Forum Discussion
Force external users to use OME Portal (versus decryption in Outlook for PC or Outlook Web Access)
- Sep 18, 2020
AsTheCrowFlew Hello again Paul! As we both have spent quite some time on this conversation, how about making a "best response" to this reply to others for future reference?
1. To use OME standard setting with the default templates Encrypt-Only and Do Not Forward per email. Do it manually.
2. To use OME standard setting and the default templates Encrypt-Only and Do Not Forward automatically not forcing a wrapper. Use EAC transport rules without adding custom branding.
3. To use OME standard setting with the default templates Encrypt-Only and Do Not Forward automatically forcing a wrapper. Use EAC transport rules with custom branding selecting default 'OME Configuration'.
4. To use OME with additional configuration options and the default templates Encrypt-Only and Do Not Forward automatically forcing a wrapper. Use EAC transport rules with custom branding templates (requires Advanced OME).
5. To force all external recipients to use the OME portal, use https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-office-365-message-encryption?view=o365-worldwide#use-a-custom-template-to-force-all-external-recipients-to-use-the-ome-portal-and-for-encrypted-email
Obviously one could use PowerShell and other configuration options, but I believe this covers the "basics" pretty well.
Let me know if you put up a UV and I will vote on it.
AsTheCrowFlew Hello, well when you're using the built-in OME your options are rather limited as you can only choose between Encrypt-Only and Do Not Forward. I haven't tried to set it up as you mentioned. But to answer your question it's the -ApplyRightsProtectionCustomizationTemplate parameter that will force the recipient to use the OME portal. I assume you only have one template? The default name is the "OME Configuration". You can adjust that one if you'd like to. Don't know how to use it for selective users as the -FromScope is either InOrganization or NotInOrganization.
- AsTheCrowFlew, Sep 15, 2020, Brass Contributor
ChristianBergstrom We currently encrypt messages on-demand with no transport rules (senders click Encrypt Only in their Outlook client when necessary). As expected, different recipients experience different behavior when receiving these messages. Some get a link (like gmail users), others try (successfully or not) to decrypt the message within their Outlook client. I'm looking for a way for everyone who is otherwise getting an encrypted message to get the link. In the example they provide (see below) it reads like it's going to encrypt every message, which is not what we want. I'll worry about selectively applying this logic to specific domains, but for right now I'd settle on a template that simply forces portal usage. You're right that I'm using basic OME. When I read the documentation on https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-advanced-message-encryption?view=o365-worldwide the section about forcing portal use sends me right back to where I started. I'll happily pay more to get more, but that Advanced OME article doesn't reference exactly what we're trying to accomplish.
New-TransportRule -name "<All outgoing mail>" -FromScope "InOrganization" -ApplyRightsProtectionTemplate "Encrypt" -ApplyRightsProtectionCustomizationTemplate "OME Configuration"
- ChristianBergstrom, Sep 18, 2020, Silver Contributor
AsTheCrowFlew How did it go? Did you try the OME transport rules using EAC?
- AsTheCrowFlew, Sep 18, 2020, Brass Contributor
If we send an encrypted message using Outlook -> Options -> Encrypt the recipient gets an encrypted message and can decrypt the message within their Outlook, all as expected. If we send using the transport rule you mentioned above (please note we had to add "sender is internal" and remove the "@" from the criteria) the recipient instead receives a wrapper with the "Read the Message" link taking them to the portal.
This moves us along in the troubleshooting but still leaves some questions:
1) This method is encrypting every message to that domain now, which is not what we wanted. The original ask was to force a "Read the Message" link... if the message was meant to be encrypted in the first place.
2) Does this mean that the Outlook -> Options -> Encrypt method isn't using the OME Configuration normally? Cause it seems like all the transport rule is doing is applying the configuration to the encrypted message. I didn't realize Outlook -> Options -> Encrypt skipped that part.
3) What about the OME Configuration is forcing this "Read the Message" link behavior? The configuration only has a few options and none of them suggest that it would force a link. Or more likely I'm an idiot and the Configuration by its very nature takes away the ability to decrypt the message inside the recipient's Outlook.
To revise my original ask... based on bec094 opening my eyes... can we apply an OME Configuration but only to messages that were meant to be encrypted in the first place? Bonus ask... to do that selectively by domain.
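The PowerShell equivalent of the transport-rule approach from the "best response" list above (options 3 and 5), extended to the revised ask in this post (customization template only for mail that was meant to be encrypted, and only for chosen domains). This is an added example, not code from the thread or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module, an Exchange admin account, and a convention in which senders mark mail they want wrapped with a subject keyword ("[secure]"); the rule names, the keyword, the admin UPN and the domain list are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement module is installed
# and the account has Exchange admin rights. All names, the keyword and domains are placeholders.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"   # placeholder UPN

# 1. Inspect the default customization template before referencing it in a rule.
#    "OME Configuration" is the default template name mentioned in the thread.
Get-OMEConfiguration -Identity "OME Configuration" |
    Format-List Identity, OTPEnabled, SocialIdSignIn

# 2. The rule from the thread: wrap every outbound message to external recipients.
#    -FromScope InOrganization is the "sender is internal" condition the poster had to add;
#    -SentToScope NotInOrganization keeps internal mail out of scope.
#    Assumption: start in Audit mode, then switch to Enforce once the message-trace results look right.
New-TransportRule -Name "OME portal: all external mail" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate "OME Configuration" `
    -Mode Audit

# 3. The revised ask: only mail the sender intended to encrypt, and only for selected domains.
#    Assumption: because the Outlook Encrypt button does not pass through this rule, "meant to be
#    encrypted" is expressed to the rule by a subject keyword the sender adds. The rule encrypts
#    and forces the portal wrapper only when that keyword is present AND the recipient domain matches.
New-TransportRule -Name "OME portal: flagged mail to partner domains" `
    -Priority 0 `
    -FromScope InOrganization `
    -RecipientDomainIs @("partner.example", "gmail.com") `
    -SubjectContainsWords @("[secure]") `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate "OME Configuration" `
    -StopRuleProcessing $true `
    -Mode Enforce

# 4. Verify which rules apply a customization template, their priority and whether they enforce.
Get-TransportRule |
    Where-Object { $_.ApplyRightsProtectionCustomizationTemplate } |
    Format-Table Name, Priority, State, Mode, RecipientDomainIs, ApplyRightsProtectionTemplate
```

The keyword condition is the design choice worth reviewing: any condition the rule can evaluate (subject words, a message header, a sensitivity label) would serve, but the rule has to be told which messages count as "meant to be encrypted", since the client-side Encrypt button applies protection outside the transport rule. Keeping the broad rule in Audit mode while the domain-scoped rule enforces lets you compare message-trace results before widening scope.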
- ChristianBergstrom, Sep 15, 2020, Silver Contributor
AsTheCrowFlew Hello again, I understand the process and your requested scenario as well. I think.
I would like to suggest that you use OME with transport rules using the portal instead, as the PowerShell example is just an example of how to enable it for all.
You can select the default OME Config but if you would like to use custom branding I believe you will require the Advanced OME.
That should do it, I hope. Let me know.