During my session at the National Museum for Compu ting I described the encryption option and pitfalls when using Microsoft 365.

1. BLETCHLEY
PARK 2022
A Microsoft 365 Community
COLLABORATION CONFERENCE
Wednesday, 23rd February 2022
Encryption in Microsoft 365
Albert Hoitingh

2. BLETCHLEY
PARK 2022
Thank you to all our Sponsors
Silver
Platinum
Gold
Silver
Community
Sponsor
Lunch
Sponsor

3. InSpark
Albert Hoitingh
@Alberthoitingh
https://linkedin.com/in/appieh
https://alberthoitingh.com
Sr. Consultant Microsoft 365 security, compliance & risk
@InSpark

4. Today’s
session
Microsoft 365 Encryption
Microsoft Information
Protection
Office 365 Message
Encryption
Heads up

5. …the FBI recovered a blue 16GB SanDisk SD card…
…the SD card was wrapped in plastic and placed between two
slices of bread on half of a peanut butter sandwich….
Picture and information curtesy of: How a Navy veteran
allegedly stole classified submarine docs (taskandpurpose.com)

6. Microsoft 365
encryption

7. Encryption for
Microsoft 365
• Data at rest
• Data in transit
• Specific functions:
• Microsoft Information Protection
• Information Rights Management
• Office 365 Message Encryption

8. Licensing considerations
• Office/Microsoft 365 E3
• Microsoft 365 E5 Compliance
• E5 eDiscovery & Audit:
• Advanced eDiscovery
• E5 Information Protection & Governance:
• Customer Key
• Double Key Encryption
• Advanced Message Encryption
Notes
• Auto-classification is included in E5
Information Protection & Governance

9. Microsoft 365
Data at rest
• Bitlocker (many levels)
• Per-file encryption (every file and file-
update uses a unique encryption key)
• Data encryption policies (DEP)
• SharePoint Online and OneDrive for
Business
• Exchange Online
• All other Microsoft 365 services and
Microsoft Information Protection

10. Microsoft 365
Data in transit
• (Mutual) Transport Layer Security
(MTLS/TLS)
• Secure Real-Time Transport Protocol
(SRTP)
• Exchange IRM – s/MIME – OME

11. Encryption keys for
Microsoft 365
• Microsoft managed
• Customer Key / Bring Your Own Key (BYOK)
• Double Key (Microsoft Information
Protection)

12. Customer Key for
Microsoft 365
• Organization provides and controls
encryption keys
• Does not prevent access to data from
Microsoft personnel
• Can be set for different DEP’s
• Uses Azure Key Vault and Hardware
Security Modules (HSM) – requires at
least 1024 bits for MIP.

13. Double Key for
Microsoft Information
Protection
• For specific compliance reasons
• Can be set on the label
• Complex to implement and maintain
• Content is encrypted using the tenant key
and your own key
Notes
• Only works for Office apps and the
labeling client
• Restricts transport | Microsoft Delve |
eDiscovery | Content search/indexing |
Office Web Apps & co-authoring

14. SharePoint
Information
Rights
Management

15. Information Rights
Management (IRM)
• Only works for Office and PDF documents
• Works for documents in library and lists
• Requires AD RMS
• Somewhat limited (introduced in SP2010!)
• Use sensitivity labels instead
Notes
• Does not allow for co-authoring in the
Office apps
• Does not support Office Online
• https://<SPADMIN>.sharepoint.com/_layouts
/15/online/TenantSettings.aspx

16. Demo time!
Where to find the
IRM settings

17. Sensitivity
labels

18. Documents and e-mails
• Label applied to document/e-mail
• Label added as metadata, stays with document
• Can be configured to:
- Apply visual markings
- Encrypt the document
- Allow offline access
- Work within DLP policies
• Works with a hierarchy, parents and sublabels
• Does not provide retention!

19. Encryption and labels
• Uses Azure Rights Management and Azure AD accounts
• RMS Connector for Exchange on-premises
Microsoft Managed (Azure) key details
• Symmetric AES 128/256 bit
• Key protection: Asymmetric RSA 2048 bit
• Certificate signing: SHA-256
Notes
• Licensing requirements
• Limitations (Double Key: only Office apps)
• Azure AD accounts and B2B (OTP/guest account)
• Co-authoring and auto-save for Office

20. Encryption and labels

21. File-types are important
• Some types only support labeling (no
encryption)
• Office and PDF files: native clients
• Office and PDF files: Microsoft Edge
• Other supported files: AIP Viewer client
• Watch out for the file extension

22. Accounts are important
• Azure AD account is required
• Can also be a guest account | Microsoft
Live account | free RMS account
• One Time Passcode will not work
Notes
• Note the Azure AD B2B settings
• Note the All authenticated label setting
Set-SPOTenant -
EnableAzureADB2BIntegration

23. Co-authoring and auto-save
• No possible in Office apps when
encryption is enabled
• Can be enabled using GUI or PowerShell
• Changes labeling metadata

24. Beware of the integrated client…
It does not support
• Label inheritance from e-mail
• On-premises scanner
• Custom permissions independently from label
• Bar in Office
• File explorer integration
• PPDF support
• Powershell labeling cmdlets
Client V2.x Integrated client
Build into Office Apps
Unified Labeling client
• BYOK/Double Key encryption
• Usage logging event viewer
• Do not forward button Outlook
• Document tracking/revoking
• Protection only mode

25. Demo time!
Configuring encryption
settings in labels

26. Office 365
Message
Encryption

27. Secure e-mail
• Exchange IRM or s/MIME (not for today)
• Sensitivity labels
• Encryption options Outlook - Do-not-forward
and Encrypt only (Options | Encrypt) or as
part of a label
Notes
• Known as Office 365 Message Encryption
• Mind working with attachments
• Encrypt only using a label is only
available in integrated client

28. Office 365 Message
Encryption (OME)
• Works with any email client
• Does not require a specific account for
the recipient (or does it?)
• Works with native Office functions and a
secure portal
• Standard options: Do-not-forward and
Encrypt only
Notes
• Does not offer any MFa-related options
(SMS for example)
• No easy “revoke” option
• Take encryption of attachments into
account!

29. Advanced Office 365 Message
Encryption
• Licensing: Microsoft/Office 365 E5 |
Microsoft 365 E5 Compliance | Microsoft
365 E5 Information Protection and
Governance
• Use mailrules based on sensitive
information types/keywords
• Message revocation and expiration
Notes
• For revocation and expiration to work,
you must restrict (force!) recipients to
work with the secure portal.

30. Encapsulated email message
• A protected e-mail becomes a .rpmsg file
• Outlook Apps (Windows, Mac, iOS/Android
and web) open natively
• Other (web) clients are redirected to the
secure portal
• File itself is always presented
Notes
• You cannot use the AIP Viewer to open
these files
• There’s a 25 MB limit per message

31. Office 365 Message Encryption -
Working with attachments
• Unprotected MS Office documents
• Protection is applied to the document
• Permissions differ between Do-not-forward and Encrypt
only (first is more restrictive)
• Mind the Azure AD (guest) account!
• Alternative: decrypt on download (PowerShell)

32. Demo time!
Office 365 Message Encryption

33. An example - Office 365 – Outlook web

34. An example – Gmail - webbrowser

35. An example – OME Secure Portal – including attachment

36. An example – Outlook client – preview screen

37. An example – Outlook – after opening

38. An example – Permissions on Word document

39. What about an e-mail with a
label?
• Email message and attachments are
protected
• Based on settings for the label
• If recipient is not part of the protection
– email will not be opened
• Emails can inherit the label of the
attachment, when higher

40. What about an e-mail with a
label?
• Email message and attachments are
protected
• Based on settings for the label
• If recipient is not part of the protection
– email will not be opened
• Emails can inherit the label of the
attachment, when higher

41. To think
about…

42. Advanced configurations PowerShell
Set-LabelPolicy -Identity “policyname” -AdvancedSettings
@{EnableCustomPermissions="False"}
Disable the custom permissions option in the Windows File Explorer
Set-LabelPolicy -Identity “Policyname” -AdvancedSettings
@{OutlookWarnUntrustedCollaborationLabel=“Labelid"}
Warn, justify or block labeled messages or messages with specific labeled
attachments using a default message
Set-LabelPolicy -Identity “policyname” -AdvancedSettings
@{OutlookJustifyTrustedDomains="contoso.com,fabrikam.com,litware.com"}
Disregard the warn, justify or block action for specific (trusted) domains
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
Remove the encryption from email attachments when downloaded using the browser

43. Keep in mind
• Sharing an encrypted file | working with
guests
• Label/encrypt using DLP rules
• Decrypt file in SPO: Unlock-
SensitivityLabelEncryptedFile
• Metadata change, MSIP_ cannot be used
anymore

44. Keep in mind
• eDiscovery and encryption
• Advanced eDiscovery supports all
• Content search and core eDiscovery only
support previewing and exporting
encrypted attachments
• Super User role
• Encrypted PDF’s (Adobe Acrobat | Microsoft
Edge) & Digitally signed PDF’s

45. Keep in mind
• Migrating content can be difficult
• Keep in mind your encrypted content

46. BLETCHLEY
PARK 2022
Thank You!

47. InSpark
Thank you!
@Alberthoitingh
https://linkedin.com/in/appieh
https://alberthoitingh.com
Many more info:
https://docs.microsoft.com/en-us/microsoft-
365/compliance/encryption?WT.mc_id=EM-MVP-
5003084