Data Authorization

A relationship between a Principal and a Data URI. A principal that has authorization to the URI can decrypt all the data identified by this URI. A principal that has lost authorization to the URI may be able to decrypt data encrypted before the authorization was removed. Also, principals with authorization to a URI are able to decrypt and view Data Policy object for this URI.

Data Consumer

The user or an application that decrypts the data on the client machine based on the policies defined by the TSPA. The data consumer downloads the data from Windows Azure and decrypts the data after download. The data consumer performs the decryption step (also referred to as Policy Enforcement) using the Trust Services SDK (.NET library or PowerShell snap-in).

Data Policy

Object stored on Trust Server that declares whether certain data must be encrypted or not. The data is identified by a Data URI. Data Policy (including the URI) is stored encrypted and can only be decrypted by principals that have Data Authorization for this URI.

Data Publisher

The user or an application that encrypts the data on the client machine based on the policies defined by the TSPA. The data publisher performs encryption (based on policies set by TSPA) and uploading of data to Windows Azure (or more generally to any store). The data publisher uploads the encrypted data to Windows Azure outside of the Trust Services system. Typically, the data publisher would upload data using the interfaces provided by Windows Azure (blob, table, or SQL Azure) in an application or tool. The data publisher performs the encryption step (also referred to as Policy Enforcement) using the Trust Services SDK (.NET library or PowerShell snap-in).

Data URI

Data URI is an identifier for the data that has a single Data Policy object and a single set of authorizations corresponding to the data. It is up to the user application to decide what data should be mapped to a single data URI. Typically, in a SQL databases, data URI represents a column in a database.


  • Data URI must not change if a data container is renamed or moved.
  • It is advised to choose URIs with a random component. For an example, see SqlColumnUri.CreatePolicyNamespace method in C# SDK.

Policy Administration

Set of steps performed by TSPA. The steps include creating and deleting Data Policy objects and authorizations of principals to URIs that represent data.


A user or an application that uses Trust Services SDK (.NET library or PowerShell snap-in). Principal is identified by an X.509 certificate. Private key of the principal certificate is never uploaded to Trust Server.
Principals include TSPAs, Data Publishers and Data Consumers. In C# API, Principals are represented as objects of PrincipalCertificate class.

Principal Certificate

Wrapper class in C# API around .NET X509Certificate2 class.
PrincipalCertificate class is used to represent Principals.

Trust Services Administrator (TSA)

The Live ID user that manages the Trust Services account for the organization. The TSA performs the following actions on the Trust Services portal:
  • Sign-up for a Trust Services service.
  • Create and Manage Trust Servers associated with the account - The TSA creates a Trust Server and identifies a Trust Services Policy Administrator with an X.509 certificate (referred to as Principal Certificate) for the server. This certificate (containing only the public key) is uploaded by the TSA.

Trust Services Policy Administrator (TSPA)

Performs the following actions within a Trust Server using Trust Services SDK:  

  • Manage users: Identifies the publisher/subscribers associated with a Trust Server and uploads their certificates (containing only the public key).
  • Define & Manage Policies: Defines policies for data entities, identifying the data entity (URI) as sensitive (protected with encryption) or non-sensitive (left as plaintext). In Trust Services, a data entity is identified by a uniform resource identifier (URI). 
  • Define & Manage the Data Authorization: Authorizes users to access (decrypt) the sensitive data entity. 
  • TSPA certificate rolling: Uploads a new TSPA certificate to designate a new TSPA.
The TSPA performs actions referred to as Policy Administration.


See Trust Services Administrator


See Trust Services Policy Administrator