Security, Compliance, and Identity Blog

Azure Information Protection and eDiscovery Processes

Tom_Moser
Microsoft
Oct 11, 2018
Summary

A common question from Azure Information Protection administrators revolves around how they can decrypt protected messages and documents as part of eDiscovery processes. The purpose of this article is to describe common, supported approaches to performing eDiscovery across mailboxes and PST files.


Discovery First Approach

No matter what service or software your organization uses for eDiscovery, it's important to perform a first-pass discovery on the mailbox or PST file. In general, that pattern looks like:

  • Export mailbox to PST file (not necessary with Office 365 eDiscovery).
  • Use eDiscovery tool to perform discovery on contents.
  • Generate PST of in-scope items.
  • Use decryption tool to provide decrypted output of PST.
  • Complete import by adding decrypted output to eDiscovery tool.

Ideally, the eDiscovery process occurs prior to export, but in many organizations that's not the case.


Note: Office 365 Security and Compliance Center eDiscovery performs discovery prior to export. See below for additional details.


Office 365 eDiscovery

eDiscovery in the Office 365 Security and Compliance Center can search for encrypted items prior to export. This has a few benefits. First, the output PST file, while still requiring decryption, will be much smaller than the raw mailbox dump: mailboxes where eDiscovery is performed as the first step will see their export size decreased by up to 96%. The Security and Compliance Center can reason over protected content stored in Exchange Online and export all discovered items, including the encrypted messages, to a PST file. Optionally, it can decrypt the encrypted mail on export. Note that these decrypted mail items are stored as individual files rather than bundled as a PST, and that the export cannot currently decrypt protected attachments.


Office 365 eDiscovery can generate three types of PST output:


  1. Export only indexed items
  2. Export indexed and partially indexed items
  3. Export only partially indexed items

Messages and attachments protected with Azure Information Protection are indexed and included in the indexed export, as long as they originated in the tenant where eDiscovery is performed. Items that could not be decrypted because they originated from an external tenant are included in the partially indexed output. Once the chosen export is complete, the PST can be processed by the decryption cmdlet, producing a PST that contains no encrypted content.


Third-Party eDiscovery

An alternative to the process above is to export the entire mailbox to a PST file and then run eDiscovery against that PST. The common pitfall that delays the discovery process is that administrators attempt to decrypt the contents of the entire PST before performing eDiscovery. The Azure Information Protection PowerShell module supports PSTs of up to 5 GB, so it is important to trim down the data set before processing.


Rather than decrypting massive PST files, which can take many hours or even days when in reality less than 10% of the contents were encrypted, the following process is recommended:


  1. Export the PST from Exchange Online or Exchange Server, or from the workstation where the user stored mail.
  2. Import the PST into your preferred third-party eDiscovery tool.
  3. The eDiscovery tool will likely error on all encrypted contents. Generate a PST of all encrypted items.
  4. Use the PowerShell module to decrypt this smaller PST file that contains all encrypted items.
  5. Import the second output PST into the discovery tool.

While this results in extra round trips, it greatly reduces the time to resolution: the eDiscovery software needs only a single full pass, rather than a full pass by the decryption cmdlet followed by another pass by the eDiscovery tool.
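The decryption step shared by both procedures above (step 4 here, and the post-export decryption in the Office 365 section), as an added example that is not part of the original post. It assumes the AzureInformationProtection PowerShell module is installed and that a service principal has been granted the super user role; the app principal id, tenant id and key are placeholders, and the size check enforces the 5 GB limit mentioned above before any decryption starts.

```powershell
# Added example: decrypt the trimmed PST of encrypted items with the
# AIP PowerShell module. Save as Decrypt-EncryptedPst.ps1 and run with
# -EncryptedPst <path to step-3 PST> -OutputFolder <empty folder>.
param(
    [Parameter(Mandatory)] [string] $EncryptedPst,   # PST of encrypted items (step 3)
    [Parameter(Mandatory)] [string] $OutputFolder,   # where the decrypted PST is written
    [string] $LogFile = (Join-Path $OutputFolder 'unprotect.log')
)

$maxPstBytes = 5GB   # limit of the AIP PowerShell module for PST input

# Fail fast on anything the module will not process, before signing in.
$pst = Get-Item -LiteralPath $EncryptedPst -ErrorAction Stop
if ($pst.Extension -ne '.pst') {
    throw "Expected a .pst file, got '$($pst.Name)'."
}
if ($pst.Length -gt $maxPstBytes) {
    throw ("PST is {0:N1} GB; the module supports PSTs up to 5 GB. " +
           "Narrow the eDiscovery scope or split the export first.") -f ($pst.Length / 1GB)
}

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
Import-Module AzureInformationProtection -ErrorAction Stop

# Non-interactive sign-in as the super user service principal.
# Placeholder values: replace with your own app registration and tenant.
Set-RMSServerAuthentication -Key $env:AIP_APP_KEY `
    -AppPrincipalId '<app-principal-id>' `
    -BcsTenantId    '<tenant-id>'

# Write to a separate folder so the original export is left untouched;
# the log lists every item processed and is the record to review afterwards.
Unprotect-RMSFile -File $pst.FullName -OutputFolder $OutputFolder -LogFile $LogFile

$decrypted = Get-ChildItem -LiteralPath $OutputFolder -Filter '*.pst'
if (-not $decrypted) {
    throw "No decrypted PST was produced; review $LogFile."
}
"Decrypted $($decrypted.Name) ($([math]::Round($decrypted.Length / 1MB, 1)) MB); log: $LogFile"
```

The resulting PST in the output folder is the one to import back into the discovery tool in step 5; keep the log alongside it as evidence of what was decrypted.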


Third-Party Integration

If the options above aren't ideal for your organization, the best path forward is to ask your eDiscovery vendor or partner to integrate the Microsoft Information Protection (MIP) SDK into their application or service. The MIP SDK lets them decrypt messages and documents as they are found and include the result in their index and discovery output. This does require that the organization has an account in your tenant with sufficient privileges, most likely super user.


Conclusion

Trimming down the set of data that must be decrypted by first- or third-party tools before performing decryption reduces the time and complexity of delivering eDiscovery results to interested parties. The steps outlined above are the common approaches we see customers taking today.


Additional Information

Visit Office 365 meets evolving eDiscovery challenges in a cloud-first world to read more on how Microsoft legal handles eDiscovery.

THR1040 - Intelligent tenant search capability in Microsoft 365: Reduce time, risk and costs for legal eDiscovery and beyond

BRK3224 - Microsoft 365 Search Solutions: Legal eDiscovery and beyond

Leave a comment with any thoughts or feedback! We'd love to get more information to learn about how your organization is tackling this issue today.


-Tom Moser, Sr. Program Manager, Azure Information Protection

Updated May 11, 2021
Version 8.0
  • Laura Curran

    Following up on David Broussard's question: are we able to discover documents that are AIP encrypted within OneDrive or SharePoint using the eDiscovery search? Specifically, when using keyword searches for the contents of the document? Additionally, we also have the same questions as Mike Oliveira.

    Thanks!

  • My experience with this is a bit different. Yes, eDiscovery can find, decrypt, and export RMS encrypted files...but only if you found them via a metadata search. If the document is encrypted and you look for content or keywords that are only in the document it doesn't appear to find that document.


    Example: I created a document with a single word in it "whataboutism" and called it document.docx. Waited for a crawl and then found it and was able to eDiscover it as well. Then I encrypted it via AIP and waited for a crawl. I could not find the document in search or eDiscovery.  I could find it if I searched for the document name, but not by the word in the document. 

  • Hi David Broussard


    In your test, are you using SharePoint or OneDrive? I suppose that this is a point of clarification I should make. I was referring specifically to email discovery, which, in my testing, does discover protected attachments. 

  • Yes, this was a document stored in OneDrive. I haven't specifically tested SharePoint but I suspect it would work the same way. 

  • Mike Oliveira

    Thank you for the article; it helped us, in our implementation, understand that this content was discoverable and retrievable. Do you know if there are any plans to allow general searching within the content of a SharePoint Online/OneDrive for Business document if you are a permitted member to view? We have tested general searching of the encrypted content and it does not find it within SharePoint's search engine for permitted members. In addition, are there any plans to allow it to display in the Online versions of Office (Word, Excel, etc...) since the user is authenticated into those programs?

  • Curious if you or anyone on this thread can answer this: In Azure Information Protection, if you use labels with protection (encryption) you can only search for filenames and metadata in SP. I am wondering what is the specific metadata in SP that we can search on?

    Laura Curran, in the tests that I ran you can find an AIP encrypted document if you know the file name or another metadata field. As an example, I encrypted a document that contained a specific word and could not find it anywhere (Search, Delve, eDiscovery). However, if I searched for the filename I was able to find it and export it, which removed the encryption.

  • mishakoga

    Hello @TomMoser, great content, I have a specific question: https://stackoverflow.com/questions/55732310/azure-information-protection-how-to-decrypt-emls-coming-from-ews-api

    For visibility I am pasting content here as well:


    Given:

    --We use EWS API to download email messages from Office 365 (Exchange Online)

    --When emails are encrypted using AIP, body comes in encrypted

    --Admin user is super-user - this user's creds are used to make requests against EWS


    Ask:

    --In order to decrypt, it seems that we need to use https://docs.microsoft.com/en-us/information-protection/develop/concept-handler-protection-cpp. Is this the correct API to use?

    --If so, the above API is in C++. Is there anything available in C#?

    --Simple samples of how to decrypt a message would be appreciated.

    --Final question, is there a way to avoid decryption altogether by setting some higher-level permission on the user that we use for EWS?