A significant challenge for a software vendor like Microsoft is to develop new features while ensuring support for older software versions. The RMS encryption used in Microsoft Purview has been around for 20 years and was released alongside Office 2003. The major advantage compared to other encryption solutions is that the Office suite has built-in support that does not require any additional logins, certificates, or dependencies, as long as all parties are using Microsoft Office and can authenticate through Azure Active Directory.

Over time, the algorithm used in RMS has been enhanced. In 2011, the organization key transitioned from 1024 to 2048 RSA. Additionally, the content key, which had previously utilized 128-bit AES encryption with ECB block mode, was upgraded to 256-bit AES encryption with CBC block mode. The content key enhancement occurred when support for encrypting file types beyond Office files was introduced. However, Microsoft couldn’t increase encryption within Microsoft Office as long as there was a requirement to support Office 2010 and other apps and services, which only supports the older algorithm.

Two days ago, Microsoft announced that in August, they will be enhancing the encryption for all supported Office applications that utilize RMS encryption within Microsoft Purview. This enhancement includes increasing the content key encryption to 256-bit AES for Microsoft Office files and emails.

What do we, as customers, need to do?

This change will happen automatically through the online service and does not require any manual intervention.

Customers using on-premises services such as a local Exchange Server with an RMS connector need to ensure that they have updated these services.

If your organization has made customizations or developed custom applications or add-ins that utilize RMS encryption from Azure RMS, these need to be adapted for the change. Details about the required changes and options to disable this encryption change can be found here: Encryption algorithm changes in Microsoft Purview Information Protection