When you have your Active Directory Certification Services (ADCS), your domain users can have certificates used to encrypt\decrypt emails. Your security department may want to get access to those encrypted emails, so you must provide private key of this user, so security-people can decrypt messages.
How can you do that?