The document outlines encryption methods in Microsoft 365, including features like customer key, double key encryption, and Microsoft Purview message encryption. It provides information on data protection strategies such as encryption for data at rest and in transit, as well as key management protocols and compliance considerations. Additionally, it highlights the significance of eDiscovery, sensitivity labels, and implications for co-authoring and data sharing within the Microsoft 365 environment.

1. Albert Hoitingh
Encryption in Microsoft 365
Start 7:45

2. Encryption in Microsoft 365

3. Principal consultant
Microsoft Security MVP
Albert
Hoitingh

4. (1) Encryption
for Microsoft
365
workloads
(2) Customer
Key and
Double Key
(3) Microsoft
Information
Protection
(4) Microsoft
Purview
Message
Encryption
(5) Things to
keep in mind
Today’s agenda

5. Encryption in Microsoft 365 and Purview

6. 1.At rest In transit Specific
functions
Different scopes

7. Short side note…

8. Short side note…

9. 1.Basic
functions
eDiscovery
(Premium)
Customer Key
Double Key
Encryption
Advanced
Managed
Encryption
Licensing considerations

10. Data at rest
Per-file encryption (SPO)
BitLocker – on many levels
Data Encryption Policies (DEPs)
SharePoint Online and OneDrive
Exchange Online
All other Microsoft 365 services, incl. Microsoft Purview
Information Protection

11. Data in transit
Secure Real-Time Transport Protocol (SRTP)
(Mutual) Transport Layer Security (MTLS/TLS)
Exchange IRM – s/MIME – OME
https://www.adaptivedigital.com/secure-rtp/

12. Key management

13. 1.Microsoft
managed
Customer key Double Key
Encryption
(MPIP)
Key management

14. Microsoft managed
SharePoint Online, OneDrive
Exchange Online

15. Customer key
Access by Microsoft
Organization in control
Different DEPs, including multi-geo
Azure Key Vault
Hardware Security Modules

16. Customer Key
SharePoint Online, OneDrive
Exchange Online

17. Customer Key per DEP
Two Azure Subscriptions
Create and
configure
(Premium) Azure
Key Vault and keys
Onboard to
Customer Key
https://learn.microsoft.com/en-us/purview/customer-key-set-up

18. Customer Key per DEP
https://learn.microsoft.com/en-us/purview/customer-key-set-up

19. Customer Key status

20. Double Key Encryption
Tenant key and organizational key
Office Apps | Sensitivity labels
Impairs specific functions

21. Software DKE
service, GitHub
Deploy
service,
publish key
Create labels
with DKE
Double Key Encryption

22. Sensitivity labels

23. Items and labels
Encryption |
Visual markings |
Offline availability
Label stays with item
Hierarchy is important

24. 1.Content key
Symmetric
AES256-CBC
(Cypher Block
Chaining)
Key protection
Asymmetric
RSA 2048 bit
Certificate
signing
SHA-256
Encryption standards

25. How it works

26. Filetypes are important
Microsoft Purview Information
Protection Viewer client
Native clients | Microsoft Edge
Watch out for the file extension | some
types only support classification

27. Identities are important
Microsoft Live | Guest | RMS
Entra ID accounts
Set-SPOTenant -
EnableAzureADB2BIntegration

28. Identities are important
Microsoft Live | Guest | RMS
Entra ID accounts
Set-SPOTenant -
EnableAzureADB2BIntegration

29. Consequences
eDiscovery | content search
Co-authoring | auto-save
Microsoft 365 Copilot

30. Consequences
eDiscovery | content search
Co-authoring | auto-save
Microsoft 365 Copilot

31. Consequences
eDiscovery | content search
Co-authoring | auto-save
Microsoft 365 Copilot

35. Microsoft Purview Message Encryption

36. Secure e-mail in Microsoft 365

37. Any recipient
and e-mail
client
Secure web-
portal
Do not forward
Encrypt only
Microsoft Purview Message Encryption

38. Advanced message encryption
Mail rules using sensitive
information types
Revocation and expiration
Information
Protection and
Governance
Compliance E5
Microsoft 365

39. Encapsulated e-mail message
Outlook: opens natively
.pmsg file
MPIP viewer does not work
Secure web-portal

40. E-mail attachments
Do not forward | Encrypt only
Non-protected
Office document
Protected
Office document
Mind the Entra ID account
Set-IRMConfiguration - DecryptAttachmentForEncryptOnly <$true|$false>

41. Run-through Message Encryption

49. Things to think about

50. Tips and tricks
Sharing encrypted files
Older metadata model (MPIP_)
Decrypt documents from SPO:
Unlock-SensitivityLabelEncryptedFile
Super User role
eDiscovery (Premium)
Encrypted/Signed PDFs
Guaranteed SharePoint
Permissions

51. What about migrating?
https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-tenant-to-tenant-
migrations?view=o365-worldwide

52. THANK YOU
Are there any questions?
Please evaluate this session in the App.

53. Next session 10:10 – 11:00
The Graph API StarterKit for AVD and W365 automation