
Configure customer-managed encryption keys

Customers might have data privacy and compliance requirements to secure their data by encrypting their data at rest. This method ensures data is protected from bad actors, even if the storage is compromised, because the bad actors can't get access to the data without the encryption key.

All customer data stored in Copilot Studio is encrypted at rest with strong Microsoft-managed encryption keys by default. Microsoft stores and manages the database encryption key for all your data, so you don't have to. However, Power Platform provides an option to use a customer-managed encryption key (CMK) for added data protection control. You can self-manage the database encryption key that is associated with your Microsoft environment. This capability allows you to rotate or swap the encryption key, and prevents Microsoft from having access to your customer data when you revoke key access to our services.

Copilot Studio supports CMK, which lets customers control access to their data within Copilot Studio. We support the standard Power Platform implementation, and customers don't need to do anything specific to enable CMK for Copilot Studio. Power Platform supports CMK for Managed Environments only.

Enable CMK for Copilot Studio

Copilot Studio supports the Power Platform implementation of CMK. For more information, see Manage your customer-managed encryption key. When CMK is turned on for the Copilot Studio environment, all Copilot Studio data is encrypted using the customer's key. The customer can cycle keys or turn off CMK as needed.

Important

  • Data within environments that already had CMK turned on before April 7, 2025 continues to use Microsoft-managed keys for encryption. To use CMK in environments that had CMK turned on before that date, turn off CMK and then turn it on again.

  • Once CMK is turned on, all future changes and data are encrypted using the customer's key. Any previously persisted data continues to use the Microsoft-managed keys for encryption.

  • Microsoft recommends that you test CMK support for Copilot Studio in a new test environment, and not in a production environment, especially not in an environment with live customer traffic.

Maker and agent user experience when CMK is applied

Copilot Studio is integrated within Power Platform CMK processes. When CMK is first turned on in Power Platform, it can take up to 48 hours to fully activate, which means Copilot Studio services aren't available until activation is complete.

Data covered by CMK

CMK applies to the following Copilot Studio data:

  • All data in agent definitions
  • Published snapshots of agent definitions
  • Agent telemetry
  • Agent user conversations

Note

CMK doesn't apply to agents built in Microsoft 365 Copilot, because they're not tied to an environment.