Feature Should be in Core eDiscovery

Sources inside Microsoft tell me that approximately 10% of eligible Office 365 tenants use sensitivity labels to protect information with encryption. Reflecting Microsoft’s recent efforts to increase coverage of sensitivity labels, notably through native support in the Office desktop apps and much better support in SharePoint Online, the number of tenants using sensitivity labels for both information protection and container management is growing steadily.

To apply sensitivity labels manually to messages and documents, users need at least the Office 365 E3 plan; to have labels applied automatically, they need Office 365 E5. Users with lower plans can read protected files, but they can’t apply labels. Microsoft has sold just under 300 million Office 365 seats. If the enterprise segment is roughly two-thirds of that figure and the 10% usage rate holds, perhaps 20 million people are applying sensitivity labels, which adds up to a lot of protected content.

Protected Content and eDiscovery

All of which brings me to Microsoft’s documentation for how to handle protected content exported for eDiscovery cases. We’re talking about email and documents protected using sensitivity labels (Microsoft Information Protection) or the older Azure Rights Management technologies. In a nutshell, the situation is this:

  • After you enable sensitivity labels for Office files in SharePoint Online, Microsoft Search can index the encrypted content and make it available for eDiscovery. Encrypted email is always indexed and discoverable.
  • When you use a Core eDiscovery case or content search to find protected content, the export feature decrypts protected messages and attachments but does not decrypt protected files stored in SharePoint Online or OneDrive for Business.
  • To get automatic decryption of exported files (some exceptions exist, like sensitivity labels with user-defined permissions), you need the export capability built into Advanced eDiscovery. And to use Advanced eDiscovery, you need Office 365 E5 licenses for every account covered by the eDiscovery case.

It’s possible to decrypt protected content before export by removing sensitivity labels from files through the Microsoft Graph. Another approach is to grant an account rights management super-user permission and use that account to run the PowerShell Set-AIPFileLabel cmdlet to remove labels from files. Although both approaches are available to Office 365 E3 tenants, extracting and decrypting content this way is intensely manual and unsuitable for large numbers of files. It’s much easier when Office 365 does the heavy lifting to find, decrypt, and export content.
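For readers who do have to take the super-user route, here is the sequence as an added example (my illustration, not code from the article or from Microsoft): it enables the super-user feature, adds a super-user account, checks which files in an export folder are still protected, strips the labels, and re-checks. It assumes the AIPService module and the Azure Information Protection unified labeling client (AzureInformationProtection module) are installed, that the PowerShell session is signed in as the super-user account so the client can decrypt on its behalf, and that the account name, export folder and case number are placeholders.

```powershell
# Added example, not from the original article. Bulk removal of sensitivity
# labels from files that Core eDiscovery exported still encrypted, using a
# rights management super user. Placeholders: the super-user address, the
# export folder path and the case number.

Import-Module AIPService
Connect-AipService

# 1. The super-user feature is off by default. Turn it on and add the account
#    that will decrypt files. Get-AipServiceSuperUser confirms the addition.
Enable-AipServiceSuperUserFeature
Add-AipServiceSuperUser -EmailAddress 'ediscovery-decrypt@contoso.com'   # placeholder
Get-AipServiceSuperUser

# 2. Inspect the export folder before changing anything. Get-AIPFileStatus
#    reports IsRMSProtected for each file, so we only touch protected ones.
#    This session must be running as the super user for decryption to work.
$ExportPath = 'C:\eDiscovery\Case1234\Export'   # placeholder path
$Files = Get-ChildItem -Path $ExportPath -Recurse -File
$Status = Get-AIPFileStatus -Path $Files.FullName
$Protected = $Status | Where-Object { $_.IsRMSProtected -eq $true }
"{0} of {1} exported files are RMS-protected" -f $Protected.Count, $Status.Count

# 3. Remove the label (and with it the encryption) from each protected file.
#    Lowering protection requires a justification, which the client records.
foreach ($Item in $Protected) {
    Set-AIPFileLabel -Path $Item.FileName -RemoveLabel `
        -JustificationMessage 'Decrypting exported content for eDiscovery case 1234'   # placeholder
}

# 4. Re-check. Anything still protected needs manual follow-up rather than
#    silently going into the review set encrypted.
Get-AIPFileStatus -Path $Files.FullName |
    Where-Object { $_.IsRMSProtected -eq $true } |
    Select-Object FileName, IsLabeled, MainLabelName, RMSTemplateName

# 5. Super-user rights let the account open every protected item in the
#    tenant, so remove them as soon as the case no longer needs them.
Remove-AipServiceSuperUser -EmailAddress 'ediscovery-decrypt@contoso.com'   # placeholder
```

Two points worth keeping in mind: super-user rights are tenant-wide read access to all protected content, so keep the account dedicated and time-boxed (step 5 is not optional), and Set-AIPFileLabel writes a new copy of each file, so run it on the exported copies, never on the originals in SharePoint Online or OneDrive for Business.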

Decryption Should be a Core Capability

If Office 365 E3 users can apply sensitivity labels to protect content, their tenant administrators should be able to search for and decrypt files retrieved by Core eDiscovery. Although I can understand why Microsoft wants to emphasize the benefits of Advanced eDiscovery by stuffing as much functionality as it can into it, there are enough features (like the ability to display complete Teams conversation threads) in Advanced eDiscovery already. And if Exchange Online is happy to decrypt protected messages and attachments for Core eDiscovery, there’s no good reason for Core eDiscovery not to do the same for files found in SharePoint Online and OneDrive for Business.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.


  1. Ben Cavolick

    What about a leaver who has encrypted their files? how would we give their replacement access to these files?

    1. Tony Redmond

      A super-user can decrypt protected files. But more importantly, files should not be protected with labels that allow access to just one user. It’s a good idea to have files protected with labels that allow other people in the organization to have co-author rights over the content. Except for very sensitive material, of course.

      1. Thibault Joubert

        Hello Tony, is the “super user” feature still active? It is not very clear in Microsoft documentation… and I got errors when I set up the super users or the super user group.
        Thanks in advance

        1. Tony Redmond

          Looks good to me:

          PS C:\temp> import-module aipservice
          PS C:\temp> connect-aipservice
          A connection to the Azure Information Protection service was opened.
          PS C:\temp> Get-AipServiceSuperUser

  2. Chabango

    Trying to confirm: if using an E3 license and an email is encrypted using a sensitivity label, will Core eDiscovery be able to read that email?

  3. Christophe Humbert

    Hello Tony

    I assume Decryption is only possible when using MMK and not CMK or DKE
