Forum Discussion
Encryption confusion
I do light Office 365 admin for a number of clients, always under Office 365 Business Premium subscriptions. I'm confused about encryption, that either does exist, or not, and where it does and doesn't.
I read the following link, and as is often the case, there's plenty about the technology, but nothing about where it is implemented, namely, which subscription level you need to get it.
https://docs.microsoft.com/en-us/microsoft-365/compliance/email-encryption
So bottom line: if a small business under Office 365 Business Premium asks the question: "Is our email encrypted?", I find myself unable to be certain 100%. I do know it is encrypted in transit between email servers, and presumably it is encrypted from sender to the Office 365 servers, due to Outlook having that Security tab under Account Settings with a (greyed out) checkmark saying "encrypt data between Microsoft Outlook and Microsoft Exchange". If so, this means we're good from the sender, through to the far end of the Office 365 infrastructure, leaving only the recipient server and client end in question. Is that all correct?
Any pointers to a real description of this stuff and not the confusing (yet technically interesting) type of link as the one I put in above would be appreciated! π
Thank you.
Does this help, its the best explanation I have seen:
βExchange Online always attempts to use TLS first to secure your email but cannot always do this if the other party does not offer TLS security.
For Exchange Online, we use TLS to encrypt the connections between our Exchange servers and the connections between our Exchange servers and other servers such as your on-premises Exchange servers or your recipients' mail servers. Once the connection is encrypted, all data sent through that connection is sent through the encrypted channel. However, if you forward a message that was sent through a TLS-encrypted connection, that message isn't necessarily encrypted. This is because, in simple terms, TLS doesn't encrypt the message, just the connection.
If you want to encrypt the message you need to use an encryption technology that encrypts the message contents, for example, something like Office Message Encryption.β
https://docs.microsoft.com/en-us/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections
This provides how various measures help and where they are implemented
https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-encryption-risks-and-protections
This provides info on the broader topics:
https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide#encryption-for-data-at-rest-and-data-in-transit
The licence requirements for OME are discussed here:
https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-faq?view=o365-worldwide#what-subscriptions-do-i-need-to-use-the-new-ome-capabilities
Hope that helps.
7 Replies
Does this help, its the best explanation I have seen:
βExchange Online always attempts to use TLS first to secure your email but cannot always do this if the other party does not offer TLS security.
For Exchange Online, we use TLS to encrypt the connections between our Exchange servers and the connections between our Exchange servers and other servers such as your on-premises Exchange servers or your recipients' mail servers. Once the connection is encrypted, all data sent through that connection is sent through the encrypted channel. However, if you forward a message that was sent through a TLS-encrypted connection, that message isn't necessarily encrypted. This is because, in simple terms, TLS doesn't encrypt the message, just the connection.
If you want to encrypt the message you need to use an encryption technology that encrypts the message contents, for example, something like Office Message Encryption.β
https://docs.microsoft.com/en-us/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections
This provides how various measures help and where they are implemented
https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-encryption-risks-and-protections
This provides info on the broader topics:
https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide#encryption-for-data-at-rest-and-data-in-transit
The licence requirements for OME are discussed here:
https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-faq?view=o365-worldwide#what-subscriptions-do-i-need-to-use-the-new-ome-capabilities
Hope that helps.
I currently have the same question and concern. From what I could understand is that outlook.com can or you have the opportunity to encrypts emails. From what I could have read from the following article: https://support.office.com/en-us/article/learn-about-encrypted-messages-in-outlook-com-3521aa01-77e3-4cfd-8a13-299eb60b1957
But I still don't know for business purposes if this also abides for us. We currently have Business Essential only licenses, but my question still resides: Are emails send using Outlook 2019 Desktop Client encrypted through office365 Exchange?
But when it comes to Office365 Exchange you get a whole different story.
https://docs.microsoft.com/en-us/microsoft-365/compliance/set-up-new-message-encryption-capabilities?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/email-encryption?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/compliance/ome?view=o365-worldwide
I guess we'll count Cian's reply as our answer? I have to do some reading, a lot of links provided by you guys !:) Thank you so much for taking the time. I'll have to actually schedule say an hour to review all this because it's a lot, so if you have thoughts prior, please post. Thanks again!
It's saying encryption is applied during the transfer of information between clients and hosts which secures the connection and everything that travels through it. The messages themselves aren't encrypted but they are protected during transit. When sending emails externally, Exchange Online will always try to use a secure connection, but this won't always be possible depending on how the recipient's email system is configured.
To ensure messages are encrypted and can only be opened by the intended recipient, OME encrypts the contents and applies controls to ensure messages are secure, wherever emails are being sent to.
