1656 - How to revert your company KMS to CyberSentriq-managed KMS

Modified on Fri, 17 Apr at 8:58 AM

This article shows you how to revert your company from customer-managed encryption (e.g. Azure Key Vault) to CyberSentriq-managed encryption. This is as significant a change as the original switch, so CyberSentriq needs to re-verify every tenant first.


Before you begin

What your IT admin needs to prepare

You will not need to re-grant consent or change any IAM settings. CyberSentriq already has the access it needs to move the encryption once more. 

Plan ahead for what happens to your KMS (e.g. Azure Key Vault) key after the revert. Once CyberSentriq has moved your encryption back to CyberSentriq-managed, that key is no longer used by CyberSentriq — you can keep it, disable it, or delete it per your own retention policy. Do not disable or delete this key before the revert completes as this will cause the final step to fail.
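
A pre-flight check for the key state described above, as an added example (not CyberSentriq tooling or part of the original article). It reads the JSON printed by `aws kms describe-key --key-id <key>` or `az keyvault key show --vault-name <vault> --name <key>` and lists anything that would make the key unusable; the sample inputs are constructed, and the function names are hypothetical.

```python
import json
from datetime import datetime, timezone

def _ts(value):
    """Parse an ISO-8601 timestamp; treat a naive value as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def aws_key_problems(describe_key_json):
    """Check the JSON printed by `aws kms describe-key --key-id <key>`."""
    meta = json.loads(describe_key_json)["KeyMetadata"]
    problems = []
    if meta.get("KeyState") != "Enabled":
        problems.append(f"KeyState is {meta.get('KeyState')}, expected Enabled")
    if meta.get("DeletionDate"):
        problems.append(f"deletion scheduled for {meta['DeletionDate']}")
    return problems

def azure_key_problems(key_show_json, now=None):
    """Check the JSON printed by `az keyvault key show` for the key."""
    attrs = json.loads(key_show_json)["attributes"]
    now = now or datetime.now(timezone.utc)
    problems = []
    if not attrs.get("enabled"):
        problems.append("key is disabled")
    if attrs.get("expires") and _ts(attrs["expires"]) <= now:
        problems.append(f"key expired at {attrs['expires']}")
    if attrs.get("notBefore") and _ts(attrs["notBefore"]) > now:
        problems.append(f"key not valid before {attrs['notBefore']}")
    return problems

# Constructed sample CLI outputs (not real keys or vaults).
AWS_OK = '{"KeyMetadata": {"KeyId": "constructed-key-id", "KeyState": "Enabled"}}'
AWS_PENDING = ('{"KeyMetadata": {"KeyId": "constructed-key-id", '
               '"KeyState": "PendingDeletion", '
               '"DeletionDate": "2030-01-15T00:00:00+00:00"}}')
AZURE_OK = '{"attributes": {"enabled": true, "expires": null, "notBefore": null}}'
AZURE_DISABLED = '{"attributes": {"enabled": false, "expires": null, "notBefore": null}}'

if __name__ == "__main__":
    checks = [("AWS_OK", aws_key_problems(AWS_OK)),
              ("AWS_PENDING", aws_key_problems(AWS_PENDING)),
              ("AZURE_OK", azure_key_problems(AZURE_OK)),
              ("AZURE_DISABLED", azure_key_problems(AZURE_DISABLED))]
    for name, problems in checks:
        print(name, "ready for revert" if not problems else problems)
```

This checks key state only, not the permissions CyberSentriq holds on the key. If the CLI command itself fails (key not found or access denied), treat that as a failed check.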


What you need in RedApp

  • You are signed in as a Partner Admin or Company Admin.
  • Your company is currently on Azure Key Vault or AWS KMS. (If you are already on CyberSentriq-managed encryption, there is nothing to revert.)


How to revert

  1. In RedApp, open Key Management and choose Manage KMS. Confirm the current KMS provider.
  2. Choose Revert to CyberSentriq-Managed and confirm.
  3. All Microsoft 365 and Google Workspace tenants from your backup sets will now appear Unverified, even those you verified during the original switch to customer-managed encryption.
  4. Re-verify each tenant as shown in the next section.
  5. Once every tenant has been verified, RedApp will automatically finish the revert. Your backup encryption keys will be moved off your Azure/AWS key and back onto the CyberSentriq-managed key. The KMS status will show as CyberSentriq-managed.
  6. Once the revert is complete, you can safely disable or delete your Azure Key Vault key or AWS KMS key if you no longer need it.
If your company has no Microsoft 365 or Google Workspace tenants in any backup sets, the revert will complete immediately with no tenant verification required.


Verifying your tenants

Tenant ownership is re-checked on every major key change, including reverts. Every tenant, even the ones you verified during the original switch to customer-managed encryption, must be verified again. This protects your data from being re-keyed by an unauthorised party.

  • Microsoft 365 tenants are verified by having a Global Administrator or Privileged Role Administrator grant admin consent. To check a user's role: sign into the Microsoft Entra admin center, go to Users > All users, select the user, and look under Assigned roles.
  • Google Workspace tenants are verified by having a Super Admin authorise CyberSentriq. Delegated admins will not work. To check a user's role: sign into the Google admin center and go to Account > Admin roles > Super Admin.


Common issues

What you see: "Company is already using CyberSentriq-Managed encryption"
Why it happens: You tried to revert a company that's already on CyberSentriq-Managed.
How to fix it: If you have a different pending setup you want to abandon, use Cancel pending setup instead.

What you see: Revert won't complete — tenants stay unverified
Why it happens: A qualified admin hasn't completed consent for every tenant, or a new backup set was added during the revert and introduced a new tenant.
How to fix it: Refresh the tenant list and have the right admin (Global Admin / Privileged Role Admin for M365, Super Admin for Workspace) complete consent for each remaining tenant.

What you see: Revert fails at the final step with a KMS / Key Vault error
Why it happens: Your Azure Key Vault key or AWS KMS key was disabled, deleted, or had its permissions removed before the revert finished — so CyberSentriq can't do the final move.
How to fix it: Ask your cloud admin to re-enable the key and restore the permissions CyberSentriq had before, then refresh the tenant list to retry. If the key was permanently deleted, contact CyberSentriq support urgently.

What you see: You changed your mind and want to stay on customer-managed
Why it happens: The revert is still in pending state, so you can back out.
How to fix it: Use Cancel pending setup. Your current customer-managed configuration stays active unchanged.

What you see: The tenant list keeps showing new unverified tenants
Why it happens: Backup sets are being added or rescanned mid-revert, and each new set can introduce a tenant that must be verified.
How to fix it: Pause backup set changes until the revert completes, or keep verifying new tenants as they appear.


What to do next

Once the switch completes, you will have one opportunity to export a copy of your company encryption key without having to re-verify your tenants. If you'd like an off-platform copy for safe-keeping, export the encryption key now by following the steps in Article 1655. 
