Microsoft Purview in the Real World (August 11, 2023) - Encrypted Emails and Purview eDiscovery
Published Aug 11 2023 03:53 PM 2,941 Views
Microsoft

James_Havens_1-1691794039632.png

 

 

 

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

 

Target Audience

Microsoft customers who want to better understand Microsoft Purview.

 

 

Document Scope

The purpose of this document (and series) is to provide insights into various user cases, announcements, customer driven questions, etc.  It is not meant as the final answer to all Purview related questions.

 

 

Topics for this blog entry

Here are the topics covered in this issue of the blog:

  • Topic – Purview related eDiscovery and Office Message Encrypted (OME) emails
  • Use Case #1 – legal or HR review of Office Message Encrypted (OME) emails within Purview eDiscovery
  • Use Case #2 – legal or HR review of OME emails that have been exported from Purview to a PST and/or Exchange Mailbox and then opened within an Outlook thick client.

 

Out-of-Scope

This blog series and entry is only meant to provide information, but for your specific use cases or needs, it is recommended that you contact your Microsoft Account Team to find other possible solutions to your needs.

 

Not done – OME and eDiscovery

 

 

1 – Roles Based Access Control (RBAC) for Purview

 

If you want to leverage Purview RBAC roles to access and view emails/files, you will need to open the Purview eDiscovery console.  The Purview RBAC roles are not “usable” within Outlook thick or thin clients.

Here is a link to the RBAC information and a screenshot related specifical the Review role within that RBAC:

Assign eDiscovery permissions in the Microsoft Purview compliance portal | Microsoft Learn

 

 

James_Havens_0-1691794131776.png

 

2 - Accessing emails that have been encrypted via OME inside of Purview eDiscovery

 

  • Let us first understand how Purview deals with encrypting/decrypting data, as it relates to eDiscovery.  The following chart from Microsoft documentation should provide more light on what is decrypted in the Standard and Premium versions of Purview.

 

Decryption in Microsoft Purview eDiscovery tools | Microsoft Learn

 

James_Havens_1-1691794176828.png

 

  • The following is the link and screenshot to the Microsoft documentation that tells you what Purview eDiscovery tasks can be run on encrypted data.

 

Decryption in Microsoft Purview eDiscovery tools | Microsoft Learn

 

James_Havens_2-1691794191848.png

 

 

  • In conclusion, if you have the proper version of Purview eDiscovery (ie. Premium) and the proper RBAC role, you can view emails that have been encrypted using OME.

 

3 - Accessing emails that have been encrypted via OME and then exported to a PST and/or Exchange mailbox

 

 

Before we start this section, please note that review of eDiscovery related data from within Outlook is not a Microsoft best practice.  We recommend you perform your reviews from within Purview eDiscovery or another eDiscovery solution designed for legal and HR investigations.

 

With that being stated, let us look at what options are available if you do decided to try and review encrypted (OME) that has been exported from Purview eDiscovery.

 

  • First, let us return to the supported decryption charted from above, we can see what versions of Purview support decryption of data when exporting to PST files.

 

Decryption in Microsoft Purview eDiscovery tools | Microsoft Learn

 

James_Havens_2-1691794272908.png

 

 

  • Next, let us again return to one of the charts above, notice that you can export encrypted data (to email/PST).  This applies to the export of encrypted data but DOES NOT decrypt data as part of its export process.

 

 

Decryption in Microsoft Purview eDiscovery tools | Microsoft Learn

 

James_Havens_1-1691794261702.png

 

 

  • So, this begs the following:
    • Question - if my data is exported and still encrypted with OME, how can I read OME emails from the exported PST file?

 

  • Answer - The official answer is you need additional rights tied back to RMS, in particular the RMS Decrypt role.  Please note the information in the following link and screenshot for specifics.

 

 

Decryption in Microsoft Purview eDiscovery tools | Microsoft Learn

 

 

James_Havens_0-1691794248122.png

 

 

From the link and screenshot above, there are 2 items listed:

  • You need to assign the RMS Decrypt role to your user performing the review.  This is separate from the Reviewer role specific to Purview eDiscovery.
  • It is recommended that you run the ScanPST.exe tool on the exported PST.  This tool does not decrypt data only verifies and fixes PST files that might have become corrupted.

 

Important Note

 

For a deeper understanding of what rights are needed and work flow you should follow (if you are pursuing this email review process) you should contact your Microsoft Account Manager or certified Microsoft Partner.

 

Appendix and Links

 

 

 

 

 

Co-Authors
Version history
Last update:
‎Aug 11 2023 03:53 PM
Updated by: