Forum Discussion
Force external users to use OME Portal (versus decryption in Outlook for PC or Outlook Web Access)
- Sep 18, 2020
AsTheCrowFlew Hello again Paul! As we both have spent quite some time on this conversation, how about making a "best response" to this reply to others for future reference?
1. To use OME standard setting with the default templates Encrypt-Only and Do Not Forward per email. Do it manually.
2. To use OME standard setting and the default templates Encrypt-Only and Do Not Forward automatically not forcing a wrapper. Use EAC transport rules without adding custom branding.
3. To use OME standard setting with the default templates Encrypt-Only and Do Not Forward automatically forcing a wrapper. Use EAC transport rules with custom branding selecting default 'OME Configuration'.
4. To use OME with additional configuration options and the default templates Encrypt-Only and Do Not Forward automatically forcing a wrapper. Use EAC transport rules with custom branding templates (requires Advanced OME).
5. To force all external recipients to use the OME portal use https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-office-365-message-encryption?view=o365-worldwide#use-a-custom-template-to-force-all-external-recipients-to-use-the-ome-portal-and-for-encrypted-email
Obviously one could use PowerShell and other configuration options, but I believe this covers the "basics" pretty well.
Let me know if you put up a UV and I will vote on it.
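As an added illustration (not from any post in this thread), here is the New-TransportRule command quoted later in the thread, narrowed to one recipient domain and to messages the sender has opted in, and created in audit mode so it can be reviewed before it enforces anything. The domain "partner.example", the rule name and the subject keyword "[secure]" are placeholders chosen for this example.

```powershell
# Added example, not code from the thread or from Microsoft's documentation.
# Assumptions (placeholders): recipient domain "partner.example", the rule
# name below, and "[secure]" as the subject keyword senders use to opt in.

Connect-ExchangeOnline

# Confirm the template names the rule will reference exist in this tenant
# before creating a rule that depends on them.
Get-RMSTemplate | Where-Object { $_.Name -eq 'Encrypt' }
Get-OMEConfiguration -Identity 'OME Configuration'

$ruleName = 'OME portal wrapper - partner.example'

# Conditions: internal sender, recipient in the target domain, and the
# sender's opt-in keyword in the subject, so only messages meant to be
# encrypted get the Encrypt template plus the branding template (the
# wrapper that sends external recipients to the OME portal).
# -Mode Audit logs matches without applying the actions.
New-TransportRule -Name $ruleName `
    -FromScope InOrganization `
    -RecipientDomainIs 'partner.example' `
    -SubjectContainsWords '[secure]' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -ApplyRightsProtectionCustomizationTemplate 'OME Configuration' `
    -Mode Audit

# Review the stored conditions and actions before enforcing.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Conditions, Actions

# After sending test messages and checking the message trace for rule
# matches, switch the rule to enforce mode.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

Messages without the keyword, or to other domains, are left untouched, which is the selective behaviour asked about later in the thread.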
ChristianBergstrom We currently encrypt messages on demand with no transport rules (senders click Encrypt Only in their Outlook client when necessary). As expected, different recipients experience different behavior when receiving these messages. Some get a link (like Gmail users); others try (successfully or not) to decrypt the message within their Outlook client. I'm looking for a way for everyone who is otherwise getting an encrypted message to get the link. In the example they provide (see below) it reads like it's going to encrypt every message, which is not what we want. I'll worry about selectively applying this logic to specific domains, but for right now I'd settle on a template that simply forces portal usage. You're right that I'm using basic OME. When I read the documentation on https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-advanced-message-encryption?view=o365-worldwide the section about forcing portal use sends me right back to where I started. I'll happily pay more to get more, but that Advanced OME article doesn't reference exactly what we're trying to accomplish.
New-TransportRule -name "<All outgoing mail>" -FromScope "InOrganization" -ApplyRightsProtectionTemplate "Encrypt" -ApplyRightsProtectionCustomizationTemplate "OME Configuration"
AsTheCrowFlew How did it go? Did you try the OME transport rules using EAC?
- AsTheCrowFlew Sep 18, 2020 Brass Contributor
If we send an encrypted message using Outlook -> Options -> Encrypt the recipient gets an encrypted message and can decrypt the message within their Outlook, all as expected. If we send using the transport rule you mentioned above (please note we had to add "sender is internal" and remove the "@" from the criteria) the recipient instead receives a wrapper with the "Read the Message" link taking them to the portal.
This moves us along in the troubleshooting but still leaves some questions:
1) This method is encrypting every message to that domain now, which is not what we wanted. The original ask was to force a "Read the Message" link... if the message was meant to be encrypted in the first place.
2) Does this mean that the Outlook -> Options -> Encrypt method isn't using the OME Configuration normally? 'Cause it seems like all the transport rule is doing is applying the configuration to the encrypted message. I didn't realize Outlook -> Options -> Encrypt skipped that part.
3) What about the OME Configuration is forcing this "Read the Message" link behavior? The configuration only has a few options and none of them suggest that it would force a link. Or, more likely, I'm an idiot and the Configuration by its very nature takes away the ability to decrypt the message inside the recipient's Outlook.
To revise my original ask... based on bec094 opening my eyes... can we apply an OME Configuration but only to messages that were meant to be encrypted in the first place? Bonus ask... to do that selectively by domain.
- ChristianBergstrom Sep 18, 2020 Silver Contributor
AsTheCrowFlew Thanks for the update!
Here goes... as far as I know after reading about it (needed refresh).
1. OME isn't that flexible.
2. Manual encrypt does not use the additional custom branding as specified in EAC transport rule (only default OME Configuration).
3. So then the custom branding doesn't force a link to the OME portal for all. *edit just re-read your post and noticed it does include wrapper to all as I suggested in the first place (yay)*, but instead is used for custom branding scenarios and some extra functionality as specified here https://docs.microsoft.com/en-us/microsoft-365/compliance/add-your-organization-brand-to-encrypted-messages?view=o365-worldwide
In short, you cannot use OME as you'd like.
- AsTheCrowFlew Sep 18, 2020 Brass Contributor
I would agree that it's not flexible and that manual encrypt does not apply configuration templates. I think your conclusion about OME not being able to do what I need might also be correct. But I disagree with #3. Based on MS's language from their article "Use a custom template to force all external recipients to use the OME Portal" and the results of the test you suggested, it does appear that applying the configuration wrapper nets the end user having to use the portal. I believe the shortfall is that it doesn't address only applying the wrapper when you want to selectively encrypt messages. Maybe I'll have to move this to UserVoice.