Feature Should be in Core eDiscovery
Sources inside Microsoft tell me that approximately 10% of eligible Office 365 tenants use sensitivity labels to protect information with encryption. Reflecting Microsoft’s recent efforts to increase coverage of sensitivity labels, notably through native support in the Office desktop apps and much better support in SharePoint Online, the number of tenants using sensitivity labels for both information protection and container management is steadily growing.
To apply sensitivity labels to messages and documents, users need at least the Office 365 E3 plan; to auto-apply sensitivity labels, they need Office 365 E5. Users with lower plans can read protected files, but they can’t apply labels. We know that Microsoft has sold just under 300 million Office 365 seats. Assuming that the enterprise section is roughly two-thirds of this number, maybe 20 million people are using sensitivity labels, which adds up to a lot of protection.
Protected Content and eDiscovery
All of which brings me to Microsoft’s documentation for how to handle protected content exported for eDiscovery cases. We’re talking about email and comments protected using sensitivity labels (Microsoft Information Protection) or the older Azure Rights Management technologies. In a nutshell, the situation is this:
- After you enable sensitivity labels for Office files in SharePoint Online, Microsoft Search can index the encrypted content and make it available for eDiscovery. Encrypted email is always indexed and discoverable.
- When you use a Core eDiscovery case or content search to find protected content, the export feature decrypts protected messages and attachments but does not decrypt protected files stored in SharePoint Online or OneDrive for Business.
- To get automatic decryption of exported files (some exceptions exist, like sensitivity labels with user-defined permissions), you need the export capability built into Advanced eDiscovery. And to use Advanced eDiscovery, you need Office 365 E5 licenses for every account covered by the eDiscovery case.
It’s possible to decrypt protected content before export by removing sensitivity labels from files using the Microsoft Graph. Another solution is to assign rights management super-user permission to an account and use the account to run the PowerShell Set-AIPFileLabel cmdlet to remove labels from files. Although these solutions are available to Office 365 E3 tenants, the process of extracting and decrypting content is intensely manual and unsuitable for dealing with large numbers of files. It’s so much easier when Office 365 does all the heavy lifting to find, decrypt, and export content.
Decryption Should be a Core Capability
If Office 365 E3 users can apply sensitivity labels to protect content, their tenant administrators should be able to search for and decrypt files retrieved by core eDiscovery. Although I can understand why Microsoft wants to emphasize the benefits of Advanced eDiscovery by stuffing as much functionality as it can into it, there are enough features (like the ability to display complete Teams conversation threads) in Advanced eDiscovery already. And if Exchange Online is happy to decrypt protected messages and attachments for Core eDiscovery, there’s no good reason for Advanced eDiscovery not to do the same for files found in SharePoint Online and OneDrive for Business.
What about a leaver who has encrypted their files? how would we give their replacement access to these files?
A super-user can decrypt protected files. But more importantly, files should not be protected with labels that allow access to just one user. It’s a good idea to have files protected with labels that allow other people in the organization to have co-author rights over the content. Except for very sensitive material, of course.
Hello Tony, is the “super user” feature still active? It is not very clear in Microsoft documentation… and I got errors when I set up the super users or the super user group.
Thanks in advance
Looks good to me:
PS C:\temp> import-module aipservice
PS C:\temp> connect-aipservice
A connection to the Azure Information Protection service was opened.
PS C:\temp> Get-AipServiceSuperUser
Trying to confirm, is using an E3 license and an email is encryoted using a Sensitivity label, will core eDiscovery be able to read that email?
I assume Decryption is only possible when using MMK and not CMK or DKE
I believe that’s accurate.