Microsoft

Admin control for attachments now available in Office 365 Message Encryption

Summary

 

Administrators can now control whether Office attachments are protected for recipients outside of Office 365 when the Encrypt-Only template is used.  This was a key ask from Office 365 Message Encryption customers and is now available as a tenant-level setting.

 

Background

 

We have now made it possible for administrators to control how Encrypt-Only behaves for attachments shared with recipients outside of Office 365. By default, when a user sends an email with attachments using Encrypt-Only, the Office attachments are also protected with Encrypt-Only permissions, and that encryption persists throughout the lifecycle of the content. Previously, recipients outside of Office 365, such as Gmail users, could not open rights-protected attachments in Office clients (desktop, mobile, browser). Because of this, customers requested that Encrypt-Only attachments be decrypted upon download for recipients outside of Office 365.

 

What is available

 

Admins can control whether attachments from the Office 365 Message Encryption portal are downloaded with or without protection. Details on implementing the setting are below.

 

When the recipient signs in to the Office 365 Message Encryption portal, they can preview attachments as before.

 


  

If the control to decrypt the attachment is enabled, the document will be decrypted upon download and the recipient will be able to view it normally. Additionally, the content that is downloaded will remain decrypted unless additional protections are applied by the user.

 


 

Scope

 

This setting is available for the Encrypt-Only template and not for the Do Not Forward or Custom templates.

 

It’s enforced at the tenant level and applies to the document when the non-Office 365 user downloads the Office attachment from the Office 365 Message Encryption portal.

 

This setting does not apply to Office 365 users who use Outlook for Windows or Outlook on the web to consume protected email. They will continue to receive encrypted content directly in these Outlook clients.

 

How to control the setting

 

To manage whether to allow recipients to download Encrypt-only attachments without encryption from the Office 365 Message Encryption portal, follow these steps:

 

  1. Connect to Exchange Online Using Remote PowerShell (see https://aka.ms/exopowershell)
  2. Run the Set-IRMConfiguration cmdlet with the DecryptAttachmentFromPortal parameter as follows:

Set-IRMConfiguration -DecryptAttachmentFromPortal <$true|$false>

 

For example, to allow download of attachments without protection for Encrypt-only:

Set-IRMConfiguration -DecryptAttachmentFromPortal $true

 

If you decide that you want to revert the setting and keep attachments protected even after download:

Set-IRMConfiguration -DecryptAttachmentFromPortal $false
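The steps above as a guarded change, written here as an added example and not taken from Microsoft's post: it checks that the parameter is exposed in the session, records the value before and after, and supports -WhatIf. The function name Set-PortalAttachmentDecryption is hypothetical, and it assumes an Exchange Online remote PowerShell session is already imported and that Get-IRMConfiguration reports the value under the property name DecryptAttachmentFromPortal.

```powershell
# Added example: audit, then change, the tenant-level DecryptAttachmentFromPortal setting.
# Assumes an Exchange Online remote PowerShell session has already been imported.
function Set-PortalAttachmentDecryption {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [bool]$Enabled
    )

    # Commenters on this page hit NamedParameterNotFound when the parameter was
    # not yet exposed to their admin account, so check before calling it.
    $cmd = Get-Command -Name Set-IRMConfiguration -ErrorAction Stop
    if (-not $cmd.Parameters.ContainsKey('DecryptAttachmentFromPortal')) {
        throw 'Set-IRMConfiguration does not expose -DecryptAttachmentFromPortal in this session.'
    }

    # Assumption: Get-IRMConfiguration returns the value under the same name.
    $before = (Get-IRMConfiguration).DecryptAttachmentFromPortal

    # Only write when the value would actually change, and honour -WhatIf/-Confirm.
    if ($before -ne $Enabled -and
        $PSCmdlet.ShouldProcess('tenant IRM configuration',
                                "Set DecryptAttachmentFromPortal to $Enabled")) {
        Set-IRMConfiguration -DecryptAttachmentFromPortal $Enabled
    }

    # Read the value back so the change record reflects what the service stored.
    $after = (Get-IRMConfiguration).DecryptAttachmentFromPortal
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Before       = $before
        Requested    = $Enabled
        After        = $after
        Applied      = ($after -eq $Enabled)
    }
}

# Dry run first, then apply:
# Set-PortalAttachmentDecryption -Enabled $true -WhatIf
# Set-PortalAttachmentDecryption -Enabled $true
```

Keep the returned object with your change records: once the setting is $true, Encrypt-Only attachments downloaded from the portal stay decrypted, so the time of the change bounds which downloads left protection.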

  

Additional Resources

 

This was a key ask from customers that require non-Office 365 recipients to download and open the Office attachment in the Office client. We hope this additional control can provide more flexibility in collaborating on protected content for non-Office 365 users. Your feedback matters: leave us a comment below or go to UserVoice and submit your feedback/vote!

 

For additional resources on Office 365 Message Encryption - you can find them below:

 

 

 

25 Comments
Senior Member

It's a great announcement after the Encrypt feature, appreciate your continuous efforts to make customers flexible to use the 'Encrypt' feature.

 

I have a couple of queries regarding this:

1. If a non-O365 user forwards the email to an O365 user, will the document remain encrypted for the O365 user?

2. If an O365 user (who is not on the earlier version - 1804 of Outlook) forwards the email to a non-O365 user from the OME portal, will the attachment get decrypted for non-O365 users?

Occasional Contributor

It is a welcoming feature, but how reliable is it, we still have to test it out

 

Comment edited to add the following sentence.

Please make things simple... Not PowerShell please.

Regular Visitor

Desperately need this feature! When will it complete rollout to our tenancy?

Microsoft

@P Roby, the feature is fully rolled out.

 

@Vamsi the feature allows download without encryption from the OME portal for any recipient. It doesn't matter which identity forwarded the email to the recipient.

Regular Visitor

This is what I receive

 

A parameter cannot be found that matches parameter name 'DecryptAttachmentFromPortal'.
+ CategoryInfo : InvalidArgument: (:) [Set-IRMConfiguration], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-IRMConfiguration
+ PSComputerName : outlook.office365.com

Microsoft

This is unexpected. If anyone else runs into this issue, they should open a support ticket.

Hi, when will you add support for scoped RMS templates in Exchange transport rules? We cannot move to Azure based RMS due to that.
Microsoft

Scoped RMS templates in ETRs is coming very soon. Though can't give a public eta yet.

New Contributor

Any restriction on the Office version to be able to open the decrypted attachment? Such as Office 2010 or older? Currently working through an issue with a client that they are unable to open a Word document. Getting the message 'You do not have credentials that allow you to open this document. You can request updated permission from *@*.com. Do you want to request updated permission?'

Senior Member

Great news and I have run the PS command. Now external users can open attachments without being asked for any other account details.

 

We are only using the two RMS Templates:

The above is from an ETR/Mail Flow rule I set up to test. When I send an attachment (Excel) to that non Office 365 email address I receive the email stating 'Galvin, Mark (mark.galvin@xxxxxxx.co.uk) has sent you a protected message.'. I have clicked the link and it opens in the OME Portal. I have then clicked the 'request one-time passcode to view the message' (as I am testing this from the perspective of a user that does not have Office 365 or any other Microsoft account). Once the one time passcode arrives in my non Office 365 account, I copy the passcode and it opens the email in the OME portal. I then am able to download the Excel file and open it without any issue.

 

Using same Office 365 account I can use the 'Protect' --> 'Encrypt' option in OWA:


Same result as the ETR/Mail Flow rule - perfect.

 

Now, we mainly use Outlook 2016 ProPlus so I need that Encrypt option to appear in Outlook Desktop. I had read from here that we need to have at least the 1804 build, so I have updated to the 1806 version:


 

Restarted Outlook and I do not see the Encrypt button anywhere. I have tried under 'Options' then 'Permissions' but just see the 'Connect to Rights Management Server to get templates' and when I click on that nothing happens.

 

I have installed the AIP Client (we have the Azure Information Protection Plan 1 license on top of our E3 license) but that only gives me any Labels set up in the AIP Portal and not the Encrypt option. It does give me the Do Not Forward option but when I click on it, it gives an error.

 

Anyone know how to get it working please?

 

thanks

Mark

 

Senior Member

Managed to get it to work, although I'm not sure if it was this or just being patient! I sent a test email from OWA to an external account (which also has a redirect of all incoming email back to my Office 365 account). When I tried to open that encrypted email I get:

---------------------------
Microsoft Outlook
---------------------------
Sorry, something went wrong opening Information Rights Management protected content. The request is not supported.
---------------------------
OK
---------------------------

 

Before that appeared, a box briefly appeared that looked like it was connecting to the server and then in a new email:

Senior Member

I have sent a test email from Outlook (Office 365 E3) to my iCloud and another Office 365 (Business Premium) that I have. 

 

iCloud - works perfectly. I get the 'Galvin, Mark (mark.galvin@) has sent you a protected message.' email and I can click the link to open the OME portal and get the one time pass code etc. - cool.

 

Other Office 365 account - when I double click that email in Outlook I get the 'Sorry, something went wrong opening Information Rights Management protected content. The request is not supported.' error. Open OWA for that second account and in the message preview window I see the email and its attachment. Double click it and:


 

Any ideas here?

 

Thanks

Mark

Regular Visitor

Still waiting for the command to be made available. I was promised end of June by support!

Senior Member

@P Roby - what command are you waiting for?

 

Thanks

Mark

Regular Visitor

@Mark Galvin

 

$UserCredential = Get-Credential

 

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

 

Import-PSSession $Session

 

Set-IRMConfiguration -DecryptAttachmentFromPortal $true

 

Output

A parameter cannot be found that matches parameter name 'DecryptAttachmentFromPortal'.
+ CategoryInfo : InvalidArgument: (:) [Set-IRMConfiguration], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Set-IRMConfiguration
+ PSComputerName : outlook.office365.com

 

 

 

 

 

Senior Member

@P Roby

 

If you run 'Get-IRMConfiguration' once connected what do you see? Once I have run the 'Set-IRMConfiguration -DecryptAttachmentFromPortal $true' and then the 'Get-IRMConfiguration' I get:

Please post what you get.

 

thanks

Mark

Regular Visitor
Senior Member

@P Roby oh snap. That's odd. I take you are a global admin?

Regular Visitor

@Mark Galvin

 

Yes, I am global admin.

 

I really hope it's just a case of waiting for it to roll out properly to our tenancy.

Regular Visitor

Hi.

I am wondering how we can open the mail in the portal if we want to decrypt the attached documents. If we do send to an Office 365 customer or internal recipient with new Outlook, the inline function works. But then we are unable to decrypt the documents?

Regular Visitor

 

 @P Roby  Did you manage to find a solution to this? 

 

I'm getting the exact same error running the PS command.

 

I've spoken to MS Office 365 support. They've repeatedly sent me an out of date link to download Windows Management Framework 5.0 (https://www.microsoft.com/en-us/download/details.aspx?id=) Checking the version, I'm already running version 5.1. 

 

They're now telling me to use Internet Explorer! 

Regular Visitor

@Alex Bean No joy at all yet, I am going to raise another ticket. I personally think our tenancy has not yet been updated. I really need this feature!

Regular Visitor

@Alex Bean

 

I have now resolved the issue with tech support. The tenancy hadn't finished the upgrade to our existing admin accounts. However, creating a new admin account and running the command as the new account worked!

Microsoft

@P Roby @Alex Bean @Christian Knarvik @Mark Galvin @Vamsi Krishna Gunta, thanks for your questions and engaging with us here. Due to the interest and general questions, we decided to host an AMA. Note that it's not just for questions but we are also using this as an opportunity to get feedback on new investments. We hope you can join us tomorrow! https://techcommunity.microsoft.com/t5/Office-365-Encryption-AMA/Announcing-an-Office-365-Message-En...

Regular Visitor

@Caroline Shin Argh. I was on vacation, so I missed this. Is it still possible to get an answer to my question? :) I am wondering how we can open the mail in the portal if we want to decrypt the attached documents. If we do send to an Office 365 customer or internal recipient with new Outlook, the inline function works. But then we are unable to decrypt the documents?