) using the Microsoft 365 Data-at-Rest Encryption Platform (MDEP), eDiscovery export packages will now be automatically encrypted using your organization’s CMK. This helps ensure exported investigation data remains protected under customer-controlled encryption policies throughout the export lifecycle, without changing the existing eDiscovery user experience.

This message is associated with Microsoft 365 Roadmap ID 557684.

When this will happen:

  • Public Preview: We will begin rolling out early May 2026 and expect to complete by early June 2026.
  • General Availability (Worldwide): We will begin rolling out mid-June 2026 and expect to complete by mid-July 2026.

How this affects your organization:

Who is affected:

  • Microsoft 365 tenants that have Customer-managed keys enabled through Data Encryption Policies (DEPs) and that request that Microsoft Support enable this feature for Purview eDiscovery Direct Export in their tenant
  • Admins and investigators using Microsoft Purview eDiscovery Direct Export

What will happen:

  • eDiscovery Direct Export packages for CMK‑enabled tenants will be encrypted at rest using tenant‑owned keys.
  • Encryption is applied automatically based on existing DEP configuration.
  • CMK configuration is dynamically validated through MDEP at export time.
  • No change to the eDiscovery user experience.
  • The feature is enabled only for specific tenants, by request to Microsoft Support.

What you can do to prepare:

To use CMK encryption for eDiscovery Direct Export, your organization must complete the following steps:

  1. Configure Customer Key (self-service)
    • Your Microsoft 365 administrator must have Customer Key enabled through the Microsoft 365 Data-at-Rest Encryption Platform (MDEP) with a DEP in PolicyAssigned status.
  2. Request feature enablement (contact Microsoft Support)
    • After Customer Key is configured, your organization must contact Microsoft Support to request that CMK for eDiscovery Direct Export be enabled for your tenant. This feature requires Microsoft-side service configuration that is not automatically applied. Work with your Microsoft Support contact or Customer Success Account Manager (CSAM) to complete enablement.

Important:

  • If your tenant does not have CMK properly configured through MDEP at export time, direct export jobs will proceed without CMK encryption.
  • No changes to the eDiscovery user experience are required — CMK encryption is applied transparently to export packages.
  • Encryption scopes, storage accounts, and containers are managed automatically by the service; no additional storage configuration is needed.
  • Exported data retention remains 14 days, unchanged by CMK.

Learn more: Export search results in eDiscovery | Microsoft Learn

Compliance considerations:

| Compliance area | Impact |
| --- | --- |
| Encryption methods or key management | eDiscovery Direct Export packages are encrypted at rest using tenant‑owned customer‑managed keys defined in Data Encryption Policies through MDEP. |
| eDiscovery or Content Search | Direct Export behavior is enhanced to automatically apply tenant‑specific encryption scopes to exported investigation data. |
| How customer data is processed or stored | Exported investigation data is stored in eDiscovery storage accounts encrypted with customer‑managed keys rather than Microsoft‑managed keys. |
| Admin controls | Behavior is governed by existing Data Encryption Policies; no new toggle is introduced, but encryption is controlled through CMK configuration. |