Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Exiting Office 365 with Your Encrypted Messages and Documents

Creating a Cloud Exit Plan for Encryption

Microsoft engineering teams publish all sorts of useful tips. The only problem is that it can be hard to find the gems in the flood of information in announcements, marketing bumpf, and blogs that any self-respecting product organization generates.

Which brings me to the post titled “How to prepare an Azure Information Protection “Cloud Exit” plan” where the Azure Information Protection team lay out the steps needed to move encrypted information out of the cloud to an on-premises location.

Could You Exit Office 365?

You might think that you will never exit the cloud. And indeed, it is Microsoft’s sincere wish that you should never even have such a thought because they’d like their tenants to continue paying the billions of dollars of monthly subscriptions that make Microsoft’s cloud properties so valuable.

It’s hard to consider making a cloud exit. Where would you go? The two obvious destinations are another cloud service or back on-premises, but both choices pose difficulties, as I discuss in a post about what people could do if an Office 365 disaster happened.

But if it’s difficult to contemplate moving unencrypted data from an Office 365 tenant to somewhere else, it’s even harder if you factor in encrypted data. Today, the amount of encrypted content (message, documents, and other data) inside Office 365 tenants is minuscule, so the difficulty only arises for tenants who embrace rights management and encryption for a good reason. In most cases, these organizations have used on-premises Active Directory Rights Management services and are accustomed to the intricacies of encryption.

The Complexity Created by Easier Encryption

Tomorrow, the situation might well be different. Microsoft has made it much easier for Office 365 tenants to encrypt content with features like the Encrypt-Only template that’s available to all Office 365 enterprise and business customers as well as Outlook.com premium users.

More importantly, sensitivity labels are now available. Office 365 E3 and E5 tenants have licenses to protect (encrypt) messages and documents with sensitivity labels. This requires a preview version of the Azure Information Protection client today, but the Office desktop apps (for Windows) are scheduled to have native support for sensitivity labels in 2H 2019. When all the Office apps (desktop, mobile, and online) support sensitivity labels, there’ll be no good reason why Office 365 users shouldn’t protect their most important information with encryption.

By 2022, I think between 2% and 4% of all Office 365 content will be protected. This figure sounds low, but the protected content will be the most important content. Over time, the percentage of protected content will increase steadily. You can also bet that Microsoft will enable support for sensitivity labels elsewhere in the Office 365 spectrum, like Teams channels or even individual messages.

The Upside and Downside for Tenants

Tenants seem to get a big upside from the change. Microsoft is doing the heavy lifting to make encryption easy and there’s lots of goodness in that. But it also means that tenant data will be even harder to move off Office 365.

Impact on ISVs

The impact will be larger on ISVs. Companies who create autosignature products already see the signs because their code can’t apply signatures to messages encrypted by Outlook. But any ISV that relies on the ability to process Office 365 data will be affected if they can’t deal with encrypted content. Take a backup service that offers tenants the ability to recreate a user mailbox should a major outage occur. If the restore operation doesn’t decrypt any encrypted messages when it reconstructs the mailbox, the user won’t be able to access those messages unless they can authenticate against Azure Active Directory.

Preparing for a Cloud Exit

This is a central point made in Microsoft’s post. They advise that anyone who thinks that they might need to exit the cloud should create a new Active Directory Rights Management on-premises cluster (perhaps on a virtual machine) and populate it with the Microsoft managed key generated automatically for Office 365 tenants for rights management. Super users can then decrypt the content copied over from the cloud.

Setting up a new rights management cluster and transferring keys is not something you can do on the fly when an Office 365 outage happens, or after you have exited the cloud. Instead, it’s a carefully planned exercise to be done upfront so that the outcome can be tested and verified to ensure that everything works if the need arises. Depending on how many messages and files need to be processed, decrypting content and returning that content to users could take considerable effort and time. In short, you can extract and decrypt your Office 365 content, but only with good preparation and much toil.

Encryption Creates Opportunities and Problems

Encryption has always brought complexity in terms of key management. Microsoft has done a lot to take complexity out of the equation, but that doesn’t mean that organizations can simply deploy without thought. As we enter a world where encrypted content is more common, we all need to figure out what it means for operations, products, and long-term strategy.

by Tony Redmond
Apr 18, 2019

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with c...

How to Grant Full Mailbox Access to Users in Office 365 and Exchange Server

Aug 4, 2023
Aug 08, 2023
Microsoft and AI: What Is the Copilot Semantic Index and How Does It Work?

Feb 6, 2024
Mar 21, 2024
Nested Microsoft 365 Groups: What You Need to Know

Jul 12, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.