FAQ: Migrating Microsoft Purview Protected Content from SharePoint to Nextcloud

This document addresses common questions about migrating files protected by Microsoft Purview Sensitivity Labels from SharePoint Online to Nextcloud using SMART Migration.

---

Understanding the Challenge

What is Microsoft Purview?

Microsoft Purview (formerly Microsoft Information Protection / Azure Information Protection) is Microsoft’s data governance and compliance platform. It provides tools for classifying, labeling, and protecting sensitive content across Microsoft 365.

What are Sensitivity Labels?

Sensitivity Labels are classification tags applied to documents and emails that can:

  • Apply visual markings (headers, footers, watermarks)
  • Enforce encryption using Azure Rights Management (RMS)
  • Control access permissions (who can open, edit, print, copy)
  • Travel with the file, even when downloaded or shared externally

Common label examples include “Public”, “Internal”, “Confidential”, “Restricted”, and “Highly Restricted”.

Why can’t SMART Migration migrate encrypted files directly?

When a file is protected with a Sensitivity Label that enforces encryption, the file content is encrypted using Azure Rights Management (RMS). This encryption is independent of SharePoint permissions.

When SMART Migration (or any tool using CSOM/Graph API) downloads a protected file, it receives the encrypted blob — not the readable content. Decryption requires:

  1. A separate call to Azure RMS
  2. An identity that is authorized to decrypt the specific file
  3. Use of the Microsoft Information Protection (MIP) SDK

SharePoint Global Admin permissions do not automatically grant decryption rights. RMS permissions are a separate authorization layer.

---

Summary

Migrating Microsoft Purview protected content to Nextcloud requires a coordinated approach:

  1. Decryption is mandatory — Encrypted files cannot be migrated in their protected state
  2. Super User access — Required for bulk decryption operations
  3. Label metadata can transfer — Classification information preserved via tags/MetaVox
  4. Enforcement must be rebuilt — Nextcloud native controls replace Purview policies
  5. Architecture matters — Consider separate instances for high-sensitivity content

SMART Migration handles the migration workflow; decryption is performed using Microsoft’s tooling with appropriate administrative access.

---

Preparing for Migration

What must be done before migrating encrypted content?

Encrypted files must be decrypted before migration to Nextcloud. There are several approaches:

| Approach | Description | Best For |
|---|---|---|
| Super User decryption | Configure a service account as RMS Super User to bulk-decrypt | Large-scale automated migration |
| Owner-initiated removal | File owners manually remove protection | Small number of files, user-driven process |
| Label policy change | Temporarily modify label to remove encryption requirement | Organization-wide approach with governance approval |

How do we configure Super User access for bulk decryption?

The customer’s IT administrator must perform these steps:

# PowerShell - Requires AIPService module
# Connect to the AIP service
Connect-AipService

# Enable the Super User feature (disabled by default)
Enable-AipServiceSuperUserFeature

# Add a service account or app registration as Super User
Add-AipServiceSuperUser -ServicePrincipalId "<app-registration-guid>"
# Or for a user account:
Add-AipServiceSuperUser -EmailAddress "migration-service@contoso.com"

# Verify configuration
Get-AipServiceSuperUser

Important: Super User access should be:

  • Granted only for the duration of the migration project
  • Logged and audited
  • Revoked immediately after migration completes

How do we actually decrypt the files?

Decryption requires the Microsoft Information Protection (MIP) SDK. A typical approach:

  1. Download encrypted files from SharePoint to a staging location
  2. Run a decryption tool using MIP SDK with Super User credentials
  3. Migrate the decrypted files using SMART Migration
  4. Securely delete the staging copies

# Example PowerShell using AIP unified labeling client
# (AzureInformationProtection module); run as the Super User account
# Remove protection from files in a folder
$files = Get-ChildItem -Path "C:\Migration\Staging" -Recurse -File
foreach ($file in $files) {
    Set-AIPFileLabel -Path $file.FullName -RemoveProtection
}

Note: The exact tooling depends on the customer environment and preferences. SMART Migration can provide guidance, but the decryption step is performed using Microsoft’s tools.
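The following is an added example, not part of the original FAQ and not SMART Migration's or Microsoft's own tooling, that turns the four steps above into one script: it records each staged file's label and protection state before anything is changed (the per-file record the compliance section of this document asks for), removes protection only from files that are actually RMS-protected, and re-reads the status afterwards so that a file which silently kept its protection is flagged instead of being handed to the migration tool as an unreadable blob. It assumes the AzureInformationProtection PowerShell module (the AIP unified labeling client) is installed, that the session runs as the Super User account configured earlier, and that the staging and report paths are placeholders.

```powershell
# Added example (not from the FAQ): decrypt a staging folder with the AIP client
# cmdlets and keep a before/after record of every file. Paths are placeholders.
$Staging = "C:\Migration\Staging"
$Report  = "C:\Migration\decryption-report.csv"

$files = Get-ChildItem -Path $Staging -Recurse -File

# 1. Inventory: capture label name and RMS protection state before any change.
#    Get-AIPFileStatus exposes MainLabelName, IsRMSProtected and RMSOwner per file.
$records = foreach ($f in $files) {
    $s = Get-AIPFileStatus -Path $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Label     = $s.MainLabelName
        Protected = [bool]$s.IsRMSProtected   # $null (unlabeled) becomes $false
        RmsOwner  = $s.RMSOwner
        CheckedAt = (Get-Date).ToString("o")
        Outcome   = $null
    }
}

# 2. Remove protection only where it is present. Labelled-but-unencrypted files
#    are left untouched so their label can still be read and mapped later.
foreach ($item in $records) {
    if (-not $item.Protected) { $item.Outcome = "NotProtected"; continue }

    # -JustificationMessage is required when the label policy demands a
    # justification for removing protection; harmless otherwise.
    Set-AIPFileLabel -Path $item.Path -RemoveProtection `
        -JustificationMessage "Migration to Nextcloud" | Out-Null

    # 3. Verify: re-read the status. A file that is still protected must not
    #    be passed to the migration tool.
    $after = Get-AIPFileStatus -Path $item.Path
    $item.Outcome = if ($after.IsRMSProtected) { "StillProtected" } else { "Decrypted" }
}

# 4. Persist the record (which file, which label, what happened, when).
$records | Export-Csv -Path $Report -NoTypeInformation

# Anything still protected belongs in the "problem files" list for follow-up.
$records | Where-Object { $_.Outcome -eq "StillProtected" } |
    ForEach-Object { Write-Warning "Still protected, do not migrate: $($_.Path)" }
```

The report file doubles as the "which files had which Sensitivity Labels before migration" record; keep it with the project's audit material rather than in the staging folder, since the staging folder is deleted after migration.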

---

Migration Process

What is the recommended migration workflow for protected content?

  1. Inventory — Identify all files with Sensitivity Labels, especially those with encryption (Restricted, Highly Restricted)
  2. Classify — Separate encrypted from non-encrypted labeled content
  3. Prepare — Configure Super User access and decryption tooling
  4. Decrypt — Create unprotected copies in a secure staging environment
  5. Migrate — Use SMART Migration to transfer content to Nextcloud
  6. Apply Nextcloud controls — Map classifications to Nextcloud tags, folders, or access controls
  7. Cleanup — Securely delete staging copies, revoke Super User access
  8. Verify — Confirm all content migrated successfully with appropriate metadata
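As an added example for step 7 above and for the "granted only for the duration, logged and audited, revoked immediately" requirements in the Super User section (this is not code from the FAQ or from SMART Migration), the following script revokes the temporary Super User grant, proves that nothing is left enabled, exports the protection admin log for the project window, and removes the decrypted staging copies. It assumes the AIPService module, a session with the tenant's protection administrator rights, that Get-AipServiceSuperUserFeature returns the string "Enabled" or "Disabled", and that the account address, paths and project start date are placeholders.

```powershell
# Added example (not from the FAQ): tear down the temporary Super User grant
# and keep an audit record. Account, paths and dates are placeholders.
$MigrationAccount = "migration-service@contoso.com"
$StagingPath      = "C:\Migration\Staging"
$AuditPath        = "C:\Migration\aip-admin-log.txt"
$ProjectStart     = Get-Date "2025-12-01"   # placeholder: when the grant was made

Connect-AipService

# 1. Revoke the grant and disable the feature tenant-wide. The feature was
#    off by default before the migration and should be off again afterwards.
Remove-AipServiceSuperUser -EmailAddress $MigrationAccount
Disable-AipServiceSuperUserFeature

# 2. Prove it rather than assume it: no super users left, feature disabled.
$remaining = @(Get-AipServiceSuperUser)
if ($remaining.Count -ne 0) {
    throw "Super users still configured: $($remaining -join ', ')"
}
if ((Get-AipServiceSuperUserFeature) -ne "Disabled") {
    throw "Super User feature is still enabled"
}

# 3. Export the protection admin log covering the project window. It records
#    who enabled the feature, who was added as super user, and the revocation.
Get-AipServiceAdminLog -Path $AuditPath -FromTime $ProjectStart -ToTime (Get-Date)

# 4. Remove the decrypted staging copies. Remove-Item only unlinks the files;
#    where the storage requires overwriting, run the organisation's approved
#    secure-delete tool against $StagingPath before this step.
Remove-Item -Path $StagingPath -Recurse -Force
```

Run the verification block (step 2) again at the end of the project even if the revocation was done from the portal: the empty super user list and the exported log are the evidence an auditor will ask for.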

What happens to the Sensitivity Label metadata after migration?

The label metadata (the classification name and properties) can be preserved and mapped to Nextcloud equivalents:

| SharePoint/Purview | Nextcloud Equivalent | Notes |
|---|---|---|
| Sensitivity Label name | Nextcloud Tag or MetaVox property | Classification preserved for reference |
| Visual markings | Not applicable | Document markings remain in content if embedded |
| Encryption | Nextcloud server-side encryption or separate instance | Different technology, requires re-implementation |
| Access policies | Nextcloud sharing permissions / ACLs | Must be recreated based on Nextcloud capabilities |

Important: The enforcement of Sensitivity Labels does not transfer. Nextcloud does not understand or enforce Microsoft Purview policies. Equivalent controls must be configured natively in Nextcloud.

Can SMART Migration map Sensitivity Labels to Nextcloud metadata?

Yes. SMART Migration can:

  • Read the Sensitivity Label metadata from SharePoint files
  • Map label names to Nextcloud tags
  • Map label names to MetaVox custom properties
  • Use labels as criteria for routing files to different Nextcloud locations

This preserves the classification information for audit and organizational purposes, even though enforcement requires native Nextcloud configuration.

---

Architecture Considerations

Should encrypted content go to a separate Nextcloud instance?

This is a valid and often recommended approach. Benefits include:

  • Clear security boundary — High-sensitivity content isolated at infrastructure level
  • Simplified access control — Restrict who can even reach the instance
  • Different backup/retention policies — Apply stricter data handling rules
  • Reduced blast radius — Compromise of one instance doesn’t expose all classification levels
  • Compliance clarity — Easier to demonstrate controls for auditors

SMART Migration supports migrating to multiple Nextcloud targets, making this architecture straightforward to implement.
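The label-to-tag mapping and the routing to a separate instance described in the two sections above can be expressed as a small table plus a routing function. The following is an added example (not SMART Migration's code; the product's own mapping is configured in the tool) showing the two decisions a practitioner wants to see made explicitly: files that are still RMS-protected are held back rather than routed, and labels with no mapping row go to a review queue instead of silently defaulting to a lower classification. Tag names, instance URLs, destination paths and the sample inventory are constructed placeholders.

```powershell
# Added example (not SMART Migration's code): a Purview-label-to-Nextcloud
# mapping table and a routing function, run over a constructed inventory.

# One row per label. Encrypting labels route to a separate instance, which is
# the isolation architecture discussed above. All values are placeholders.
$LabelMap = @{
    "Public"            = @{ Tag = "classification:public";            Target = "https://cloud.example.com";        Root = "/Shared" }
    "Internal"          = @{ Tag = "classification:internal";          Target = "https://cloud.example.com";        Root = "/Shared" }
    "Confidential"      = @{ Tag = "classification:confidential";      Target = "https://cloud.example.com";        Root = "/Restricted" }
    "Restricted"        = @{ Tag = "classification:restricted";        Target = "https://secure-cloud.example.com"; Root = "/Restricted" }
    "Highly Restricted" = @{ Tag = "classification:highly-restricted"; Target = "https://secure-cloud.example.com"; Root = "/Restricted" }
}

function Resolve-NextcloudRoute {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Label,
        [bool]$StillProtected = $false
    )
    # A file that is still RMS-protected would arrive as an unreadable blob:
    # hold it. An unlabeled or unmapped file is not routed either; it goes to
    # review so nobody guesses a lower classification on its behalf.
    if ($StillProtected) {
        return [pscustomobject]@{ Path = $Path; Label = $Label; Action = "Hold";   Reason = "still protected" }
    }
    if ([string]::IsNullOrEmpty($Label)) {
        return [pscustomobject]@{ Path = $Path; Label = $Label; Action = "Review"; Reason = "no label" }
    }
    if (-not $LabelMap.ContainsKey($Label)) {
        return [pscustomobject]@{ Path = $Path; Label = $Label; Action = "Review"; Reason = "unmapped label" }
    }
    $m = $LabelMap[$Label]
    [pscustomobject]@{
        Path        = $Path
        Label       = $Label
        Action      = "Migrate"
        Target      = $m.Target
        Destination = "$($m.Root)/$(Split-Path $Path -Leaf)"
        Tag         = $m.Tag
    }
}

# Constructed sample inventory: path, label name and decryption outcome.
$inventory = @(
    [pscustomobject]@{ Path = "C:\Migration\Staging\Finance\budget.xlsx"; Label = "Highly Restricted"; Outcome = "Decrypted" }
    [pscustomobject]@{ Path = "C:\Migration\Staging\HR\handbook.docx";    Label = "Internal";          Outcome = "NotProtected" }
    [pscustomobject]@{ Path = "C:\Migration\Staging\Legal\contract.pdf";  Label = "Restricted";        Outcome = "StillProtected" }
    [pscustomobject]@{ Path = "C:\Migration\Staging\Misc\notes.txt";      Label = "Legacy-Secret";     Outcome = "NotProtected" }
)

$manifest = foreach ($row in $inventory) {
    Resolve-NextcloudRoute -Path $row.Path -Label $row.Label `
        -StillProtected ($row.Outcome -eq "StillProtected")
}
$manifest | Format-Table Path, Label, Action, Target, Tag, Reason -AutoSize
```

With the sample inventory, budget.xlsx is routed to the secure instance with the highly-restricted tag, handbook.docx to the shared instance, contract.pdf is held because it is still protected, and notes.txt is sent to review because "Legacy-Secret" has no mapping row. The "Hold" and "Review" rows are exactly the files that should appear in the unmigrated-files record the compliance section asks for.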

What Nextcloud features can replace Purview encryption?

Nextcloud offers several protection mechanisms:

  • Server-side encryption — Encrypts files at rest on the server
  • End-to-end encryption (E2EE) — Client-side encryption for designated folders
  • File access control rules — Automated rules based on tags, user groups, or file properties
  • Secure drop folders — Write-only folders for sensitive submissions
  • External storage with encryption — Encrypted connections to backend storage

These are different technologies from Microsoft RMS and require separate configuration and user training.

---

Compliance and Governance

What should be documented for compliance purposes?

Maintain records of:

  • Which files had which Sensitivity Labels before migration
  • When and how decryption was performed
  • Who had Super User access and for what duration
  • Mapping between Purview labels and Nextcloud controls
  • Verification that equivalent protections are in place post-migration

SMART Migration logs can provide migration audit trails. Decryption activities should be logged separately using Microsoft’s audit capabilities.

Are there legal considerations when removing encryption?

Potentially yes. The customer should verify:

  • Regulatory requirements that mandated encryption (GDPR, HIPAA, industry-specific rules)
  • Contractual obligations regarding data protection
  • Internal policies about handling classified content
  • That equivalent or stronger protections exist in the target environment

This is a governance decision for the customer, not a technical migration decision.

---

Practical Considerations

How many files typically have encryption-enforcing labels?

In most organizations, only a small percentage of files have Restricted or Highly Restricted labels with encryption. Common distributions:

  • Public / Internal: 80-95% of files (usually no encryption)
  • Confidential: 5-15% of files (may or may not have encryption)
  • Restricted / Highly Restricted: 1-5% of files (typically encrypted)

Organizations that recently implemented Sensitivity Labels often have even fewer encrypted files.

What if we cannot decrypt certain files?

If specific files cannot be decrypted (lost keys, orphaned permissions, departed users), options include:

  • Identify file owners through SharePoint metadata and request they remove protection
  • Use compliance tools to identify content and make governance decisions
  • Document the files as unmigrated with reasons
  • Leave encrypted copies in a “problem files” location for later resolution

Can users continue working during the migration?

Yes, but with considerations:

  • Newly protected files created during migration may need a second pass
  • Consider a cutover window where protection changes are frozen
  • Communicate to users that label enforcement will change post-migration

---

SMART Migration Capabilities

What does SMART Migration handle in this scenario?

| Task | SMART Migration | Customer/Microsoft Tools |
|---|---|---|
| Download files from SharePoint | ✓ | |
| Decrypt RMS-protected files | | ✓ (MIP SDK) |
| Map Sensitivity Label metadata | ✓ | |
| Upload to Nextcloud | ✓ | |
| Create Nextcloud tags from labels | ✓ | |
| Set Nextcloud permissions | ✓ | |
| Configure Nextcloud encryption | | ✓ (Nextcloud admin) |

What information does SMART Migration need from the customer?

  • List of Sensitivity Labels in use and their encryption settings
  • Mapping requirements: which labels map to which Nextcloud tags/locations
  • Access to decrypted content (staging location or inline decryption pipeline)
  • Nextcloud target configuration (single instance or multiple)
  • Desired folder structure and permission model in Nextcloud

---

Last modified: 15 December 2025