Encryption

Encryption is a mechanism that's used to protect information from unauthorized access. Microsoft 365 implements several encryption technologies across the platform. Encryption is enforced for data in two core states:

  • At rest: Data that is stored in the service. This includes files and documents uploaded to OneDrive, SharePoint, and Teams, as well as email content. Data at rest is protected through the use of BitLocker, Distributed Key Manager (DKM), and Customer Key for Office 365. Depending on the service, data may also be stored in blob storage, with each chunk being encrypted using the Key Store.
  • In transit: Data that is being transferred between clients and services, as well as between different endpoints within the service and data centers. Data in transit is protected via Transport Layer Security (TLS) and IPSec. TLS is typically used to secure application-layer traffic between clients and services, while IPSec is used to secure the underlying physical or logical networking connections.

In addition to the built-in encryption technologies, customers can also apply unique content encryption to files and email messages using the Azure Information Protection client. Not only does Azure Information Protection provide data classification services, as we described earlier, but it can also be used to encrypt content at the file or document level.

The following diagram depicts how Azure Information Protection encryption works:

Customers in highly regulated industries may be required to control the encryption keys that are used in the service. To accomplish this, organizations may use the Customer Key service, which allows them to manage the key life cycle and can be used to encrypt data in the following services:

  • Exchange Online, including Skype for Business Online and Microsoft Teams data stored in user mailboxes
  • Files stored in OneDrive and SharePoint Online

Setting up the Customer Key service requires additional Azure services, such as Key Vault, as well as further considerations that are out of the scope of this book. You can learn more about Customer Key here: https://docs.microsoft.com/en-us/microsoft-365/compliance/controlling-your-data-using-customer-key.
