Administrators can now control whether Office attachments are protected for recipients outside of Office 365 when the Encrypt-Only template is used. This was a key ask from Office 365 Message Encryption customers and is now available as a tenant-level setting.
Administrators can now control how Encrypt-Only behaves for attachments shared with recipients outside of Office 365. By default, when a user sends an email and attachments using Encrypt-Only, the Office attachments are also protected with Encrypt-Only permissions, and that encryption persists throughout the lifecycle of the content. Previously, recipients outside of Office 365, such as Gmail users, could not open rights-protected attachments in Office clients (desktop, mobile, browser). Because of this, customers requested that Encrypt-Only attachments be decrypted upon download for recipients outside of Office 365.
Admins can control whether attachments from the Office Message Encryption portal are downloaded with or without protection. Details on implementing the settings are below.
When the recipient signs in to the Office 365 Message Encryption portal, they can preview attachments as before.
If the control to decrypt the attachment is enabled, the document will be decrypted upon download and the recipient will be able to view it normally. Additionally, the content that is downloaded will remain decrypted unless additional protections are applied by the user.
This setting is available for the Encrypt-only template and not for the Do Not Forward or Custom templates.
It’s enforced at the tenant level and applies to the document when the non-Office 365 user downloads the Office attachment from the Office 365 Message Encryption portal.
This setting does not apply to Office 365 users who use Outlook for Windows, or Outlook on the web to consume protected email. They will continue to receive encrypted content directly in these Outlook clients.
To manage whether to allow recipients to download Encrypt-only attachments without encryption from the Office 365 Message Encryption portal, follow these steps:
Set-IRMConfiguration -DecryptAttachmentFromPortal <$true|$false>
For example, to allow download of attachments without protection for Encrypt-only:
Set-IRMConfiguration -DecryptAttachmentFromPortal $true
If you decide that you want to revert the setting and keep attachments protected even after download:
Set-IRMConfiguration -DecryptAttachmentFromPortal $false
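Because this is a tenant-wide switch that removes protection from downloaded files, it helps to record the value before and after each change. The following is an added example, not part of the original post: it assumes an Exchange Online PowerShell session is already connected and that Get-IRMConfiguration returns a DecryptAttachmentFromPortal property matching the parameter above. The function name Set-EncryptOnlyPortalDecryption is hypothetical.

```powershell
# Added example (not from the original post).
# Assumptions: an Exchange Online PowerShell session is already connected, and
# Get-IRMConfiguration exposes a DecryptAttachmentFromPortal property that
# mirrors the Set-IRMConfiguration parameter shown above.
function Set-EncryptOnlyPortalDecryption {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [bool]$Enabled
    )

    # Read the current tenant-level value before touching anything.
    $before = (Get-IRMConfiguration).DecryptAttachmentFromPortal

    if ($before -eq $Enabled) {
        Write-Verbose "DecryptAttachmentFromPortal is already $Enabled; no change made."
    }
    elseif ($PSCmdlet.ShouldProcess('tenant IRM configuration',
            "Set DecryptAttachmentFromPortal to $Enabled")) {
        Set-IRMConfiguration -DecryptAttachmentFromPortal $Enabled
    }

    # Re-read the setting so the record reflects what the service reports,
    # not what was requested.
    $after = (Get-IRMConfiguration).DecryptAttachmentFromPortal

    # Emit one record per run; pipe it to Export-Csv or a change log.
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Setting      = 'DecryptAttachmentFromPortal'
        Before       = $before
        After        = $after
        Requested    = $Enabled
        Compliant    = ($after -eq $Enabled)
    }
}

# Preview the change first, then apply it without the interactive prompt.
Set-EncryptOnlyPortalDecryption -Enabled $false -WhatIf
Set-EncryptOnlyPortalDecryption -Enabled $false -Confirm:$false
```

With -WhatIf the function makes no change and the returned record shows Compliant as False whenever the tenant value differs from the requested one.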
This was a key ask from customers that require non-Office 365 recipients to download and open the Office attachment in the Office client. We hope this additional control can provide more flexibility in collaborating on protected content for non-Office 365 users. Your feedback matters: leave us a comment below or go to UserVoice and submit your feedback or vote!
Additional resources on Office 365 Message Encryption can be found below: