Forum Discussion

Brass Contributor

Sep 15, 2020

Solved

Force external users to use OME Portal (versus decryption in Outlook for PC or Outlook Web Access)

https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-office-365-message-encryption?view=o365-worldwide#ensure-all-external-recipients-use-the-ome-portal-to-read-encrypted-mail section of ...

microsoft 365

ChristianBergstrom
Sep 18, 2020
AsTheCrowFlew Hello again Paul! As we both have spent quite some time on this conversation, how about making a "best response" to this reply to others for future reference?

1. To use OME standard setting with the default templates Encrypt-Only and Do Not Forward per email. Do it manually.
2. To use OME standard setting and the default templates Encrypt-Only and Do Not Forward automatically not forcing a wrapper. Use EAC transport rules without adding custom branding.
3. To use OME standard setting with the default templates Encrypt-Only and Do Not Forward automatically forcing a wrapper. Use EAC transport rules with custom branding selecting default 'OME Configuration'.
4. To use OME with additional configuration options and the default templates Encrypt-Only and Do Not Forward automatically forcing a wrapper. Use EAC transport rules with custom branding templates (requires Advanced OME).
5. To force all external recipients to use the OME portal use https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-office-365-message-encryption?view=o365-worldwide#use-a-custom-template-to-force-all-external-recipients-to-use-the-ome-portal-and-for-encrypted-email

Obviously one could use PowerShell and other configuration options, but I believe this covers the "basics" pretty good.

Let me know if you put up a UV and I will vote on it.

AsTheCrowFlew

Brass Contributor

Sep 18, 2020

I would agree that it's not flexible and that manual encrypt does not apply configuration templates. I think your conclusion about OME not being able to do what I need might also be correct. But I disagree with #3. Based on MS's language from their article "Use a custom template to force all external recipients to use the OME Portal" and the results of the test you suggested - it does appear that applying the configuration wrapper nets the end-user having to use the portal. I believe the shortfall is that it doesn't address only applying the wrapper when you want to selectively encrypt messages. Maybe I'll have to move this to uservoice.

ChristianBergstrom

Silver Contributor

Sep 18, 2020

AsTheCrowFlew Hello again Paul! As we both have spent quite some time on this conversation, how about making a "best response" to this reply to others for future reference?

1. To use OME standard setting with the default templates Encrypt-Only and Do Not Forward per email. Do it manually.

2. To use OME standard setting and the default templates Encrypt-Only and Do Not Forward automatically not forcing a wrapper. Use EAC transport rules without adding custom branding.

3. To use OME standard setting with the default templates Encrypt-Only and Do Not Forward automatically forcing a wrapper. Use EAC transport rules with custom branding selecting default 'OME Configuration'.

4. To use OME with additional configuration options and the default templates Encrypt-Only and Do Not Forward automatically forcing a wrapper. Use EAC transport rules with custom branding templates (requires Advanced OME).

5. To force all external recipients to use the OME portal use https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-office-365-message-encryption?view=o365-worldwide#use-a-custom-template-to-force-all-external-recipients-to-use-the-ome-portal-and-for-encrypted-email

Obviously one could use PowerShell and other configuration options, but I believe this covers the "basics" pretty good.

Let me know if you put up a UV and I will vote on it.

AsTheCrowFlew
Brass Contributor
Sep 19, 2020
ChristianBergstrom
UV: https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/41434339-create-a-mechanism-to-wrap-an-ome-configuration-to