[ComodoHacker]

>while all organization accounts are end-to-end encrypted, it is still possible for organization admins to access the emails of other organization users. Thus, organizational oversight and management is still possible, even with end-to-end encryption. Furthermore, administrative read permissions are also granted or revoked automatically when admin users are created or demoted.

I wonder how can they provide this without either storing encryption keys on their servers or reencrypting (client-side!) all email during such events.

[bartbutler]

It's a key escrow system. The admins hold a copy of the user's key, and promoting a new admin involves giving access to this key.

[ComodoHacker]

So where is this copy stored?

[ThePhysicist]

Interesting! You could probably do it by using the key of an existing admin to decrypt the escrow key and then reencrypt it with the public key of the new admin, all client-side.