Forum Discussion
Product Feedback for Advanced Message Encryption
mikedoneghan Hello, just gonna add my two cents.
Office Message Encryption is a great built-in encryption tool for emails with the options Encrypt-only and Do Not Forward. That's about all you can do with it, and it only uses the default OME template.
Now I haven't worked with Advanced OME, but here you have more possibilities with branding/templates. You can use multiple and specify more granular options, and not all email has to be encrypted. I assume you've looked in the EXO admin center and played around with possible scenarios, such as which custom branding template to use and whether to apply O365 Message Encryption or not? And as you mention, you can revoke access in some scenarios. But when you use custom branding you're using the wrapper all the time, hence more secure, as the recipient needs to access the OME portal, and then you have the possibility to revoke access and set an expiration date. Bear in mind that revoke and recall are different things.
The docs have several articles about OME and Advanced OME; perhaps you've already browsed through them, but I recommend you go there and have a look.
If you want a more secure and governance-oriented approach you shouldn't really look at OME, but instead at DLP and sensitivity labels. You can revoke with the latter if using the unified client. As an admin you always have the possibility. For these two tools you also have the audit log, where you can find things like SensitivityLabeledFileOpened.
ChristianJBergstrom Many thanks for your response. I've played around with Advanced Message Encryption custom branding templates, and it seems that the Do Not Forward and Encrypt options only use the standard OME template, so you can't force a link-based experience with these. However, it is possible to create a rule to use a custom template which forces a link-based experience, but this only works if the transport rule encrypts all emails sent in the organisation, which we don't want. This Tech Community article sheds some light on this.
You mentioned using DLP and sensitivity labels; however, I have already set up a sensitivity label and get the same behaviour as if the Encrypt option were used, i.e. it only uses a link-based experience if all emails are encrypted by a transport rule, and not selectively based on the sensitivity label being used.
If you've managed to implement sensitivity label(s) which allows a link-based experience (thus allowing revocable emails) for *all* (including Office 365 / Outlook.com) recipients, and which doesn't force every email to be encrypted, then I'd be interested to hear how you've achieved that.
You mentioned the unified client, I had to look that up. I read that Microsoft are planning on deprecating Office Apps and using only OWA. So are you referring to OWA being the unified client? If so I think you can only revoke emails using OWA anyway.
Regarding SensitivityLabeledFileOpened, is this a variable to detail whether an email has been read, or is it only for an attached file?
- Nov 24, 2021
mikedoneghan Wow, many questions. You know I have a day job right? 😉 As with the previous conversation from a year ago, which you linked to, I believe I did some deeper testing and ended with a reply from my OME findings (my old account).
Just to give you an example.
I used this right now and the wrapper showed up in my Outlook client (M365 desktop app). As I don't have Advanced OME I cannot use other branding than default OME Configuration. You on the other hand can choose multiple (if created) by clicking on the OME Config link, and the Encrypt link, and add other conditions and combine them.
If using sensitivity labels you don't have to go here. Those were previously named AIP labels/templates. OME is simply a small part of "AIP" using the rights management feature for the email/attachment. Sensitivity labels are all data everywhere, not only email.
You should instead work with your organization so the business classifies your data, and from those results IT sets up sensitivity labels and label policies which you publish to your users' apps, configuring permissions for them or letting them decide themselves, enforced in Outlook or Office apps (Word, PowerPoint, Excel). Add Data Loss Prevention, where you have so many settings which can even prevent your users from accidentally sending emails or documents to the wrong recipient using policy tips and policy notifications.
I meant the downloadable "AIP" unified labeling client. And I haven't heard a thing about discontinuing M365 apps.
As for your final question, perhaps this will answer it: How to Report Audit Events Generated for Sensitivity Labels - Office 365 for IT Pros (office365itpros.com)
- mikedoneghan, Nov 26, 2021, Copper Contributor
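The reply above points to the unified audit log for the SensitivityLabeledFileOpened event that was asked about. As an added example (not code from the thread or from Microsoft's article), this script pulls the sensitivity-label events for the last seven days and tallies them by operation and workload, so an admin can see for themselves which workloads (Exchange, SharePoint, OneDrive) actually generate the "opened" event. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds an audit-reading role, and that SensitivityLabelApplied and SensitivityLabelRemoved (operation names from the same event family, not mentioned in the thread) are enabled in your tenant.

```powershell
# Added example: tally sensitivity-label audit events by operation and workload.
# Assumes the ExchangeOnlineManagement module and an account allowed to read the audit log.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# SensitivityLabeledFileOpened is the event named in the thread; the other two
# are assumed label lifecycle operations from the same event family.
$ops = 'SensitivityLabeledFileOpened', 'SensitivityLabelApplied', 'SensitivityLabelRemoved'

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations $ops -ResultSize 5000

# AuditData is a JSON string; unpack the common-schema fields we care about.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $r.Operations
        User      = $r.UserIds
        Workload  = $d.Workload    # e.g. Exchange, SharePoint, OneDrive
        Object    = $d.ObjectId    # item the label event refers to (file path, message, ...)
    }
}

# Which operations fire, and from which workloads, in this tenant
$events | Group-Object Operation, Workload |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Every "labeled file opened" event in the window, oldest first
$events | Where-Object Operation -eq 'SensitivityLabeledFileOpened' |
    Sort-Object Time |
    Format-Table Time, User, Workload, Object -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

If the Workload column never shows Exchange for the opened event, that answers the "email or only attached file" question for your own tenant from evidence rather than from documentation.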
ChristianJBergstrom Thanks for your support! I have been tasked with setting up sensitivity labels and policies for our organisation in Office 365, with a view to using them in Outlook as well as for all files in SharePoint. However, note that I also tested the transport rule you quoted using a sensitivity label (applied from within OWA), and I'm stuck with the same problem of it encrypting all sent emails (with a link-based experience) rather than only those with the sensitivity label applied.
I've been trying to get the Unified Labeling Client you mentioned working so I can try this from the Outlook app (in case it has a different behaviour which does what I want, i.e. display a link-based experience for only each email sent using a sensitivity label), but I could do with a hand as no labels are showing.
I've created a label:
And also created a policy to publish the label to myself (without any policy settings though, as I don't want to force anything yet):
Also here are my licenses:
However, no labels are showing in the Unified Labelling Client:
But the sensitivity label does show in OWA:
Am I missing a step here? The Unified Labelling Client admin guide doesn't seem to mention anything else which needs doing. There doesn't seem to be any other way to configure it.
All the best,
Mike
- Nov 26, 2021 Hello! I honestly think it's better if you ask for assistance using the official support. Not my intention if that sounds impolite in any way. It's just too complex and time consuming as a community member.