M365 Changelog: Microsoft Purview Information Protection moving to AES256-CBC mode for encryption of email and Office files

MC590144 – Microsoft Purview Information Protection will begin to use Advanced Encryption Standard (AES) with 256-bit key length in Cipher Block Chaining mode (AES256-CBC) by default for encryption of Office documents and emails. If your organization is part of any of the four groups listed in this post, you must take action to update or opt out of this change.

You can read about this on our Tech Community blog post and learn more in our documentation.

This message is associated with Microsoft 365 Roadmap ID 117576

When this will happen:

Microsoft will begin rolling out late August 2023 and expect to complete by late September 2023.

How this will affect your organization:

Today, Microsoft Purview Information Protection uses AES128 in electronic codebook mode (AES128-ECB) for protecting Office files and emails. Starting in late August 2023, Microsoft will begin to roll out changes to the default, moving to AES256-CBC for files and emails.

This change to the default encryption algorithm will roll out to:

  • Microsoft 365 Apps on Current Channel and Monthly-Enterprise Channel.
  • SharePoint Online
  • Exchange Online and Office 365 Message Encryption
  • Azure Information Protection Classify and Protect 2.17 and later
  • Azure Information Protection PowerShell Module 2.17 and later
  • Microsoft Purview Information Protection Scanner 2.17 and later

When complete, each of these services will generate encrypted files and emails using AES256-CBC. Consumption of AES256-CBC protected files and emails is fully supported across all supported Office clients, and AIP 2.16 or later. 

Any applications integrated with Microsoft Information Protection SDK 1.13 or later will support consumption of AES256-CBC protected content.

What you need to do to prepare:

The four impacted groups are organizations:

1. Using Microsoft 365 Apps with Exchange Server, or Exchange Server in Hybrid mode.

2. With custom line-of-business (LOB) or third-party applications capable of decrypting protected Office files.

3. Using Office Perpetual versions like Office 2019, Office 2019, and Office 2021/LTSC.

4. Using the Azure Information Protection Viewer, PowerShell, or Scanner.

Members of these groups must act prior to late August 2023. Failure to opt out of the AES256-CBC change or to install the Exchange Server patch will result in Exchange Server failing to decrypt protected emails for delivery to mobile devices, Outlook for Mac, and both Exchange Server eDiscovery and journaling. For full details, please review the Microsoft Tech Community Blog post: https://aka.ms/Purview/CBCBlog 

Organizations using Microsoft 365 Apps with Microsoft 365 Services will transition over to protection and consumption of Office documents in CBC mode with no admin intervention. 

Additional information

Blog

Join Petri Insider

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

Join the conversation