Forum Discussion

Dan_Snape's avatar
Dan_Snape
Steel Contributor
Aug 05, 2019

Transport rule for encrypted messages

I'm trying to configure a mail flow/transport rule in Exchange Online to add a banner to incoming messages that are encrypted. During testing, the rule does not get triggered, even though the received message has an Outlook notification that the message is encrypted. My rule is using the "if message type is encrypted" condition to add a disclaimer (prepend). Does anyone know how this can successfully be achieved?

  • Dan_Snape's avatar
    Dan_Snape
    Steel Contributor

    I think I've figured it out. Looks like the message type 'Permission controlled' deals with these type of messages, and I'm able to do exactly what I need using this as a condition in the transport rule.

  • ankit shukla's avatar
    ankit shukla
    Iron Contributor

    Dan_Snape Hi Dan,

     

    Can you Run Get-TransportRule -Identity "name of transport rule" | FL and share here (pls hide sensitive or confidential information including domain name. 

    Also , have you enforced the Transport Rule at the end of Transport rule.

     

    Cheers !

    Ankit Shukla

     

    • Dan_Snape's avatar
      Dan_Snape
      Steel Contributor

      VasilMichevDoing some more digging into this, transport decryption is enabled by default in Exchange Online and set to "Optional" so transport rules can in fact read messages protected using AAD RMS. I've tested and this works fine (a disclaimer is added successfully to these messages). So my mistake was thinking that the "encrypted" message type also referred to these types of messages, when in fact it only refers to S/MIME protected messages.

      I now need to find a condition I can use in a transport rule that can detect messages that have AAD RMS protection applied to it. We are using the "Encrypt" option in Outlook to do the protection which I understand uses the new OME, which uses AAD RMS (but I may be wrong)

  • Dan_Snape's avatar
    Dan_Snape
    Steel Contributor

    We currently have a rule that is prepending "EXT:" to the subject line of all messages from outside the organisation via an Exchange Online transport rule. This is also occurring on encrypted messages (coming from an external recipient also in Exchange Online). Is there any way I can create a condition to detect these encrypted messages and use this as an exclusion for this transport rule? I've tried using "if message type is encrypted" and if "X-MS-Exchange-CrossTenant-TransportEncryption-OmeV2LinkUrl' header contains "."" but with no success.

    Even better I could create a separate rule to tag these messages with "Encrypted:" and bypass the above rule.

    • VasilMichev's avatar
      VasilMichev
      MVP

      Depends on the type of encryption, how exactly are the messages being generated? RMS? OME? S/MIME? 

Resources