Searching for Encrypted Office 365 Information

The advent of sensitivity labels within Office 365 should lead to more use of rights management to protect email and documents. Rights management uses encryption to enforce the permissions assigned to those who receive information. Microsoft automatically enables rights management for Office 365 E3 and E5 tenants, and email can be protected without making any further changes by using the Encrypt-Only and Do Not Forward templates.

The downside of using rights management to protect documents stored in SharePoint Online and OneDrive for Business libraries is that indexing cannot process encrypted content. The metadata (properties) of encrypted documents is processed and included in the indexes, but the actual content inside the Word, Excel, PowerPoint, or PDF files is not.

Encryption Blocks Some Office 365 Features

The lack of indexing means that any Office 365 feature which depends on the SharePoint indexes doesn’t work with encrypted documents. You can’t find documents using SharePoint or Delve searches, and you can’t find them with Office 365 content searches. That is, unless the metadata of the encrypted files contains the keyword you use for the search. If this is the case, the search succeeds because the metadata is included in the index.

The situation is different with Exchange email because Exchange is able to decrypt protected messages and include them in the index.

A Search Example

Take the example where we have:

  • A protected email sent to one other recipient in the tenant. The search keyword is in the body of the message.
  • A protected Word document with the search keyword in the body of the file.
  • A protected Word document with the search keyword in the body of the file and in one of the document properties (like the Title or Comments).

When we search, we should find two copies of the message (from the mailboxes of the sender and the recipient) and the second Word document (based on the metadata). The first Word document remains invisible to search because the information we search for is in the encrypted body. The content search shown below illustrates the point. We can see the two messages and the single document.

Office 365 content search finds some but not all of the data we want

If you do unearth some encrypted content in a content search, you can decrypt protected email during the export process, but encrypted documents are exported intact. This means that you must decrypt those files to allow investigators to review their content (I describe how in this article).

Microsoft to Improve Situation?

Microsoft is doing a great deal to make encrypted content easier to generate within Office 365. It will take time for tenants to understand and adopt functionality like sensitivity labels, but it will happen. Hopefully, we’ll see an improvement in the discoverability of protected documents in SharePoint and OneDrive. 

For more information about sensitivity labels, see Chapter 24 of the Office 365 for IT Pros eBook. Content searches are covered in Chapter 20, and Delve is in Chapter 9.
