CollabDays NL 2022 - Albert Hoitingh - Encryption in M365 - Slideshare.pptx

#CollabDaysNL | @CollabDaysNL | www.collabdays.org/2022-nl
Albert Hoitingh
Sr. consultant Microsoft Purview | InSpark | NL
Encryption in Microsoft 365

OUR SPONSORS

Albert Hoitingh
@Alberthoitingh
https://linkedin.com/in/appieh
https://alberthoitingh.com
Sr. Consultant Microsoft 365 security,
compliance & risk @InSpark

• Microsoft 365 Encryption
• Microsoft Information Protection
• Office 365 Message Encryption
• Advanced settings
• Heads ups
TODAY’S SESSION

…the FBI recovered a blue 16GB SanDisk SD card…
…the SD card was wrapped in plastic and placed between two
slices of bread on half of a peanut butter sandwich….
Picture and information curtesy of: How a Navy veteran
allegedly stole classified submarine docs (taskandpurpose.com)

Encryption for
Microsoft 365
• Data at rest
• Data in transit
• Specific functions:
• Microsoft Information Protection
• Information Rights Management
• Office 365 Message Encryption

Licensing considerations
• Office/Microsoft 365 E3
• Microsoft 365 E5 Compliance
• E5 eDiscovery & Audit:
• Advanced eDiscovery
• E5 Information Protection & Governance:
• Customer Key
• Double Key Encryption
• Advanced Message Encryption
Notes
• Auto-classification is included in E5
Information Protection & Governance

Microsoft 365
Data at rest
• Bitlocker (many levels)
• Per-file encryption (every file and file-
update uses a unique encryption key)
• Data encryption policies (DEP)
• SharePoint Online and OneDrive for
Business
• Exchange Online
• All other Microsoft 365 services and
Microsoft Information Protection

Microsoft 365
Data in transit
• (Mutual) Transport Layer Security
(MTLS/TLS)
• Secure Real-Time Transport Protocol
(SRTP)
• Exchange IRM – s/MIME – OME

Encryption keys for
Microsoft 365
• Microsoft managed
• Customer Key / Bring Your Own Key (BYOK)
• Double Key (Microsoft Information
Protection)

Customer Key for
Microsoft 365
• Organization provides and controls
encryption keys
• Does not prevent access to data from
Microsoft personnel
• Can be set for different DEP’s
• Uses Azure Key Vault and Hardware
Security Modules (HSM) – requires at
least 1024 bits for MIP.

Double Key for
Microsoft Information
Protection
• For specific compliance reasons
• Can be set on the label
• Complex to implement and maintain
• Content is encrypted using the tenant key
and your own key
Notes
• Only works for Office apps and the
labeling client
• Restricts transport | Microsoft Delve |
eDiscovery | Content search/indexing |
Office Web Apps & co-authoring

SharePoint
Information
Rights
Management

Information Rights
Management (IRM)
• Only works for Office and PDF documents
• Works for documents in library and lists
• Requires AD RMS
• Somewhat limited (introduced in SP2010!)
• Use sensitivity labels instead
Notes
• Does not allow for co-authoring in the
Office apps
• Does not support Office Online
• https://<SPADMIN>.sharepoint.com/_layouts
/15/online/TenantSettings.aspx

Documents and e-mails
• Label applied to document/e-mail
• Label added as metadata, stays with document
• Can be configured to:
- Apply visual markings
- Encrypt the document
- Allow offline access
- Work within DLP policies
• Works with a hierarchy, parents and sublabels
• Does not provide retention!

Encryption and labels
• Uses Azure Rights Management and Azure AD accounts
• RMS Connector for Exchange on-premises
Microsoft Managed (Azure) key details
• Symmetric AES 128/256 bit
• Key protection: Asymmetric RSA 2048 bit
• Certificate signing: SHA-256
Notes
• Licensing requirements
• Limitations (Double Key: only Office apps)
• Azure AD accounts and B2B (OTP/guest account)
• Co-authoring and auto-save for Office

Encryption and labels

File-types are important
• Some types only support labeling (no
encryption)
• Office and PDF files: native clients
• Office and PDF files: Microsoft Edge
• Other supported files: AIP Viewer client
• Watch out for the file extension

Accounts are important
• Azure AD account is required
• Can also be a guest account | Microsoft
Live account | free RMS account
• One Time Passcode will not work
Notes
• Note the Azure AD B2B settings
• Note the All authenticated label setting
Set-SPOTenant -
EnableAzureADB2BIntegration

Co-authoring and auto-save
• No possible in Office apps when
encryption is enabled
• Can be enabled using GUI or PowerShell
• Changes labeling metadata

Beware of the integrated client…
It does not support
• Label inheritance from e-mail
• On-premises scanner
• Custom permissions independently from label
• Bar in Office
• File explorer integration
• PPDF support
• Powershell labeling cmdlets
Client V2.x Integrated client
Build into Office Apps
Unified Labeling client
• BYOK/Double Key encryption
• Usage logging event viewer
• Do not forward button Outlook
• Document tracking/revoking
• Protection only mode

Demo time!
Configuring encryption
settings in labels

Secure e-mail
• Exchange IRM or s/MIME (not for today)
• Sensitivity labels
• Encryption options Outlook - Do-not-forward
and Encrypt only (Options | Encrypt) or as
part of a label
Notes
• Known as Office 365 Message Encryption
• Mind working with attachments
• Encrypt only using a label is only
available in integrated client

Office 365 Message
Encryption (OME)
• Works with any email client
• Does not require a specific account for
the recipient (or does it?)
• Works with native Office functions and a
secure portal
• Standard options: Do-not-forward and
Encrypt only
Notes
• Does not offer any MFa-related options
(SMS for example)
• No easy “revoke” option
• Take encryption of attachments into
account!

Advanced Office 365 Message
Encryption
• Licensing: Microsoft/Office 365 E5 |
Microsoft 365 E5 Compliance | Microsoft
365 E5 Information Protection and
Governance
• Use mailrules based on sensitive
information types/keywords
• Message revocation and expiration
Notes
• For revocation and expiration to work,
you must restrict (force!) recipients to
work with the secure portal.

Encapsulated email message
• A protected e-mail becomes a .rpmsg file
• Outlook Apps (Windows, Mac, iOS/Android
and web) open natively
• Other (web) clients are redirected to the
secure portal
• File itself is always presented
Notes
• You cannot use the AIP Viewer to open
these files
• There’s a 25 MB limit per message

Office 365 Message Encryption -
Working with attachments
• Unprotected MS Office documents
• Protection is applied to the document
• Permissions differ between Do-not-forward and Encrypt
only (DnF: printing/copy not allowed)
• Mind the Azure AD (guest) account!
• Alternative: decrypt on download (PowerShell)

Demo time!
Office 365 Message Encryption

An example - Office 365 – Outlook web

An example – Gmail - webbrowser

An example – OME Secure Portal – including attachment

An example – Outlook client – preview screen

An example – Outlook – after opening

An example – Permissions on Word document

What about an e-mail with a
label with permissions?
• Email message and attachments are
protected
• Based on settings for the label
• If recipient is not part of the protection
– email will not be opened
• Emails can inherit the label of the
attachment, when higher

To think about
• Used to set specific configurations
• Either for the unified labeling client
• Or for the specific working of a function
• For more information: scan the QR code
• Some examples…

Advanced configurations PowerShell
Set-LabelPolicy -Identity “policyname” -AdvancedSettings
@{EnableCustomPermissions="False"}
Disable the custom permissions option in the Windows File Explorer
Set-LabelPolicy -Identity “Policyname” -AdvancedSettings
@{OutlookWarnUntrustedCollaborationLabel=“Labelid"}
Warn, justify or block labeled messages or messages with specific labeled
attachments using a default message
Set-LabelPolicy -Identity “policyname” -AdvancedSettings
@{OutlookJustifyTrustedDomains="contoso.com,fabrikam.com,litware.com"}
Disregard the warn, justify or block action for specific (trusted) domains
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
Remove the encryption from email attachments when downloaded using the browser

Keep in mind
• Sharing an encrypted file | working with
guests
• Label/encrypt using DLP rules
• Decrypt file in SPO: Unlock-
SensitivityLabelEncryptedFile
• Metadata change, MSIP_ cannot be used
anymore

Keep in mind
• eDiscovery and encryption
• Advanced eDiscovery supports all
• Content search and core eDiscovery only
support previewing and exporting
encrypted attachments
• Super User role
• Encrypted PDF’s (Adobe Acrobat | Microsoft
Edge) & Digitally signed PDF’s

Keep in mind
• Migrating content can be difficult
• Keep in mind your encrypted content

Thank you!
@Alberthoitingh
https://linkedin.com/in/appieh
https://alberthoitingh.com
Many more info:
https://docs.microsoft.com/en-us/microsoft-
365/compliance/encryption?WT.mc_id=EM-MVP-
5003084

CollabDays NL 2022 - Albert Hoitingh - Encryption in M365 - Slideshare.pptx

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to CollabDays NL 2022 - Albert Hoitingh - Encryption in M365 - Slideshare.pptx

Similar to CollabDays NL 2022 - Albert Hoitingh - Encryption in M365 - Slideshare.pptx (20)

More from Albert Hoitingh

More from Albert Hoitingh (20)

Recently uploaded

Recently uploaded (20)

CollabDays NL 2022 - Albert Hoitingh - Encryption in M365 - Slideshare.pptx