Data encryption with the Azure Rights Management service is one of the most established data protection options available with Microsoft Purview Information Protection. Its foundation is a combination of cryptography and identity that enables us to move away from password-protected files to a more agile and modern access control model. This technology has been available in some form since Office 2010, as a broad-based technology used by millions of users and built on a simple premise: a document protected by one user can be opened by another user who has the correct access control list (ACL) permissions. Microsoft continues to invest in low-friction decryption experiences while maintaining compatibility, to the extent possible, across Office versions, file formats, identity stack updates, and more.
This blog post focuses on the evolution of the cryptographic methods that underpin Azure Rights Management. Over the years we have worked to continuously modernize the service and participating apps, but the big challenge to the end-to-end experience is backward compatibility. As a guiding principle, our modernization efforts should not break access to millions of documents and emails already encrypted. However, with the retirement of older software like Office 2010, we are poised to make a leap forward in the cryptographic defaults used to protect data and improve the security posture for our customers.
Starting in August 2023, AES256 in cipher block chaining mode (AES256-CBC) will be the default encryption mode across all applications using Microsoft Purview Information Protection. Organizations with Azure Rights Management service plans will also receive a Message Center post with this announcement and instructions to help them prepare for this change.
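The security difference between the outgoing AES128-ECB mode (which this article later describes as the fallback that can be forced for Exchange Server compatibility) and the new AES256-CBC default is easy to see in code. The following Go program is an added illustration, not Microsoft code and not the Purview implementation; the key bytes, the sample plaintext and the PKCS#7 padding convention are constructed for the demo. It encrypts a document with a repeated 16-byte field under both modes and counts repeated ciphertext blocks: ECB reproduces the plaintext's structure, CBC with a random IV does not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// pkcs7Pad pads msg to a multiple of blockSize (constructed convention for the demo).
func pkcs7Pad(msg []byte, blockSize int) []byte {
	n := blockSize - len(msg)%blockSize
	return append(msg, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding.
func pkcs7Unpad(msg []byte, blockSize int) ([]byte, error) {
	if len(msg) == 0 || len(msg)%blockSize != 0 {
		return nil, fmt.Errorf("invalid padded length %d", len(msg))
	}
	n := int(msg[len(msg)-1])
	if n == 0 || n > blockSize {
		return nil, fmt.Errorf("invalid padding byte %d", n)
	}
	for _, b := range msg[len(msg)-n:] {
		if int(b) != n {
			return nil, fmt.Errorf("inconsistent padding")
		}
	}
	return msg[:len(msg)-n], nil
}

// encryptECB encrypts block by block with no chaining (the legacy AES128-ECB shape).
// Go's standard library deliberately offers no ECB mode; it is written out here
// only to demonstrate the weakness.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// encryptCBC encrypts under CBC with a fresh random IV prepended to the ciphertext.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize())
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(iv)+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[len(iv):], padded)
	return out, nil
}

// decryptCBC reverses encryptCBC, validating length and padding.
func decryptCBC(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ciphertext) < 2*bs || len(ciphertext)%bs != 0 {
		return nil, fmt.Errorf("ciphertext length %d is invalid", len(ciphertext))
	}
	iv, body := ciphertext[:bs], ciphertext[bs:]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	return pkcs7Unpad(plain, bs)
}

// duplicateBlocks counts ciphertext blocks identical to an earlier block.
// Under ECB, equal plaintext blocks always yield equal ciphertext blocks, so the
// document's structure leaks; under CBC with a random IV they should not repeat.
func duplicateBlocks(ciphertext []byte, blockSize int) int {
	seen := map[string]int{}
	dups := 0
	for i := 0; i+blockSize <= len(ciphertext); i += blockSize {
		k := string(ciphertext[i : i+blockSize])
		seen[k]++
		if seen[k] >= 2 {
			dups++
		}
	}
	return dups
}

func main() {
	// Constructed sample: a document with a heavily repeated 16-byte field.
	plaintext := bytes.Repeat([]byte("CONFIDENTIAL-ROW"), 8)
	key128 := []byte("0123456789abcdef")                 // constructed 16-byte demo key
	key256 := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key

	ecb, _ := encryptECB(key128, plaintext)
	cbc, _ := encryptCBC(key256, plaintext)
	fmt.Println("repeated blocks, AES128-ECB:", duplicateBlocks(ecb, aes.BlockSize))
	fmt.Println("repeated blocks, AES256-CBC:", duplicateBlocks(cbc, aes.BlockSize))
	back, _ := decryptCBC(key256, cbc)
	fmt.Println("CBC round-trip ok:", bytes.Equal(back, plaintext))
}
```

With the constructed input, the ECB ciphertext contains seven blocks that duplicate an earlier one (eight identical field blocks plus a padding block), while the CBC ciphertext contains none. The length and padding checks in decryptCBC are there because a decryptor that accepts malformed input is the usual way CBC deployments go wrong in practice; a production design would additionally authenticate the ciphertext.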
To confidently change the default encryption mode, we need broad support for decryption to be present in apps and customer environments. We have been building towards this moment by ensuring that:
This broad-based application support for decrypting AES256-CBC is important for switching defaults.
Let’s understand the mechanics of the change itself, and how it will affect your organization.
Starting in late August 2023, we will begin to roll out changes to the default encryption algorithm, moving to AES256-CBC encryption for files and emails. Files with protection added or updated after this change will use AES256-CBC. These files can be decrypted by Office 2013 and later. This change to the default encryption algorithm will roll out to:
When the change is complete, each of these applications or services will start generating encrypted files and emails using AES256-CBC.
There are four groups affected by this change:
Outside of these groups, organizations do not need to take explicit action. Organizations using Microsoft 365 Apps with Microsoft 365 Services will transition over to encryption and decryption of Office documents in AES256-CBC mode with no admin intervention to implement this update.
Organizations using Microsoft 365 Apps with Exchange Server must take action so that Exchange Server can continue to decrypt content protected by Purview sensitivity labels or Active Directory Rights Management Service.
Today, Exchange Server doesn’t support AES256-CBC. The Exchange Server team will release a security update on August 8th, 2023. This update will enable support for decrypting AES256-CBC protected mail and documents in Exchange Server. Organizations using Microsoft 365 Apps with Exchange Server, either standalone or in a hybrid configuration, will be required to install this update.
In addition to the software update, the Azure RMS Connector Service configuration must be updated on the Exchange Servers. The GenConnectorConfig.ps1 script has been updated to generate registry keys introduced for the Exchange Server update. Review Configure servers for the Rights Management connector for details on the configuration script, including how to run it and how to deploy the settings.
Organizations using Exchange Server with the Azure Rights Management Service Connector will be automatically opted out of the AES256-CBC mode update in Exchange Online and SharePoint Online until at least January 2024. Once you’ve completed the required updates for Exchange Server and the Connector, open a support case and request the setting to be updated to AES256-CBC.
Some organizations have longer lead times for patching. If your organization can’t apply the update or connector configuration changes across your Exchange Server infrastructure by the end of August 2023, you must opt out of the AES256-CBC change on Microsoft 365 Applications. If you neither opt out of the AES256-CBC change nor install the Exchange Server patch, Exchange Server will fail to decrypt protected emails for delivery to mobile devices and Outlook for Mac, and both Exchange Server eDiscovery and journaling will fail as well. This article describes how to force AES128-ECB for these clients using registry settings and group policy: https://aka.ms/Purview/CBCDetails.
After your Exchange Server infrastructure is updated, you can remove or modify the setting to switch to AES256-CBC.
If your organization is not using the Azure Rights Management Service Connector or Active Directory Rights Management Server you do not need to opt out or open a support case to ask to opt out.
To validate, run Get-IrmConfiguration | Format-List InternalLicensingEnabled. If this value is false, you do not need to opt out as part of this group: your Exchange Server isn't configured to use Azure RMS or AD RMS.
Action Summary:
Any custom line-of-business (LOB) application or third-party application capable of reading labels from a protected Office file or decrypting a protected Office file must update to Microsoft Information Protection SDK 1.13. Microsoft has notified major third-party application vendors of this required update. Please work with your application vendors to ensure that they’ve updated to MIP SDK 1.13.
Details on the update for MIP SDK 1.13
Office 2013, 2016, 2019, and 2021 (Office Perpetual clients) do not create AES256-CBC encrypted documents or emails by default. This needs to be turned on explicitly by the customer using Group Policy settings. For additional details, review https://aka.ms/Purview/CBCDetails.
Organizations using Exchange Server must update Exchange Server and the RMS Connector Service configuration before deploying this Group Policy setting.
Office Perpetual clients require no update to consume AES256-CBC protected documents or emails.
If your organization is not using the Azure Rights Management Service Connector or Active Directory Rights Management Server you do not need to opt out or open a support case to ask to opt out.
To validate, run Get-IrmConfiguration | Format-List InternalLicensingEnabled. If this value is false, you do not need to opt out as part of this group: your Exchange Server isn't configured to use Azure RMS or AD RMS.
The Azure Information Protection (AIP) unified labeling client has been updated to support consumption of AES256-CBC protected Office documents. The updated package will need to be rolled out to your organization to enable decryption, scanning, and re-labeling of AES256-CBC protected Office content in the following apps:
This change does not affect the AIP add-in.
Reviewing the actions discussed in this article will help transition your organization to AES256-CBC, offering better protection for documents and emails in your organization. We’ve worked to make that transition seamless for cloud-native organizations. For organizations with on-premises services, we’ve worked to make the update as seamless as possible, but action is required to prevent issues with the update, and to ensure compatibility with on-premises workloads.
Timelines for this update may shift based on discovered issues or other delays. For the latest information on timelines, review the Microsoft 365 roadmap.