Set-AipServiceKeyProperties

Set-AipServiceKeyProperties
    [-Force]
    -KeyIdentifier <String>
    -Active <Boolean>
    [-WhatIf]
    [-Confirm]
    [-RefreshSlcName]
    [<CommonParameters>]

The Set-AipServiceKeyProperties cmdlet changes an Archived status for a specified key object for the tenant to be Active. Because there can be only one active tenant key at any one time, the previously active tenant key is automatically set to Archived.

New users of Azure Information Protection immediately use the identified tenant key to protect content. Existing users of the service gradually transition from the previously active tenant key to the newly active tenant key, and this staggered transition can take a few weeks to complete. You can force the update on clients by re-initializing the user environment (also known as bootstrapping). Documents and files that were protected with the previously active tenant key remain accessible to authorized users by using the tenant key that is now archived.

Setting the tenant key object status to Active also resigns all protection templates with the newly active tenant key. Because this can be a time-consuming operation, especially if you have many protection templates, we do not recommend that you run this operation frequently.

To run this cmdlet, you must specify the KeyIdentifier for the tenant key object that you want to set to Active. To get this value, use the Get-AipServiceKeys cmdlet.

Unless you are in middle of a migration from AD RMS, do not activate a 1024-bit RSA key, which is considered an inadequate level of protection. Microsoft doesn’t endorse the use of lower key lengths such as 1024-bit RSA keys and the associated use of protocols that offer inadequate levels of protection, such as SHA-1. We recommend moving to a higher key length.

For more information about the tenant key, see Planning and implementing your Azure Information Protection tenant key.

PS C:\> Set-AipServiceKeyProperties -Force -KeyIdentifier "c0f102b3-02cc-4816-b732-fcee73edd0e6" -Active $True

This command changes the status of a tenant key object from Archived to Active. The KeyIdentifier parameter identifies the tenant key object to change, and this value can be found by running Get-AipServiceKeys. The tenant key object that previously had a status of Active is automatically set to Archived.

Because the command specifies the Force parameter, the command does not prompt you for confirmation.

PS C:\> Set-AipServiceKeyProperties -KeyIdentifier "c0f102b3-02cc-4816-b732-fcee73edd0e6" -RefreshSlcName

This command retrieves the current tenant friendly name from Azure Active Directory and updates the SLC to have the user keys reflect the same name.

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.