Using Data Security Manager with DKE for Microsoft 365

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Microsoft 365 Double Key Encryption (DKE). It also contains the information that a user needs to:

  • Create Encryption Key in Fortanix DSM.
  • Configure and deploy the DKE Service in Microsoft Azure/IIS.
  • Create Sensitivity label with DKE encryption enabled in Microsoft 365 account.
  • Use Double Key Encryption labels to protect data.

2.0 Prerequisites

  • A Fortanix DSM Account.
  • Access to the following services in the Microsoft Azure Portal:
    • App Services (if deploying DKE service on Azure)
    • Active Directory
    • App Registration
  • Microsoft Compliance Centre
  • For Microsoft (MS) Office end-user: Microsoft 365 Apps for enterprise version 2009 or later installed on your Windows desktop.
    • Make sure the Microsoft Active Directory Rights Management Services Client file msipc.dll is installed at one of these locations.
      • C:\Program Files (x86)\Microsoft Office\root\Office16\MSIPC
      • C:\Program Files\Microsoft Office\root\Office16\MSIPC
    • If not present, try reinstalling MS Office.

3.0 Configuring Fortanix Data Security Manager

  1. Sign up at
  2. Log in to the Fortanix DSM UI.
  3. Click the Integrations tab in the left panel.
  4. On the Integrations page, click ADD INSTANCE on the Microsoft DKE wizard. An instance configured in Fortanix DSM maps to your Microsoft account and provides encryption to your entire Microsoft office account. The generated API key would be required while deploying the Microsoft DKE Service.
  5. Enter the Instance Name to identify the instance created. Note that the instance name must be unique or else it would display an error message, "Microsoft DKE instance with this name already exists".
  6. Click SAVE INSTANCE. Saving the instance creates a group (nomenclature: microsoftDKE_Group_instancename), an application, and an RSA key (nomenclature: microsoftDKE_Key_Instancename) under the group. An API key is used to authenticate the application.
  7. You can view all the instances by clicking View all on the Microsoft DKE wizard.
  8. In the detailed view of the instances:
    1. Note down the API Key. This is required while deploying the DKE Service. To copy the API Key, click COPY API KEY.
    2. To manage operations on the RSA key, click MANAGE.
    3. By default, the instance created is in an ‘Enabled’ state. To disable the instance, click the Disable toggle.

4.0 Deploy DKE Service

A Double Key Encryption Service must be deployed; it exposes the external key for use by Microsoft 365 services. Microsoft provides sample DKE Service code that works with a local encryption key file.

The Fortanix provided DKE Service is enhanced to add support for the Fortanix DSM Keys. This now provides encryption keys and offloads decryption operations to Fortanix DSM, instead of operating on local key files.

The DKE service can be easily installed as Azure App Service or on your on-premises IIS Server.

4.1 Deploy on IIS

  1. Download the DKE Service deployment bundle from here
  2. Unzip this zip file into the IIS wwwroot folder. For example: C:\inetpub\wwwroot\AspNetCore46
    1. Edit the appsettings.json file and add configurations as per Section 4.3.
    2. Load your application.

Make sure that the IIS deployment is accessible over the internet to your Microsoft Office end-users, because Microsoft 365 Apps access the DKE Service directly for key access and decryption.

4.2 Deploy on Azure APP Service

  1. Download the DKE Service deployment bundle as explained in Step 1 of Section 4.1.
  2. Unzip the zip file locally into a temporary folder. Edit the appsettings.json file and add configurations as per Section 4.3. Zip the folder again. The zipped file is required while installing DKE Service in Section 4.2.1.
  3. In your browser, log in to the Microsoft Azure portal and go to App Services > Create.
  4. In the Create Web App form:
    1. Select your subscription and resource group and define your instance details.
    2. Enter the Name which will form the DKE Service endpoint.
    3. For the Publish field, select Code.
    4. For the Runtime stack field, select .NET Core 3.1 (LTS).
    5. Click Review + create to go to the Review + create tab, and then select Create to deploy your web application.
      Figure 1: Create web app

4.2.1 Publish Code

After the Web App is created, the actual DKE Service can be installed by uploading the DKE service artifact zip file as follows:

  1. Go to "https://<WebAppName>". For example: .
  2. Drag and drop the DKE service zip file as per Step 2 of Section 4.2.

4.3 Configure DKE Service

The DKE service requires a few configurations to be set up as explained in the sections below. Set the deployment configuration in the file appsettings.json as follows:

4.3.1 Tenant ID

  1. Edit the section ValidIssuers and update the value:

    where <tenantid> is the Azure Active Directory tenant ID. For example:
"AzureAd": {
  "Instance": "",
  "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
  "TenantId": "common",
  "Authority": "",
  "TokenValidationParameters": {
    "ValidIssuers": [

4.3.2 JWT Audience

  1. Edit the section JwtAudience with the endpoint of the IIS server or the Azure App Service endpoint. For example:
"JwtAudience" : ""

4.3.3 DSM API Endpoint

  1. Edit the section FortanixDSMConfig:ApiEndpoint with the endpoint of the Fortanix DSM cluster. For example:
"FortanixDSMConfig": {
    "ApiEndpoint": ""

4.3.4 DSM API Key

  1. Edit the section FortanixDSMConfig:ApiKey with the authentication DSM API Key copied from Section 4. For example:
"FortanixDSMConfig": {
   "ApiKey": "BJ0oijJYHYU78h6g...05KGkh84GJLK"

4.3.5 Authorized Email Addresses

This is an optional configuration.
  1. Add section AuthorizedEmailAddress with the list of specific users allowed to use Fortanix DSM keys for decryption. If this is empty or not present, then all the users from your Azure AD tenant are allowed access. For example:
"AuthorizedEmailAddress": ["", ""]

4.3.6 Final Configuration

The following JSON is an example of the final appsettings.json file:

{
  "AzureAd": {
    "Instance": "",
    "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
    "TenantId": "common",
    "Authority": "",
    "TokenValidationParameters": {
      "ValidIssuers": [""]
    }
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information"
    },
    "EventLog": {
      "LogLevel": {
        "Default": "Information"
      }
    }
  },
  "AllowedHosts": "*",
  "JwtAuthorization": "",
  "JwtAudience": "",
  "AuthorizedEmailAddress": ["", ""],
  "FortanixDSMConfig": {
    "ApiEndpoint": "",
    "ApiKey": "BJ0oijJY...0kh84GJLK"
  }
}
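A small pre-flight check for the appsettings.json values described in Section 4.3, written for this article as an added example (it is not Fortanix's or Microsoft's code). It assumes the issuer URL form "https://sts.windows.net/<tenantid>/" from Microsoft's Azure AD documentation (this article only says the ValidIssuers value contains the tenant ID), that the AuthorizedEmailAddress match is case-insensitive, and uses constructed placeholder values throughout.

```python
import json

# Constructed sample appsettings.json (placeholder values, not a real deployment).
# The issuer form "https://sts.windows.net/<tenantid>/" is assumed from Microsoft's
# Azure AD docs; the article itself only says the value contains <tenantid>.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_APPSETTINGS = """{
  "AzureAd": {"TokenValidationParameters": {
      "ValidIssuers": ["https://sts.windows.net/11111111-2222-3333-4444-555555555555/"]}},
  "JwtAudience": "https://dke.example.com",
  "AuthorizedEmailAddress": ["alice@example.com", "Bob@Example.com"],
  "FortanixDSMConfig": {"ApiEndpoint": "https://dsm.example.com",
                        "ApiKey": "PLACEHOLDER_API_KEY"}
}"""

def lookup(cfg, path):
    """Fetch a nested value using the 'Section:Key' notation the article uses."""
    cur = cfg
    for part in path.split(":"):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def preflight(cfg, tenant_id):
    """Return the problems a deployer should fix before publishing the service."""
    problems = []
    issuers = lookup(cfg, "AzureAd:TokenValidationParameters:ValidIssuers") or []
    if not any(tenant_id in issuer for issuer in issuers):
        problems.append("ValidIssuers does not name the tenant ID")
    for key in ("JwtAudience", "FortanixDSMConfig:ApiEndpoint"):
        val = lookup(cfg, key)
        if not (isinstance(val, str) and val.startswith("https://")):
            problems.append(f"{key} must be an https:// URL")
    api_key = lookup(cfg, "FortanixDSMConfig:ApiKey")
    if not api_key or "PLACEHOLDER" in api_key:
        problems.append("FortanixDSMConfig:ApiKey is not set to the DSM API key")
    return problems

def is_authorized(cfg, email):
    """Section 4.3.5 rule: an empty or absent list admits every tenant user.
    Case-insensitive comparison is an assumption, not stated by the article."""
    allowed = cfg.get("AuthorizedEmailAddress") or []
    if not allowed:
        return True
    return email.lower() in {a.lower() for a in allowed}

CFG = json.loads(SAMPLE_APPSETTINGS)

if __name__ == "__main__":
    for problem in preflight(CFG, TENANT_ID):
        print("FIX:", problem)
    print(is_authorized(CFG, "ALICE@example.com"), is_authorized(CFG, "carol@example.com"))
```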

4.4 Register DKE APP in Azure AD

The deployed DKE Service must be registered for Microsoft 365 access. This registration allows Microsoft apps to generate authentication tokens for the DKE service.

  1. In your browser, open the Microsoft Azure portal, and go to All Services > Other > App registrations.
  2. Select New registration and enter a meaningful name.
  3. Select an account type from the options displayed (usually the value to select is "Single tenant").
    Figure 2: Register application
  4. At the bottom of the page, select Register to create the new App Registration.
  5. In your new App Registration, in the left pane, under Manage, select Authentication.
  6. In the Platform configurations, click Add a platform.
    Figure 3: Add a platform
  7. On the Configure platforms popup, select Web.
    Figure 4: Configure a web
  8. In the Configure Web form:
    1. Under Redirect URIs, enter the URL of your DKE Service endpoint. For example:
    2. Under Implicit grant and hybrid flows, select the ID tokens check box.
    3. Click Configure to save your changes.
  9. On the left pane of App registrations, select Expose an API.
  10. On the Expose an API page, to set the Application ID URI, click Set.
    1. Enter the DKE Service endpoint URL, for example: . Then click Save.
  11. In the Scopes defined by this API section, select Add a scope.
  12. In the Add a scope form:
    1. Define the Scope name as user_impersonation.
    2. Select the administrators and users who can consent.
    3. Define any remaining values required.
    4. Click Add scope to save your changes.
      Figure 5: Add a scope
  13. On the Expose an API page, in the Authorized client applications section, select Add a client application. In the new client application:
    1. Define the Client ID as d3590ed6-52b3-4102-aeff-aad2292ab01c (use this exact value). This value is the Microsoft Office client ID, which enables Microsoft Office to obtain an access token for the DKE Service.
    2. Under Authorized scopes, select the user_impersonation scope.
    3. Click Add application to save your changes.
      Figure 6: Add a client application
  14. Repeat the above steps for another Client ID as c00e9d32-3c8d-4a7d-832b-029040e7db99 (Use this exact value). This value is the client ID for Microsoft Azure Information Protection Client.

Your DKE service is now registered. Continue by creating sensitivity labels using DKE.

4.5 Create Sensitivity Labels Using DKE

In the Microsoft 365 compliance center:

  1. Create a new sensitivity label and apply encryption as you would otherwise.
  2. Select Use Double Key Encryption and enter the endpoint URL for your key. For example:
    where MicrosoftDKEServiceKey is the name of the Fortanix DSM key created in Section 4.0.
    Figure 7: New sensitivity label

Any DKE labels that you add will start appearing for users in the latest versions of Microsoft 365 Apps for enterprise.
Now you can apply these labels to Microsoft documents. Once a label is applied, the document is kept encrypted using Fortanix DSM keys.

5.0 References

  1. Double Key Encryption for Microsoft 365:
  2. Double Key Encryption Troubleshooting guide by Microsoft:
  3. Fortanix DSM Getting started:

