Encryption algorithm changes in Microsoft Purview Information Protection
Published Jun 14 2023 03:37 PM
Microsoft

Data encryption with the Azure Rights Management service is one of the most established data protection options available with Microsoft Purview Information Protection. Its foundation is a combination of cryptography and identity that enables us to move away from password-protected files to a more agile and modern access control model. This technology has been available in some form since Office 2010 as a broad-based technology used by millions of users, with a simple premise: a document protected by one user can be opened by another user who holds the correct access control list (ACL) permissions. Microsoft continues to invest in low-friction decryption experiences while maintaining compatibility, to the extent possible, across Office versions, file formats, identity stack updates, and more.

 

This blog post focuses on the evolution of the cryptographic methods that underpin Azure Rights Management. Over the years we have worked to continuously modernize the service and participating apps, but the big challenge to the end-to-end experience is backward compatibility. As a guiding principle, our modernization efforts should not break access to millions of documents and emails already encrypted. However, with the retirement of older software like Office 2010, we are poised to make a leap forward in the cryptographic defaults used to protect data and improve the security posture for our customers.

 

Starting in August 2023, AES256 in cipher block chaining mode (AES256-CBC) will be the default encryption mode across all applications using Microsoft Purview Information Protection, replacing the current default of AES128 in electronic codebook mode (AES128-ECB). Organizations with Azure Rights Management service plans will also receive a Message Center post with this announcement and instructions to help them prepare for this change.
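The practical difference between the old and new defaults is easy to see with a few lines of code. The following is an added example written for this article, not code from the original post or from the Azure RMS service: it encrypts a deliberately repetitive plaintext with AES128-ECB and AES256-CBC using .NET's System.Security.Cryptography.Aes and counts the distinct ciphertext blocks each mode produces. The keys and the plaintext are constructed sample data.

```powershell
# Added example (not from the original post): why AES-CBC is an improvement over AES-ECB.
# Uses only .NET's System.Security.Cryptography.Aes; keys and plaintext are constructed here.

function Invoke-AesEncrypt {
    param(
        [byte[]]$Key,
        [System.Security.Cryptography.CipherMode]$Mode,
        [byte[]]$Plaintext
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.KeySize = $Key.Length * 8
        $aes.Key     = $Key
        $aes.Mode    = $Mode
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        # ECB ignores the IV. In CBC a fresh random IV per message is what makes
        # identical plaintexts (and identical blocks within one message) encrypt differently.
        $aes.GenerateIV()
        $enc = $aes.CreateEncryptor()
        try { return ,$enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length) }
        finally { $enc.Dispose() }
    }
    finally { $aes.Dispose() }
}

function Get-DistinctBlockCount {
    # Counts how many different 16-byte AES blocks appear in a ciphertext.
    param([byte[]]$Ciphertext)
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    for ($i = 0; $i -lt $Ciphertext.Length; $i += 16) {
        $null = $seen.Add([System.BitConverter]::ToString($Ciphertext, $i, 16))
    }
    return $seen.Count
}

# Constructed plaintext: one 16-byte block repeated 8 times, standing in for repetitive
# document content (boilerplate, padding, repeated headers).
$block     = [System.Text.Encoding]::ASCII.GetBytes('CONFIDENTIAL....')   # exactly 16 bytes
$plaintext = [byte[]]($block * 8)

$rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$key128 = [byte[]]::new(16); $rng.GetBytes($key128)
$key256 = [byte[]]::new(32); $rng.GetBytes($key256)

$ecb = Invoke-AesEncrypt -Key $key128 -Mode ECB -Plaintext $plaintext
$cbc = Invoke-AesEncrypt -Key $key256 -Mode CBC -Plaintext $plaintext

'AES128-ECB: {0} distinct ciphertext blocks out of {1}' -f (Get-DistinctBlockCount $ecb), ($ecb.Length / 16)
'AES256-CBC: {0} distinct ciphertext blocks out of {1}' -f (Get-DistinctBlockCount $cbc), ($cbc.Length / 16)
```

With ECB, the eight identical plaintext blocks produce eight identical ciphertext blocks (only the PKCS7 padding block differs), so the structure of the document leaks through the encryption without the key ever being recovered. With CBC and a fresh IV, every ciphertext block is different. The key-length change from 128 to 256 bits is a separate, smaller part of the improvement; the mode change is what removes the pattern leakage.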

 

To confidently change the default encryption mode, we need broad support for decryption present in apps and customer environments. We have been building towards this moment so that:

 

  • Supported Office versions can decrypt AES256-CBC Office files and emails.
  • Supported non-Office applications can decrypt AES256-CBC Office files and emails.

This broad-based application support for decrypting AES256-CBC is important for switching defaults.

 

Let’s understand the mechanics of the change itself, and how it will affect your organization.

 

Mechanics of the change

Starting in late August 2023, we will begin to roll out changes to the default encryption algorithm, moving to AES256-CBC encryption for files and emails. Files with protection added or updated after this change will use AES256-CBC. These files can be decrypted by Office 2013 and later. This change to the default encryption algorithm will roll out to:

  • Microsoft 365 Apps on Current Channel and Monthly Enterprise Channel
  • SharePoint Online
  • Exchange Online and Office 365 Message Encryption
  • Azure Information Protection unified labeling client version 2.17, including the Scanner, PowerShell module, and Classify and Protect. AIP 2.16 can already consume AES256-CBC content; publishing with AES256-CBC arrives in 2.17.

When the change is complete, each of these applications or services will start generating encrypted files and emails using AES256-CBC.  

 

How this will affect your organization

There are four groups affected by this change:

  • Organizations that use Microsoft 365 Apps with Exchange Server (standalone or in hybrid mode) where the Azure Rights Management connector or Active Directory Rights Management Services (AD RMS) is connected to Exchange Server.
  • Organizations with custom line-of-business (LOB) or third-party applications that decrypt protected Office files.
  • Organizations with Office Perpetual versions like Office 2013, Office 2016, Office 2019, and Office 2021/LTSC.
  • Organizations deploying the Azure Information Protection unified labeling client.

 

Outside of these groups, organizations do not need to take explicit action. Organizations using Microsoft 365 Apps with Microsoft 365 Services will transition over to encryption and decryption of Office documents in AES256-CBC mode with no admin intervention to implement this update.

 

How to prepare for this change

 

Group One: Organizations that use Microsoft 365 Apps with Exchange Server, or Exchange Server in Hybrid mode

 

Organizations using Microsoft 365 Apps with Exchange Server must take action so that Exchange Server can continue to decrypt content protected by Purview sensitivity labels or Active Directory Rights Management Service.

 

Today, Exchange Server doesn’t support AES256-CBC. The Exchange Server team will release a security update on August 8th, 2023. This update will enable support for decrypting AES256-CBC protected mail and documents in Exchange Server. Organizations using Microsoft 365 Apps with Exchange Server, either standalone or in a hybrid configuration, will be required to install this update.

 

In addition to the software update, the Azure RMS Connector Service configuration must be updated on the Exchange Servers. The GenConnectorConfig.ps1 script has been updated to generate registry keys introduced for the Exchange Server update. Review Configure servers for the Rights Management connector for details on the configuration script, including how to run it and how to deploy the settings.

Organizations using Exchange Server with the Azure Rights Management Service Connector will be automatically opted out of the AES256-CBC mode update in Exchange Online and SharePoint Online until at least January 2024. Once you’ve completed the required updates for Exchange Server and the Connector, open a support case and request the setting to be updated to AES256-CBC.

 

Some organizations have longer lead times for patching. If your organization can’t apply the update or connector configuration changes across Exchange Server infrastructure by the end of August 2023, you must opt out of the AES256-CBC change on Microsoft 365 Applications. Failing to opt out of the AES256-CBC change or to install the Exchange Server patch will result in Exchange Server failing to decrypt protected emails for delivery to mobile devices, Outlook for Mac, and both Exchange Server eDiscovery and journaling. This article describes how to force AES128-ECB for these clients using registry settings and group policy: https://aka.ms/Purview/CBCDetails.

 

After your Exchange Server infrastructure is updated, you can remove or modify the setting to switch to AES256-CBC.

 

If your organization is not using the Azure Rights Management Service Connector or Active Directory Rights Management Server you do not need to opt out or open a support case to ask to opt out.


To validate, run Get-IrmConfiguration | Format-List InternalLicensingEnabled in the Exchange Management Shell. If this value is False you do not need to opt out as part of this group: your Exchange Server isn't configured to use Azure RMS or AD RMS.
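The single-property check above answers the Group One question; the rest of the IRM configuration tells you which server-side decryption features would actually break if AES256-CBC content arrived before the August 2023 update is installed. The following is an added example for this article, not a script from the original post or from Microsoft: it runs in the Exchange Management Shell on an on-premises server and reports Group One membership, the licensing location (the RMS connector or AD RMS cluster), the installed Exchange versions to compare against the August 2023 security update, and the IRM features that depend on Exchange decrypting content. The mapping of IRM settings to the features named in this post (mobile delivery, eDiscovery, journaling) is the editor's reading of Get-IrmConfiguration, not something the post states.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell on-premises.
# The mapping of IRM settings to server-side decryption features is the editor's, not the post's.

function Test-ExchangeRmsDependency {
    $irm = Get-IrmConfiguration

    if (-not $irm.InternalLicensingEnabled) {
        return [pscustomobject]@{
            InGroupOne       = $false
            Reason           = 'InternalLicensingEnabled is False: Exchange Server is not configured for Azure RMS or AD RMS.'
            LicensingLocation = $null
            AffectedFeatures = @()
        }
    }

    # Each of these makes Exchange itself decrypt protected content, so each needs the
    # August 2023 Exchange Server update plus the refreshed RMS connector settings.
    $affected = @()
    if ($irm.TransportDecryptionSetting -ne 'Disabled') { $affected += "Transport decryption ($($irm.TransportDecryptionSetting))" }
    if ($irm.JournalReportDecryptionEnabled)             { $affected += 'Journal report decryption' }
    if ($irm.EDiscoverySuperUserEnabled)                 { $affected += 'eDiscovery super user decryption' }
    if ($irm.ClientAccessServerEnabled)                  { $affected += 'IRM in Outlook on the web and Exchange ActiveSync' }
    if ($irm.SearchEnabled)                              { $affected += 'Search of protected messages' }

    [pscustomobject]@{
        InGroupOne        = $true
        Reason            = 'InternalLicensingEnabled is True: Exchange Server decrypts content through the RMS connector or AD RMS.'
        LicensingLocation = $irm.LicensingLocation   # connector URL (https://<connector>/_wmcs/licensing) or AD RMS cluster
        AffectedFeatures  = $affected
    }
}

function Get-ExchangeServerBuilds {
    # Compare AdminDisplayVersion against the August 2023 security update build for your
    # Exchange version before deploying AES256-CBC publishing anywhere.
    Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion
}

Test-ExchangeRmsDependency | Format-List
Get-ExchangeServerBuilds | Format-Table -AutoSize
```

If InGroupOne is True and AffectedFeatures is non-empty, the opt-out or the Exchange update (plus the updated connector configuration from GenConnectorConfig.ps1) has to be in place before any client in the organization starts publishing AES256-CBC content; every feature listed would otherwise receive content the server cannot decrypt.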

 

Action Summary:

  • If unable to update immediately, disable AES256-CBC mode in Microsoft 365 Apps.
  • Install Exchange Server update and deploy the latest Azure RMS Connector configuration settings.
  • Once Exchange Server is patched and RMS Connector configuration settings updated, enable AES256-CBC in Microsoft 365 Apps (if disabled).
  • Notify Microsoft via support case that Exchange Online and SharePoint Online can be moved to AES256-CBC publishing.

 

Group Two: Organizations with custom line-of-business or third-party applications

 

Any custom line-of-business (LOB) application or third-party application capable of reading labels from a protected Office file or decrypting a protected Office file must update to Microsoft Information Protection SDK 1.13. Microsoft has notified major third-party application vendors of this required update. Please work with your application vendors to ensure that they’ve updated to MIP SDK 1.13.

 

For details on the update, see the release notes for MIP SDK 1.13.

 

Group Three: Organizations with Office Perpetual versions like Office 2013, Office 2016, Office 2019, and Office 2021/LTSC

 

Office 2013, 2016, 2019, and 2021 (Office Perpetual clients) do not create AES256-CBC encrypted documents or emails by default. This needs to be turned on explicitly by the customer using Group Policy settings. For additional details, review https://aka.ms/Purview/CBCDetails.

 

Organizations using Exchange Server must update Exchange Server and the RMS Connector Service configuration before deploying this Group Policy setting. 

 

Office Perpetual clients require no update to consume AES256-CBC protected documents or emails.

 

If your organization is not using the Azure Rights Management Service Connector or Active Directory Rights Management Server with Exchange Server, there is no Exchange Server prerequisite for deploying this Group Policy setting.

To validate, run Get-IrmConfiguration | Format-List InternalLicensingEnabled in the Exchange Management Shell. If this value is False, your Exchange Server isn't configured to use Azure RMS or AD RMS.

Group Four: Organizations deploying the Azure Information Protection Viewer, PowerShell, or Scanner

 

The Azure Information Protection (AIP) unified labeling client has been updated to support consumption of AES256-CBC protected Office documents. The updated package will need to be rolled out to your organization to enable decryption, scanning, and re-labeling of AES256-CBC protected Office content in the following apps:

 

  • AIP right-click Classify and Protect
  • AIP PowerShell Module
  • Microsoft Purview Information Protection Scanner

This change does not affect the AIP add-in.
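Before the Scanner or a re-labeling job touches AES256-CBC content, it helps to confirm the client version and to know how much protected content is in scope. The following is an added example for this article, not a script from the original post or from the AIP client: it checks the installed AzureInformationProtection PowerShell module against the versions this post names (2.16 consumes AES256-CBC, 2.17 also publishes it) and inventories RMS-protected Office files under a share with Get-AIPFileStatus. It assumes the module version tracks the client version, and the share path is a placeholder.

```powershell
# Added example (not from the original post). Requires the AIP unified labeling client, whose
# AzureInformationProtection module provides Get-AIPFileStatus. Assumes the module version
# tracks the client version (2.16 consumes AES256-CBC, 2.17 publishes it, per the post).

$MinConsumeVersion = [version]'2.16'
$MinPublishVersion = [version]'2.17'

function Get-AipClientCapability {
    $mod = Get-Module -ListAvailable -Name AzureInformationProtection |
           Sort-Object Version -Descending | Select-Object -First 1
    if (-not $mod) { throw 'AzureInformationProtection module not found; install the AIP unified labeling client.' }
    [pscustomobject]@{
        Version       = $mod.Version
        CanConsumeCbc = $mod.Version -ge $MinConsumeVersion
        CanPublishCbc = $mod.Version -ge $MinPublishVersion
    }
}

function Get-ProtectedOfficeFiles {
    # Inventories RMS-protected Office files so you know what scanning and re-labeling must handle.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.docx, *.xlsx, *.pptx |
        Get-AIPFileStatus |
        Where-Object { $_.IsRMSProtected } |
        Select-Object FileName, IsLabeled, MainLabelName, RMSTemplateId, RMSOwner
}

$cap = Get-AipClientCapability
$cap | Format-List
if (-not $cap.CanConsumeCbc) {
    Write-Warning "AIP client $($cap.Version) cannot read AES256-CBC content; update to $MinConsumeVersion or later before scanning."
}

# Placeholder path: replace with the share the Scanner or re-labeling job will process.
Get-ProtectedOfficeFiles -Path '\\fileserver\share' | Format-Table -AutoSize
```

Run the inventory from a machine that already has the updated client; an older client will still list protection status for AES128-ECB files, but any file re-protected with AES256-CBC after the change will only be readable once the 2.16 or later client is deployed.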

 

Conclusion

Reviewing the actions discussed in this article will help transition your organization to AES256-CBC, offering better protection for documents and emails in your organization. We’ve worked to make that transition seamless for cloud-native organizations. For organizations with on-premises services, we’ve worked to make the update as seamless as possible, but action is required to prevent issues with the update, and to ensure compatibility with on-premises workloads.

 

Timelines for this update may shift based on discovered issues or other delays. For the latest information on timelines, review the Microsoft 365 roadmap.

 

Last update: Sep 01 2023 04:01 PM