Decryption in eDiscovery (preview)

Encryption is an important part of your file protection and information protection strategy. Organizations of all types use encryption technology to protect sensitive content within their organization and ensure that only the right people have access to that content.

To run common eDiscovery (preview) tasks on encrypted content, eDiscovery managers are required to decrypt email message content when exported from eDiscovery cases. Content encrypted with Microsoft encryption technologies wasn't available for review until after export.

To make it easier to manage encrypted content in the eDiscovery workflow, eDiscovery tools now incorporate the decryption of encrypted files attached to email messages and sent in Exchange Online.1 Additionally, encrypted documents stored in SharePoint and OneDrive are decrypted when premium eDiscovery features are enabled2.

Before this capability, only the content of an email message protected by rights management (and not attached files) were decrypted. Encrypted documents in SharePoint and OneDrive couldn't be decrypted during the eDiscovery workflow. Now, files that are encrypted with a Microsoft encryption technology is located on a SharePoint or OneDrive account are searchable and decrypted when the search results are prepared for preview, added to a review set, and exported. Additionally, encrypted documents in SharePoint and OneDrive that are attached to an email message (as a copy) are searchable. This decryption capability allows eDiscovery managers to view the content of encrypted email attachments and site documents when previewing search results, and review them after they've been added to a review set when premium eDiscovery features are enabled.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Requirements for decryption in eDiscovery (preview)

  • Permissions: You have to be assigned the RMS Decrypt role to preview, review, and export files encrypted with Microsoft encryption technologies. You also have to be assigned this role to review and query encrypted files that are added to a review set in eDiscovery. This role is assigned by default to the eDiscovery Manager role group in the Microsoft Purview portal. For more information about the RMS Decrypt role, see Assign eDiscovery permissions.
  • Run the Inbox Repair tool on exported PST files: After you've exported PST files, we recommend that you run the Inbox Repair tool (ScanPST.exe) to diagnose and repair any errors in the PST files.

Supported encryption technologies

For Exchange, eDiscovery tools support items encrypted with Microsoft encryption technologies. These technologies are Azure Rights Management (Azure RMS)3 and Microsoft Purview Information Protection (specifically sensitivity labels). For more information about Microsoft encryption technologies, see Encryption and the various email encryption options available. Content encrypted by S/MIME or third-party encryption technologies isn't supported. For example, previewing or exporting content encrypted with non-Microsoft technologies isn't supported.

Note

The decryption of email messages sent with an Microsoft Purview Message Encryption custom branding template is not supported by Microsoft eDiscovery tools. When using an OME custom branding template, email messages are delivered to the OME portal instead of the recipient's mailbox. Therefore, you won't be able to use eDiscovery tools to search for encrypted messages because those messages are never received by the recipient's mailbox.

For SharePoint, content labeled with SharePoint online service are decrypted. Items labeled or encrypted in the client before uploading to SharePoint, legacy document library RMS templates or settings and S/MIME or other standards aren't supported2.

eDiscovery activities that support encrypted items

The following table identifies the supported tasks that can be performed in eDiscovery tools on encrypted files attached to email messages and encrypted documents in SharePoint and OneDrive. These supported tasks can be performed on encrypted files that match the criteria of a search. A value of N/A indicates the functionality isn't available in eDiscovery.

eDiscovery task eDiscovery Premium features enabled
Search for content in encrypted files in sites and email attachments1 No Yes
Preview encrypted files attached to email No Yes
Preview encrypted documents in SharePoint and OneDrive No Yes
Review encrypted files in a review set N/A Yes
Export encrypted files attached to email Yes Yes
Export encrypted documents in SharePoint and OneDrive No Yes

Supported decryption

The following table describes the decryption supported by eDiscovery for email, email with attachments, and files hosted by SharePoint.

Item type Task eDiscovery Premium features enabled
Encrypted email Search Yes Yes
Encrypted email Decryption to .pst No Yes
Encrypted email Decryption to file No Yes
Encrypted mail and attachment Search No Yes (with Advanced indexing)1
Encrypted mail and attachment Decryption to .pst No Yes
Encrypted mail and attachment Decryption to file No Yes
File in SharePoint with MIP label Search No Yes
File in SharePoint with MIP label Decryption No Yes
File in SharePoint with other encryption2 Search, Decryption No No

Important

eDiscovery doesn't support legacy encryption protocols.

Decryption limitations with email and attachments

eDiscovery support for decryption of email messages and attachments is subject to the following limitations:

  • Decryption isn't supported when the email or attachment encryption is applied in an external organization. eDiscovery only supports decryption for email and attachments that are encrypted in your organization.
  • When decrypting emails or attachments, the owner of the mailbox where the emails and attachments are included in eDiscovery activities must have access to view the encrypted content. Decryption for emails or attachments isn't supported if they're sent or forwarded other recipients that can't view the encrypted content. Changes in the owner's groups or other organization permissions may also affect decryption support.

Decryption limitations with sensitivity labels in SharePoint and OneDrive

eDiscovery doesn't support encrypted files in SharePoint and OneDrive when a sensitivity label that applied the encryption is configured with either of the following settings:

  • Users can assign permissions when they manually apply the label to a document. This is sometimes referred to as user-defined permissions.
  • User access to the document has an expiration setting that is set to a value other than Never.

For more information about these settings, see the "Configure encryption settings" section in Restrict access to content by using sensitivity labels to apply encryption.

Documents encrypted with the previous settings may be returned by an eDiscovery search. This result may happen when a document property (such as the title, author, or modified date) matches the search criteria. Although these documents might be included in search results, they can't be previewed or reviewed. These documents remain encrypted when they're exported when Premium eDiscovery features enabled.

Important

Decryption isn't supported for files that are locally encrypted and then uploaded to SharePoint or OneDrive. For example, local files that are encrypted by the Microsoft Purview Information Protection client and then uploaded to Microsoft 365 aren't supported. Only files that are encrypted in the SharePoint or OneDrive service are supported for decryption.

Decrypting RMS-protected email messages and encrypted file attachments using premium eDiscovery features

Any rights-protected (RMS-protected) email messages included in the results of a search are decrypted when you export them. This decryption capability is enabled by default for members of the eDiscovery Manager role group. This is because the RMS Decrypt management role is assigned to this role group by default.

Keep the following things in mind when exporting encrypted email messages and attachments:

  • If you enable decryption of RMS-protected messages when you export them, you have to export the search results as individual messages to support decryption.
  • Attachments encrypted separately from an email aren't decrypted. For example, if a user encrypts a Word document and then attaches to an email message that isn't encrypted, this attachment isn't decrypted.
  • Attachments encrypted as part of the encryption of the associated email message are decrypted. For example, if a user creates an email message, attaches an unencrypted Word document, and then encrypts the message (including the attachment), this attachment is decrypted.
  • Messages that are decrypted are identified in the ResultsLog report. This report contains a column named Decode Status, and a value of Decoded identifies the messages that were decrypted.
  • In addition to decrypting file attachments when exporting search results, you can also preview the decrypted file when previewing search results. You can only view the rights-protected email message after you export it.
  • If you need to prevent someone from decrypting RMS-protect messages and encrypted file attachments, you have to create a custom role group (by copying the built-in eDiscovery Manager role group), and then remove the RMS Decrypt management role from the custom role group. Then add the person who you don't want to decrypt messages as a member of the custom role group.

Notes

1 Encrypted files located on a local computer and copied to an email message aren't decrypted and indexed for eDiscovery. When premium eDiscovery features are enabled, encrypted email and attachments in recipient mailbox need to be advanced indexed to be decrypted.

2 Only items labeled in SharePoint (or uploaded to SharePoint after integration with sensitivity labels are enabled) and that have labels with admin-defined permissions and no expiration are decrypted. All other encrypted files in SharePoint aren't decrypted. For more information, see Enable sensitivity labels for files in SharePoint and OneDrive.

Other documents aren't decrypted, including:

  • Files encrypted in the client and uploaded before sensitivity labels were integrated with SharePoint.
  • Documents encrypted with legacy RMS templates and not labeled.
  • Documents with user-defined permissions or with expiration settings (SMIME or other standards).

3 Only content encrypted with RMS keys hosted in Microsoft 365 is transparently decrypted when premium eDiscovery features are enabled. Double Key Encryption (DKE), Hold Your Own Key (HYOK), on-premises RMS, etc. aren't supported. For more information, see Planning and implementing your Azure Information Protection tenant key.