Exports of Exchange Online Search Results Now Decrypt Attachments

Posted on by Tony Redmond

Decryption of Exported Documents

Office 365 notification MC225739 (3 November) reports that eDiscovery exports will support decryption for attachments in Exchange (Online). The pointer to the Microsoft 365 roadmap refers to item 68704, which says:

eDiscovery managers will be able to collect and review content encrypted with Microsoft encryption technologies and attached as a local copy to an email in Exchange from the Advanced eDiscovery solution.”

I asked the engineering group if decryption for exports would also apply for Core eDiscovery (the type you get with Office 365 E3) and received an affirmative response.

Deployment begins soon and is due to be complete worldwide by early December.

Protected Messages and Their Attachments

Exchange Online decrypts protected messages (messages assigned a sensitivity label with encryption) when items found by a content search were exported. Decryption only happens when search results are exported to individual (MSG) files rather than to a PST. Up to now, any protected attachments (files assigned sensitivity labels with encryption) remained encrypted, which created a problem for investigators who needed to see the content, or when content needed to be reviewed before it was turned over as the result of a GDPR data subject request.

One solution is to assign an account super-user permission for rights management and have them use that permission to decrypt the documents. While effective, this is problematic because super-user permission allows access to any encrypted content in a tenant. It’s more convenient (and safer) to have Exchange use its permissions to decrypt both messages and attachments as search results are exported from mailboxes.

Edge and Exports

Although any browser supported by Office 365 can create and run content searches and eDiscovery cases, you must use the Edge browser to download and install the Microsoft 365 eDiscovery Export program. This tool is created with Microsoft’s ClickOnce technology, and is used to download the results of a search from Azure to local storage. A recent change to Edge means that you might have to configure your browser to enable support for ClickOnce.

To do this, open a tab in Edge and go to edge://flags/#edge-click-once. Make sure that ClickOnce support is enabled (Figure 1).

Enabling support for ClickOnce in Edge to allow Office 365 content search exports to run
Figure 1: Enabling support for ClickOnce in Edge to allow Office 365 content search exports to run

If ClickOnce is not enabled, you can download the Microsoft 365 eDiscovery Export tool, but it won’t run. It took me a couple of times before I figured out what was going on. I’m sure the penny will drop for you sooner.

Learn more about how content searches work and how to export the results found by the searches in the Office 365 for IT Pros eBook.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.