Q. I want to use Azure RMS however I am concerned about Microsoft having the key to all my protected content, is there anything I can do?
A. Rights Management Services (RMS) is a solution available on-premises as part of Active Directory (AD RMS) and in the cloud, Azure RMS. Both work the say way to protect content. The figure below shows how RMS works.
Notice that each RMS protected file is protected by its own unique symmetric key. That key is placed in the license file of the file and protected using the tenant key. This is why it is so important to protect the tenant key. Note that the actual file content is never sent to the RMS infrastructure (on-premises or Azure RMS) but rather the RMS-enlightened application that accesses the RMS protected content calls. The RMS client then communicates with the RMS service to enable access to the key to access the content by sending the license part of the file to RMS.
An option available in Azure RMS is to bring your own key (BYOK). With BYOK you control the master organizational root trust key (also called the tenant key) which is used to decrypt the license that is part of each RMS protected file. When first made available, to use BYOK you had to actually fly to Redmond to upload your key into the HSMs. However, it is now possible to do this over the wire making it far simpler. This process is documented at http://blogs.msdn.com/b/rms/archive/2014/04/02/azure-rms-byok-now-without-flying.aspx. Therefore if you want to use Azure RMS but don't want Microsoft to have access to your organizations root trust key then use the BYOK approach. Microsoft has more details on the differences between a Microsoft managed key and BYOK at https://technet.microsoft.com/en-us/library/dn440580.aspx.