Customers using Exchange Online can take advantage of Microsoft Office 365 Message Encryption (Microsoft OME), an online service built on Microsoft Azure Rights Management (Azure RMS), to encrypt Microsoft 365 email messages and their attachments.

Microsoft 365 Message Encryption is one of three types of email encryption available in Microsoft 365. The other two are Secure/Multipurpose Internet Mail Extensions (S/MIME) and Information Rights Management (IRM). Each has pros and cons, and it is worth comparing the three before choosing one.

Microsoft Office 365 Message Encryption lets users send encrypted email to recipients both inside and outside the organization and receive encrypted replies. It also gives administrators granular control over which messages are protected, since the encryption is applied by Exchange Online transport (mail flow) rules.

If an email matches a transport rule configured for encryption, the message is encrypted automatically with no intervention by the end user. A recipient of an encrypted email can open it with a one-time passcode, by signing in with a Microsoft account, or by signing in with a work or school account connected to Microsoft 365. Microsoft 365 Message Encryption also lets recipients read encrypted emails and send encrypted replies without having a Microsoft 365 subscription.

Microsoft 365 Message Encryption features

The Office 365 Message Encryption solution provides the following features:

  • Encrypts sent emails and replies
  • Works with a recipient email address outside Microsoft 365, including Outlook.com, Yahoo, Gmail, and others
  • Provides granular controls as to which emails are encrypted and which are not
  • Requires no installed software for the sender or receiver
  • Fits many use cases, including a bank sending credit card statements to customers, doctor's offices sending medical documents to patients, attorneys sending confidential legal information to clients, etc.

Note: There is an important limitation to be aware of with Office 365 Message Encryption (OME). Its Encrypt-only option does not prevent recipients from forwarding, printing, or copying an encrypted message. If a business must prevent forwarding and printing, it needs to apply a rights template that restricts those actions, such as Do Not Forward, or use another encryption solution.

Does Microsoft Office 365 Message Encryption encrypt data at rest?

With Microsoft Office 365 Message Encryption, the message itself is encrypted, not just the connection it travels over, so it is protected "in flight" between sender and recipient. Encryption of stored mailbox data is a separate matter that Microsoft already handles by default: Exchange Online uses BitLocker Drive Encryption on the disks of the hosted environment to encrypt email data at rest in its datacenters. This means you don't have to purchase additional services to have encryption for your email data at rest.

Enabling Microsoft Office 365 Message Encryption

Before you can use the Microsoft OME feature, you need to have a plan that supports it. Office 365 Message Encryption is included with Office 365 Enterprise E3 and E5, Microsoft 365 Enterprise E3 and E5, Microsoft 365 Business Premium, Office 365 A1, A3, and A5, and Office 365 Government G3 and G5.

If you are on one of these plans, you don't need additional licensing. Notably, you can also add Azure Information Protection Plan 1 as a standalone SKU to Exchange Online Plan 1, Exchange Online Plan 2, Office 365 F1, Microsoft 365 Business Basic, Microsoft 365 Business Standard, or Office 365 Enterprise E1.

Once Azure Information Protection is licensed and active in the tenant, Office 365 Message Encryption functionality can be verified with Exchange Online PowerShell.

Connect to your Microsoft 365 Exchange Online Environment using Exchange Online PowerShell:

Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowProgress $true

Run the Get-IRMConfiguration cmdlet. It reports the tenant's current IRM configuration (it does not test the RMS templates; that is what Test-IRMConfiguration does below). The value of AzureRMSLicensingEnabled should be True.

Running the Get-IRMConfiguration cmdlet in Exchange Online

Now run the Test-IRMConfiguration cmdlet, which acquires the RMS templates and performs a test encryption and decryption between the sender and recipient mailboxes you pass in. At the bottom of its output, you should see OVERALL RESULT: PASS. The syntax is as follows:

Test-IRMConfiguration -Sender user@yourorg.onmicrosoft.com -Recipient user@yourorg.onmicrosoft.com

Running the Test-IRMConfiguration cmdlet to test the RMS templates
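The following script is an added example, not code from the original article. It performs the verification steps above in one pass: it connects, reads the IRM configuration, turns Azure RMS licensing on if it is off, runs the end-to-end template test, and fails loudly if the overall result is not PASS. The sender and recipient addresses are placeholders, and the script assumes the Test-IRMConfiguration result object exposes its summary as the OverallResult property.

```powershell
# Added example (not from the original article): verify OME readiness end to end.
# Assumptions: ExchangeOnlineManagement is installed, the account used has the
# Exchange admin role, and the two addresses below are real mailboxes in the tenant.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowProgress $true

$sender    = 'user@yourorg.onmicrosoft.com'   # placeholder
$recipient = 'user@yourorg.onmicrosoft.com'   # placeholder

# Get-IRMConfiguration only reports settings; it does not exercise anything.
$irm = Get-IRMConfiguration
$irm | Format-List AzureRMSLicensingEnabled, InternalLicensingEnabled,
                   ExternalLicensingEnabled, SimplifiedClientAccessEnabled

if (-not $irm.AzureRMSLicensingEnabled) {
    # Normally True by default in eligible tenants; switch it on before testing.
    Write-Warning 'AzureRMSLicensingEnabled is False; enabling it.'
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}

# Test-IRMConfiguration acquires the RMS templates and performs a test
# encrypt/decrypt between the two mailboxes.
$test = Test-IRMConfiguration -Sender $sender -Recipient $recipient
$test.Results            # the step-by-step PASS/FAIL lines

# Assumed property name for the summary line shown as "OVERALL RESULT".
if ($test.OverallResult -ne 'PASS') {
    throw "IRM configuration test failed: $($test.OverallResult)"
}

# List the templates a mail flow rule can reference. "Encrypt" (Encrypt-only)
# and "Do Not Forward" are the built-in ones.
Get-RMSTemplate | Format-Table Name, Description -AutoSize
```

Run this before creating any mail flow rules; if the throw fires, read the FAIL line in the Results output, since it names the step (template acquisition, encryption, or decryption) that did not work.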

Now that we have confirmed that Test-IRMConfiguration passes, we need to add a transport rule to turn on OME encryption. Navigate to the Exchange admin center > Mail flow > Rules > Apply Office 365 Message Encryption and rights protection to messages…

Creating a new mail flow rule to apply Microsoft Office 365 Message Encryption

In the new rule dialog box, you define which messages the Microsoft Office 365 Message Encryption and rights protection policy applies to. For example, in the rule below, I have defined:

  • Apply this rule if—The subject or body includes.
  • Then I entered the word "confidential."
  • Result—Messages sent with the subject or body containing the word "confidential" will be encrypted with OME encryption.

Apply Microsoft Office 365 Message Encryption and rights protection to email messages
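The same rule can be created with Exchange Online PowerShell, which is easier to review and reproduce than the admin center dialog. The script below is an added example, not part of the original article: it creates the "confidential" rule from the screenshot with the Encrypt-only template, and adds a stricter rule for mail leaving the organization that uses the Do Not Forward template, which also blocks forwarding, printing, and copying. It assumes you are already connected with Connect-ExchangeOnline; the rule names and the trigger word are placeholders for your own policy.

```powershell
# Added example (not from the original article): OME mail flow rules via PowerShell.
# Assumption: an existing Connect-ExchangeOnline session with the Exchange admin role.

# Confirm the built-in templates exist in this tenant before referencing them.
$templates = (Get-RMSTemplate).Name
foreach ($t in 'Encrypt', 'Do Not Forward') {
    if ($templates -notcontains $t) { throw "RMS template '$t' is not available" }
}

# Rule 1 (evaluated first): mail containing "confidential" that leaves the org
# gets "Do Not Forward", so external recipients cannot forward, print or copy it.
# StopRuleProcessing keeps the broader Encrypt rule from also being applied.
New-TransportRule -Name 'OME - do not forward confidential external mail' `
    -SubjectOrBodyContainsWords 'confidential' `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate 'Do Not Forward' `
    -StopRuleProcessing $true `
    -Mode Enforce -Priority 0

# Rule 2: mirrors the admin-center example. "Encrypt" is the Encrypt-only template:
# recipients can read the message, and can also forward, print and copy it.
New-TransportRule -Name 'OME - encrypt confidential mail' `
    -SubjectOrBodyContainsWords 'confidential' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Mode Enforce -Priority 1

# Review: both rules should be Enabled and in Enforce mode, with the
# Do Not Forward rule at the lower priority number (evaluated first).
Get-TransportRule | Where-Object Name -like 'OME - *' |
    Format-Table Priority, Name, State, Mode, ApplyRightsProtectionTemplate -AutoSize
```

Start with -Mode Audit instead of Enforce if you want to see which messages would match in the message trace before any encryption is applied, then switch the rule to Enforce with Set-TransportRule.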

Final notes

Historically, implementing encryption solutions with email and other technologies has been complex and challenging. However, with Microsoft Office 365 Message Encryption, Microsoft has provided a built-in solution that requires minimal configuration or technical expertise to provide email encryption.


It requires running a Microsoft 365 subscription that includes Azure Information Protection (AIP). However, you can add AIP to other supported plans as a standalone SKU. Once added, implementing email encryption is as easy as adding mail flow rules that define which emails are encrypted.

1 Comment
  1. Srinivas 3 months ago

    Very informative, thank you.

© 4sysops 2006 - 2023