Well yeah, by default Microsoft holds your encryption keys. Why wouldn’t they be able to unencrypt it? Implement Customer Key if you want to hold your own encryption keys.