Microsoft 365 Advanced eDiscovery Decrypts Exported Files

Now Rolling Out

Among the Message Center notifications posted before Microsoft closed for the holiday break is MC230569, which confirms that Advanced eDiscovery can decrypt content collected from SharePoint Online and OneDrive for Business. The update is Microsoft 365 roadmap item 68705 and will roll out to tenants in January 2021. It’s already in my tenant.

Sensitivity Labels on a Roll

You might ask “what’s important about this change?” and wonder if eDiscovery needs to export decrypted content. Well, thanks to the engineering effort Microsoft has poured into building out the ecosystem around sensitivity labels over the last year or so, a growing proportion of Office documents stored in SharePoint and OneDrive is protected (encrypted).

Recent developments include adding native support in Microsoft 365 Apps for enterprise (the desktop apps) and container management for Groups, Teams, and Sites – including the recent addition of control over external sharing. Even the curious demand for Azure AD Premium licenses to manage containers with labels doesn’t take much of the sheen away from the work done to develop sensitivity labels into an essential tool for protecting confidential data.

The downside of encryption is encryption. In other words, many administrative tools are built to deal with unencrypted content and cannot handle encrypted items. For instance, until recently, it wasn’t possible for an administrator to remove a label from a document stored in SharePoint Online or OneDrive for Business. That gap is now closed, albeit only in PowerShell.

Decrypted Search Results

It’s always been possible to find encrypted items with content searches. However, although Exchange Online indexed protected email to make these items available for eDiscovery, SharePoint Online only indexed metadata (like titles) for protected documents. Searches could still find protected documents, but only through their metadata.

The situation changed in May 2020 with the introduction of optional support for sensitivity labels in SharePoint Online. When enabled, SharePoint decrypts protected Office documents in its store to allow indexing of document content, meaning that the content is available for searching. When the protected documents are downloaded, encryption is reapplied to make sure that protection is persistent.

Searches can find protected documents in SharePoint Online and OneDrive for Business, but a longstanding problem exists when the need arises to provide copies of documents to external investigators and advisors (like lawyers). Often advisors help organizations to understand if breaches of company procedures or regulations have happened, and they need to see the full content of relevant documents. To create decrypted copies, the encrypted files must be exported and then decrypted manually by an account enabled as a Microsoft Information Protection super-user. Once enabled, the super-user account can run the Set-AIPFileLabel cmdlet to remove labels from files.

Set-AIPFileLabel C:\Exports\ProtectedSPODocument.docx -RemoveLabel -JustificationMessage "Removed protection to enable external examination"

FileName                             Status  Comment
--------                             ------  -------
C:\Exports\ProtectedSPODocument.docx Success

Exporting and assembling protected files for decryption is not a fast task. Removing labels from the files isn’t fast either. All in all, it’s a royal pain.
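The manual decryption step described above, run against a whole export folder rather than one file at a time, as an added example that is not from the original post. It assumes the AzureInformationProtection PowerShell module (installed with the AIP client) is loaded, the session is signed in as an account enabled as a Microsoft Information Protection super-user, and C:\Exports is the folder holding the exported files; the folder path, log path and justification text are placeholders.

```powershell
# Batch removal of sensitivity labels from an eDiscovery export folder.
# Assumptions (not from the original post): AzureInformationProtection module
# loaded, session authenticated as an MIP super-user, placeholder paths below.
$ExportRoot    = 'C:\Exports'
$AuditLog      = 'C:\Exports\LabelRemoval.csv'
$Justification = 'Removed protection to enable external examination'

# Only Office documents are decrypted; other protected types (PDF, S/MIME)
# are reported but left untouched, mirroring what eDiscovery itself can do.
$OfficeExtensions = '.docx', '.xlsx', '.pptx', '.doc', '.xls', '.ppt'

$results = foreach ($file in Get-ChildItem -Path $ExportRoot -File -Recurse) {
    # Inspect first so unprotected files are skipped and nothing is rewritten needlessly.
    $status = Get-AIPFileStatus -Path $file.FullName
    if (-not $status.IsLabeled -and -not $status.IsRMSProtected) {
        [pscustomobject]@{ FileName = $file.FullName; Action = 'None'; Result = 'Not protected' }
        continue
    }
    if ($file.Extension -notin $OfficeExtensions) {
        [pscustomobject]@{ FileName = $file.FullName; Action = 'None'; Result = 'Non-Office file left encrypted' }
        continue
    }
    # Strip the label (and with it the encryption). The justification is recorded
    # by the client; preserving file details keeps the modified date reviewers rely on.
    $removal = Set-AIPFileLabel -Path $file.FullName -RemoveLabel `
        -JustificationMessage $Justification -PreserveFileDetails
    [pscustomobject]@{
        FileName = $file.FullName
        Action   = 'RemoveLabel'
        Result   = "$($removal.Status) $($removal.Comment)".Trim()
    }
}

# Keep an audit trail of every decision, then surface anything that did not
# decrypt so it is not handed to external reviewers by mistake.
$results | Export-Csv -Path $AuditLog -NoTypeInformation
$results | Where-Object { $_.Action -eq 'RemoveLabel' -and $_.Result -ne 'Success' } |
    Format-Table -AutoSize
```

The CSV gives investigators a record of which exported files were decrypted, which were already unprotected, and which remain encrypted because they are not Office documents.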

Easing the Pain of Encryption

Things progressed in November 2020 when Microsoft updated Core eDiscovery to decrypt protected attachments for Exchange email. This was a small step forward, but it still left the issue of how to deal with protected Office documents exported by eDiscovery from SharePoint Online and OneDrive for Business.

Core eDiscovery is included in Office 365 E3; Advanced eDiscovery is available when you have Office 365 E5. This is an important differentiation because Microsoft has left the gap in Core eDiscovery while closing it in Advanced eDiscovery.

Quite why this should be the case is unknown because the ability to decrypt protected Exchange messages during export has always existed in Core eDiscovery (now with attachments). There’s no good logic in limiting decryption of documents to Advanced eDiscovery. I guess it’s yet another example of Microsoft’s sometimes bizarre decisions around licensing data governance features, like the requirement for Office 365 E5 for DLP policies for Teams while E3 is enough to process DLP policies against Exchange and SharePoint.

In any case, Advanced eDiscovery now deals quite happily with encrypted SharePoint and OneDrive documents. As the title implies, Advanced eDiscovery includes more bells and whistles than the Core version. You create cases, define custodians (people of interest to an eDiscovery case), include additional data sources for searches, run searches to establish information to consider (review sets), before finding items which might need external review. Because they’re designed to deal with millions of documents, a lot more processing goes into Advanced eDiscovery cases. Apart from making the eDiscovery process more complicated to navigate, the extra complexity seems to slow everything down too.

Eventually, after searching for and identifying documents of interest, you can use the Action menu to create an export job to copy selected items from the source locations (Figure 1).

Advanced eDiscovery Review Set
Figure 1: Working with documents in a review set (image credit: Tony Redmond)

The export job creates a ZIP file containing the results. Any protected Office documents extracted from SharePoint Online or OneDrive for Business are decrypted before they are included in the ZIP, meaning that whoever can access the ZIP file can open the documents.

Limitations and Exclusions

Advanced eDiscovery handles protected Office documents well but not every kind of protected content which might end up in SharePoint. Advanced eDiscovery can export Office documents protected by Office 365 Message Encryption (OME) or sensitivity labels (aka “Microsoft encryption technology”). Other content stored in SharePoint Online, like PDFs protected by sensitivity labels and items protected by S/MIME or another encryption service can be found by eDiscovery searches (thanks to their metadata) but remain encrypted when exported.

Decrypting Office documents stored in SharePoint and OneDrive during Advanced eDiscovery exports is a big step forward. The next step is for Microsoft to make the same feature available in Core eDiscovery. And then move on to deal with non-Office content. It just makes sense.
