A year and a half ago, we launched new Office 365 Message Encryption capabilities, and at the heart of these updates, we made it easier for users to collaborate on protected messages with anyone and on any device. These updates included empowering end users to apply encryption and read encrypted emails directly in Outlook, and also making it easier for non-Office 365 recipients to use their Google or Yahoo identities to authenticate and read encrypted messages.


Our goal continues to be to protect our customers’ sensitive data, by making it easier to apply and consume encrypted messages, regardless if your recipient is inside or outside your organization. Unfortunately, protecting and controlling sensitive data that’s shared outside your organization is more challenging than if it was shared inside your organization.


That’s why we are investing in capabilities that not only enhance encryption, but also provide more control over access to encrypted emails by external recipients.


Today, we are excited to share new Office 365 Advanced Message Encryption capabilities that enable admins to apply multiple custom email templates, and to expire and revoke encrypted emails accessed through the Office 365 web portal.


Read further to understand what’s available in Advanced Message Encryption.


Apply multiple custom email templates

Many organizations require custom email templates that reflect the unique brand, logo or text of the department or region the encrypted email came from. For example, a regional office in France may require that the email template that external recipients receive are in French.


With Advanced Message Encryption, customers can apply more than one custom email template. That means you can change, for example, the logo, color, and text of email template. Today, this is done through a PowerShell cmdlet.


Once the custom template is created, in the Exchange admin center, you can create a mail flow rule that applies the custom template based on set conditions. For example, if the message contains the key word ‘confidentiel’, for example, the email will be automatically applied with the desired encryption policy and custom template.




Expire access to encrypted emails

Another benefit to creating custom branded email templates is the ability to also set an expiration date as an added option to the template.


This may be valuable for organizations that have compliance obligations that require you to restrict how long external recipients can access sensitive emails per organizational policies or regulatory requirements.


With Office 365 Advanced Message Encryption, you can apply automatic policies that can detect sensitive information types (e.g. PII, Financial or Health IDs) or keywords, then enhance protection by expiring access through the Office 365 web portal to encrypted emails.


To enable this, once the custom email template is created in PowerShell with the desired expiration date, in the Exchange admin center, admins can apply the template based on the set conditions.


expiration_Health ID.png


After the template is applied, the sender can send email normally, and if the email meets the conditions of the policy, the expiration date will be invoked.


From the perspective of the recipient, after the message is sent, they would see the branded template with the expiration date. Once the encrypted email has expired, the email will no longer be accessible through the Office 365 web portal.


expiration recipient.png


Revoke access to encrypted emails


For organizations that collaborate and share sensitive emails with external recipients, we are also enabling the ability to revoke encrypted emails accessed through the Office 365 web portal.


Whether it’s due to malicious attack, accidental sharing of encrypted emails, or changes in who is authorized to view encrypted emails, admins can now go into the encryption report to find encrypted emails and revoke access through a new UI experience  inside the Office 365 Security and Compliance Center.

Revocation_5_Updated with names.png


Once the message is revoked, the external recipient  no longer access the sensitive email through the Office 365 web portal.




Get started

Advanced Message Encryption is rolling out and will be available in eligible tenants by the end of May. Get started by leveraging the resources such as support documentation and interactive labs provided below. 


Note, you must set up Office 365 Message Encryption to leverage Advanced Message Encryption capabilities, which provide added protection on top of encrypted messages shared externally. If you do not have Office 365 Message Encryption learn how to set it up here.


Office 365 Advanced Message Encryption requires an Office 365 E5 subscription or an Office 365 E3 subscription with the E5 Compliance add-on or Advanced Compliance add-on. If you don't have that plan and want to try Advanced Message Encryption, you can sign up for a trial of Office 365 Enterprise E5.





Interactive guide: Enhance protection with Advanced Message Encryption in Office 365


Regular Visitor

Sounds great. 


Does e-discovery work across all encrypted email content now? (Previously it was unable to discover items in attachments sent with a reply to an o365 encrypted email)

Super Contributor

Not surprised to see E5 price tag on this, but surprised it still has to be done via PowerShell.

it is surprising that this functionality on e-mail comes with additional license requirements because AIP P1, which is part of EMS E3 offers revoke and expiration OOB or can we expect that this will also be E5 in the near future?

While the expiration feature is nice, I'd like to see the ability for an individual user to set any expiration date on any message they send. Gmail has this and its very useful.  Also, message revocation should be available in the Message Trace GUI.

Occasional Contributor

@Caroline Shin Thanks for the updates above. These are good capabilities to add. In terms of this line, "From the perspective of the recipient, after the message is sent, they would see the branded template with the expiration date." - can you please confirm if the recipient is advised of the expiration date on receipt by design (e.g., "This message will expire in 30 days."), or if they will only know about expiration when they try to access an encrypted message after the expiration date?

Occasional Contributor

@Caroline Shin A second question on expiration - you have noted that a user accessing the encrypted message through the Office 365 web portal will be unable to access the message after expiration, but what about an external Office 365 subscriber with in-line decryption in Outlook? Although I think the design idea in September last year was that branded templates was about B2C interactions, and the organization could enforce the use of the portal, thereby side-stepping the use of Outlook inline. Is that still where you're aiming?

Super Contributor

On the roadmap items released yesterday it says that both expiration and revocation will only work with messages received as links, won't work for messages received inline in Outlook. You should be able to force messages go out as link to all recipients in template settings.


@Michael Sampson Thanks for your questions! The recipient will see the expiration date once they receive the message in the email template -this should inform them when the message will be expired. Then once the date has passed and the recipient tries to open the expired and encrypted message, after clicking on the link 'read message', they will get a message that it has been expired. As for your second question, today, to expire/revoke a message for an external O365 user (B2B) you will need to force a template with a link-based experience, which to your point means that the external O365 user will not get an inline experience. 


@Andy David @Oleg K Great feedback - will take this back to the team. 

Occasional Visitor

How about shared mailboxes, are they still excluded from the OME? It does not appear difficult to take one further step of verifying permission withwone's own credentials to use the shared mailbox to gain access to the OME message.

Occasional Visitor

Pls add a printing option to the OME.