Tip
eDiscovery (preview) is now available in the new Microsoft Purview portal. To learn more about using the new eDiscovery experience, see Learn about eDiscovery (preview).
Encryption is an important part of your file protection and information protection strategy. Organizations of all types use encryption technology to protect sensitive content within their organization and ensure that only the right people have access to that content.
To run common eDiscovery tasks on encrypted content, eDiscovery managers are required to decrypt email message content when exported from content searches, Microsoft Purview eDiscovery (Standard) cases, and Microsoft Purview eDiscovery (Premium) cases. Content encrypted with Microsoft encryption technologies wasn't available for review until after export.
To make it easier to manage encrypted content in the eDiscovery workflow, Microsoft Purview eDiscovery tools now incorporate the decryption of encrypted files attached to email messages and sent in Exchange Online.¹ Additionally, encrypted documents stored in SharePoint Online and OneDrive for Business are decrypted in eDiscovery (Premium).²
Prior to this new capability, only the content of an email message protected by rights management (and not attached files) was decrypted. Encrypted documents in SharePoint and OneDrive couldn't be decrypted during the eDiscovery workflow. Now, files that are encrypted with a Microsoft encryption technology and located on a SharePoint or OneDrive account are searchable and decrypted when the search results are prepared for preview, added to a review set in eDiscovery (Premium), and exported. Additionally, encrypted documents in SharePoint and OneDrive that are attached to an email message (as a copy) are searchable. This decryption capability allows eDiscovery managers to view the content of encrypted email attachments and site documents when previewing search results, and review them after they've been added to a review set in eDiscovery (Premium).
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
For Exchange, Microsoft Purview eDiscovery tools support items encrypted with Microsoft encryption technologies. These technologies are Azure Rights Management (Azure RMS)³ and Microsoft Purview Information Protection (specifically sensitivity labels). For more information about Microsoft encryption technologies, see Encryption and the various email encryption options available. Content encrypted by S/MIME or third-party encryption technologies isn't supported. For example, previewing or exporting content encrypted with non-Microsoft technologies isn't supported.
Note
The decryption of email messages sent with a Microsoft Purview Message Encryption custom branding template is not supported by Microsoft eDiscovery tools. When using an OME custom branding template, email messages are delivered to the OME portal instead of the recipient's mailbox. Therefore, you won't be able to use eDiscovery tools to search for encrypted messages because those messages are never received by the recipient's mailbox.
For SharePoint, content labeled with the SharePoint Online service is decrypted. Items labeled or encrypted in the client before uploading to SharePoint, legacy document library RMS templates or settings, and S/MIME or other standards aren't supported.²
The following table identifies the supported tasks that can be performed in Microsoft Purview eDiscovery tools on encrypted files attached to email messages and encrypted documents in SharePoint and OneDrive. These supported tasks can be performed on encrypted files that match the criteria of a search. A value of N/A indicates the functionality isn't available in the corresponding eDiscovery tool.
eDiscovery task | Content search | eDiscovery (Standard) | eDiscovery (Premium) |
---|---|---|---|
Search for content in encrypted files in sites and email attachments¹ | No | No | Yes |
Preview encrypted files attached to email | No | No | Yes |
Preview encrypted documents in SharePoint and OneDrive | No | No | Yes |
Review encrypted files in a review set | N/A | N/A | Yes |
Export encrypted files attached to email | Yes | Yes | Yes |
Export encrypted documents in SharePoint and OneDrive | No | No | Yes |
The following table describes the decryption supported by eDiscovery (Standard) and eDiscovery (Premium) for email, email with attachments, and files hosted by SharePoint.
Item type | Task | eDiscovery (Standard) | eDiscovery (Premium) |
---|---|---|---|
Encrypted email | Search | Yes | Yes |
Encrypted email | Decryption to .pst | No | Yes |
Encrypted email | Decryption to file | Yes | Yes |
Encrypted mail and attachment | Search | No | Yes (with Advanced indexing)¹ |
Encrypted mail and attachment | Decryption to .pst | No | Yes |
Encrypted mail and attachment | Decryption to file | No | Yes |
File in SharePoint with MIP label | Search | No | Yes |
File in SharePoint with MIP label | Decryption | No | Yes |
File in SharePoint with other encryption² | Search, Decryption | No | No |
Important
eDiscovery (Standard) doesn't support legacy encryption protocols.
eDiscovery support for decryption of email messages and attachments is subject to the following limitations:
eDiscovery doesn't support encrypted files in SharePoint and OneDrive when a sensitivity label that applied the encryption is configured with either of the following settings:
For more information about these settings, see the "Configure encryption settings" section in Restrict access to content by using sensitivity labels to apply encryption.
Documents encrypted with the previous settings can still be returned by an eDiscovery search. This result may happen when a document property (such as the title, author, or modified date) matches the search criteria. Although these documents might be included in search results, they can't be previewed or reviewed. These documents will also remain encrypted when they're exported in eDiscovery (Premium).
Important
Decryption isn't supported for files that are locally encrypted and then uploaded to SharePoint or OneDrive. For example, local files that are encrypted by the Microsoft Purview Information Protection client and then uploaded to Microsoft 365 aren't supported. Only files that are encrypted in the SharePoint or OneDrive service are supported for decryption.
¹ Encrypted files located on a local computer and copied to an email message aren't decrypted and indexed for eDiscovery. For eDiscovery (Premium), encrypted email and attachments in the recipient mailbox need to be advanced indexed to be decrypted. For more information about Advanced indexing, see Advanced indexing of custodian data.
² Only items labeled in SharePoint (or uploaded to SharePoint after integration with sensitivity labels is enabled) and that have labels with admin-defined permissions and no expiration are decrypted. All other encrypted files in SharePoint aren't decrypted. For more information, see Enable sensitivity labels for files in SharePoint and OneDrive.
Other documents aren't decrypted, including:
³ Only content encrypted with RMS keys hosted in Microsoft 365 is transparently decrypted by eDiscovery (Premium). Double Key Encryption (DKE), Hold Your Own Key (HYOK), on-premises RMS, etc. aren't supported. For more information, see Planning and implementing your Azure Information Protection tenant key.