Re: “If there is unauthorised access ... we’ll let you know about this,”
"Everything should be encrypted in flight and at rest in a manner such that neither Microsoft nor its US government TLA partners can get access to it, even if they wanted to."
See https://technet.microsoft.com/en-gb/library/dn440580.aspx
"For example, instead of Microsoft managing your tenant key (the default), to comply with your company policies, you might have to manage your own tenant key, which is also known as bring your own key (BYOK).
1. You generate your tenant key on your premises, in line with your IT policies.
2. You securely transfer the tenant key from a Hardware Security Module (HSM) in your possession to HSMs that are owned and managed by Microsoft. Throughout this process, your tenant key never leaves the hardware protection boundary.
3. When you transfer your tenant key to Microsoft, it stays protected by Thales HSMs. Microsoft has worked with Thales to ensure that your tenant key cannot be extracted from Microsoft’s HSMs.
As an additional protection measure, Azure RMS uses separate security worlds for its data centers in North America, EMEA (Europe, Middle East and Africa), and Asia. When you manage your own tenant key, it is tied to the security world of the region in which your RMS tenant is registered. For example, a tenant key from a European customer cannot be used in data centers in North America or Asia."
See also: https://www.thales-esecurity.com/msrms/cloud