Feature Should be in Core eDiscovery
Sources inside Microsoft tell me that approximately 10% of eligible Office 365 tenants use sensitivity labels to protect information with encryption. Reflecting Microsoft’s recent efforts to increase coverage of sensitivity labels, notably through native support in the Office desktop apps and much better support in SharePoint Online, the number of tenants using sensitivity labels for both information protection and container management is steadily growing.
To apply sensitivity labels to messages and documents, users need at least the Office 365 E3 plan; to auto-apply sensitivity labels, they need Office 365 E5. Users with lower plans can read protected files, but they can’t apply labels. We know that Microsoft has sold just under 300 million Office 365 seats. Assuming that the enterprise section is roughly two-thirds of this number, maybe 20 million people are using sensitivity labels, which adds up to a lot of protection.
Protected Content and eDiscovery
All of which brings me to Microsoft’s documentation for how to handle protected content exported for eDiscovery cases. We’re talking about email and documents protected using sensitivity labels (Microsoft Information Protection) or the older Azure Rights Management technologies. In a nutshell, the situation is this:
- After you enable sensitivity labels for Office files in SharePoint Online, Microsoft Search can index the encrypted content and make it available for eDiscovery. Encrypted email is always indexed and discoverable.
- When you use a Core eDiscovery case or content search to find protected content, the export feature decrypts protected messages and attachments but does not decrypt protected files stored in SharePoint Online or OneDrive for Business.
- To get automatic decryption of exported files (some exceptions exist, like sensitivity labels with user-defined permissions), you need the export capability built into Advanced eDiscovery. And to use Advanced eDiscovery, you need Office 365 E5 licenses for every account covered by the eDiscovery case.
It’s possible to decrypt protected content before export by removing sensitivity labels from files using the Microsoft Graph. Another solution is to assign rights management super-user permission to an account and use the account to run the PowerShell Set-AIPFileLabel cmdlet to remove labels from files. Although these solutions are available to Office 365 E3 tenants, the process of extracting and decrypting content is intensely manual and unsuitable for dealing with large numbers of files. It’s so much easier when Office 365 does all the heavy lifting to find, decrypt, and export content.
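As an added example (not code from the article), this PowerShell script walks the manual route just described for a Core eDiscovery export: it enables the super-user feature and assigns it to an account with the AIPService cmdlets, then uses Get-AIPFileStatus and Set-AIPFileLabel from the unified labeling client to strip labels or protection from the exported files and records every action in a CSV for the case file. The case reference is a placeholder, and the property names read from the cmdlet output (IsRMSProtected, IsLabeled, MainLabelName, Status, Comment) are assumed from the client’s documented output.

```powershell
# Added example, not from the article: decrypt files exported by Core eDiscovery by
# removing their labels/protection with the AIP PowerShell cmdlets under a super-user
# account. Run on a copy of the export; every file touched is logged for the case record.
param(
    [Parameter(Mandatory)] [string] $ExportFolder,  # copy of the SPO/ODB export
    [Parameter(Mandatory)] [string] $SuperUserUpn,  # account that will hold super-user rights
    [string] $CaseId = 'CASE-ID-PLACEHOLDER',        # hypothetical case reference for the log
    [string] $LogPath = (Join-Path $ExportFolder 'decryption-log.csv')
)
Import-Module AIPService
Import-Module AzureInformationProtection   # unified labeling client cmdlets

# 1. Ensure the super-user feature is on and the account is a super-user.
Connect-AipService
if ((Get-AipServiceSuperUserFeature) -ne 'Enabled') { Enable-AipServiceSuperUserFeature }
if ((Get-AipServiceSuperUser) -notcontains $SuperUserUpn) {
    Add-AipServiceSuperUser -EmailAddress $SuperUserUpn
}
# Super-user rights apply at the next client sign-in; authenticate the client as
# $SuperUserUpn (Set-AIPAuthentication) before the next step.

# 2. Inventory: only files that are actually RMS-protected need decrypting.
$before    = Get-AIPFileStatus -Path $ExportFolder
$protected = $before | Where-Object { $_.IsRMSProtected }
Write-Host ("{0} of {1} files are protected" -f $protected.Count, $before.Count)

# 3. Remove protection. -RemoveLabel drops the label (and the protection it applied);
#    files protected by a template or user-defined permissions without a label need
#    -RemoveProtection instead.
$log = foreach ($f in $protected) {
    $op = if ($f.IsLabeled) { @{ RemoveLabel = $true } } else { @{ RemoveProtection = $true } }
    $r  = Set-AIPFileLabel -Path $f.FileName @op -JustificationMessage "eDiscovery $CaseId"
    [pscustomobject]@{
        File   = $f.FileName
        Label  = $f.MainLabelName
        Action = ($op.Keys | Select-Object -First 1)
        Status = $r.Status      # Success / Skipped / Fail
        Detail = $r.Comment
        When   = (Get-Date).ToString('o')
    }
}
$log | Export-Csv -Path $LogPath -NoTypeInformation

# 4. Verify nothing protected is left before handing the export to reviewers.
$remaining = Get-AIPFileStatus -Path $ExportFolder | Where-Object { $_.IsRMSProtected }
if ($remaining) {
    Write-Warning ("Still protected: " + ($remaining.FileName -join ', '))
} else {
    Write-Host "All exported files decrypted; log written to $LogPath"
}
```

Step 4 is the check worth keeping even if the rest is adapted: a file that is still protected after the run is one a reviewer without the super-user role will not be able to open.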
Decryption Should be a Core Capability
If Office 365 E3 users can apply sensitivity labels to protect content, their tenant administrators should be able to search for and decrypt files retrieved by Core eDiscovery. Although I can understand why Microsoft wants to emphasize the benefits of Advanced eDiscovery by stuffing as much functionality as it can into it, there are enough features (like the ability to display complete Teams conversation threads) in Advanced eDiscovery already. And if Exchange Online is happy to decrypt protected messages and attachments for Core eDiscovery, there’s no good reason for Core eDiscovery not to do the same for files found in SharePoint Online and OneDrive for Business.
What about a leaver who has encrypted their files? How would we give their replacement access to these files?
A super-user can decrypt protected files. But more importantly, files should not be protected with labels that allow access to just one user. It’s a good idea to have files protected with labels that allow other people in the organization to have co-author rights over the content. Except for very sensitive material, of course.
Hello Tony, is the “super user” feature still active? It is not very clear in Microsoft documentation… and I got errors when I set up the super users or the super user group.
Thanks in advance
Looks good to me:
PS C:\temp> import-module aipservice
PS C:\temp> connect-aipservice
A connection to the Azure Information Protection service was opened.
PS C:\temp> Get-AipServiceSuperUser
….
Trying to confirm: if using an E3 license and an email is encrypted using a sensitivity label, will Core eDiscovery be able to read that email?
Thanks
Yes
Hello Tony
I assume Decryption is only possible when using MMK and not CMK or DKE
I believe that’s accurate.