Customers might have data privacy and compliance requirements to secure their data by encrypting it at rest. Encryption at rest protects data from malicious actors even if the storage is compromised, because they can't access the data without the encryption key.
All customer data stored in Copilot Studio is encrypted at rest with strong Microsoft-managed encryption keys by default. Microsoft stores and manages the database encryption key for all your data, so you don't have to. However, Power Platform provides an option to use a customer-managed encryption key (CMK) for added data protection control. You can self-manage the database encryption key that is associated with your Microsoft environment. This capability allows you to rotate or swap the encryption key on demand, and to prevent Microsoft from accessing your customer data by revoking key access to our services at any time.
Copilot Studio supports CMK, which lets customers control access to their data within Copilot Studio. We support the standard Power Platform implementation, and customers don't need to do anything specific to enable CMK for Copilot Studio. Power Platform only allows Managed Environments to be enabled for CMK.
Enable CMK for Copilot Studio
Copilot Studio supports the Power Platform implementation of CMK. For more information, see Manage your customer-managed encryption key. When CMK is turned on for the Copilot Studio environment, all Copilot Studio data is encrypted using the customer's key. The customer can cycle keys or turn off CMK as needed.
Important
Data within environments that already had CMK turned on before April 7, 2025 continues to use Microsoft-managed keys for encryption. To use CMK in environments that had CMK turned on prior to that date, remove CMK and then turn it on again.
Once CMK is turned on, all future changes and data are encrypted using the customer's key. Any previously persisted data continues to use the Microsoft-managed keys for encryption.
Microsoft recommends that you test CMK support for Copilot Studio in a new test environment, and not in a production environment, especially not in an environment with live customer traffic.
Maker and agent user experience when CMK is applied
Copilot Studio is integrated within Power Platform CMK processes. When CMK is first turned on in Power Platform, it can take up to 48 hours to fully activate, which means Copilot Studio services aren't available until activation is complete.
Data covered by CMK
The following Copilot Studio data is included in CMK:
- All data in the agent definition
- Published snapshots of the agent definition
- Agent telemetry
- Agent user conversations
Note
Agent Builder agents aren't covered by CMK, because they're not tied to an environment.