
Email Encryption and Rights Protection

 

Announcing new capabilities available in Office 365 Message Encryption

 

 

As part of our integrated information protection investments we are releasing rich new capabilities in Office 365 Message Encryption that protect and control your sensitive emails. These enhancements are aimed squarely at helping you better safeguard your sensitive email communications without hampering the ability for your users to be productive and to easily collaborate with those inside or outside of your organization.

 

At a high-level, the new enhancements include:

 

  • Helping you lower the risk of accidental or malicious data loss by making it easier for your users to protect and read sensitive emails.
  • Enabling non-Office 365 recipients of protected emails to read and respond with ease, regardless of the device, app, service, or identity they use to receive their email.

Additionally, Office 365 Message Encryption will support customer-managed keys, to help you meet your compliance needs.

Please read below to understand more detail on what we are delivering and how you can get started.  

 

What’s New

 

Helping you lower the risk of accidental or malicious data loss by making it easier for your users to protect and read sensitive emails.

In the previous version of Office 365 Message Encryption, users could encrypt their messages by including certain keywords in the subject line or body of the message, which an administrator-defined mail flow rule then matched. While this is a powerful feature for organizations that want to encrypt sensitive emails automatically, it presented a hurdle for end users who wanted to send ad-hoc encrypted messages.

 

Today, in addition to the automatic policies that can be set by administrators, we are empowering end users to encrypt and rights protect sensitive messages using the default ad hoc policy “Do Not Forward”, as well as other custom policies. End users can now apply encryption and rights protection from Outlook in a few clicks.
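The following is an added example, not code from the original post, showing how the two kinds of automatic policy described above look as Exchange Online mail flow rules: the legacy keyword rule that routed mail through the old OME portal, and the new form that applies the "Do Not Forward" rights template instead. It assumes an Exchange Online PowerShell session for a tenant already onboarded to the Azure RMS-based stack; the rule names, the "[encrypt]" trigger word and the sender address are placeholders.

```powershell
# Added example: keyword-triggered protection as Exchange Online mail flow (transport) rules.
# Assumes an existing Exchange Online PowerShell session; names and addresses are placeholders.

# 1. Confirm the tenant can actually issue Azure RMS licenses before relying on any rule.
#    Test-IRMConfiguration performs an end-to-end encrypt/decrypt round trip for the sender.
$check = Test-IRMConfiguration -Sender "admin@contoso.com"
if ($check.OverallResult -ne "PASS") {
    throw "IRM/OME is not configured for this tenant: $($check.Results | Out-String)"
}

# 2. Legacy behaviour (previous OME): the "[encrypt]" keyword pushed the message through the
#    OME portal. This only encrypts; it grants no usage rights and cannot stop forwarding.
New-TransportRule -Name "Legacy OME on keyword" `
    -SubjectOrBodyContainsWords "[encrypt]" `
    -SentToScope NotInOrganization `
    -ApplyOME $true `
    -Enabled $false   # kept disabled; shown only as the "before" for comparison

# 3. New behaviour: the same trigger applies the "Do Not Forward" template, which encrypts
#    the message and its Office attachments and removes Forward/Copy/Print rights for every
#    recipient, internal or external, with no per-organisation trust to set up first.
New-TransportRule -Name "Protect on keyword" `
    -SubjectOrBodyContainsWords "[encrypt]" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 0

# 4. A keyword only fires when the user remembers to type it. Back it with a content-based
#    rule so accidental disclosure is caught too; "Credit Card Number" is a built-in
#    sensitive information type.
New-TransportRule -Name "Protect on credit card number" `
    -MessageContainsDataClassifications @(@{Name = "Credit Card Number"; minCount = "1"}) `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Priority 1

# 5. Review: the legacy rule should show as Disabled, the two new rules as Enabled.
Get-TransportRule | Where-Object { $_.Name -like "Protect on*" -or $_.Name -like "Legacy*" } |
    Format-Table Name, State, Priority, ApplyRightsProtectionTemplate, ApplyOME
```

Note that, at the time of this post, only "Do Not Forward" and custom templates could be applied by such a rule (see the discussion of an "encrypt only" option in the comments), so the template choice above is the one a practitioner would use today; rules with a lower Priority number are evaluated first, so keep the broad content-based rule after the explicit keyword rule to avoid surprising users.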

 

[Picture1.png] Example of an email being protected in the Outlook rich client.

 

Another area we’re investing in to protect sensitive data, is the ability to rights protect messages that are shared outside the organization for B2B and B2C scenarios.

 

Until recently, you could use Office 365 Message Encryption to send protected email to external recipients, but it presented a very different experience from Information Rights Management (IRM). In the new Office 365 Message Encryption, we are extending the feature to include the best of IRM, with the added benefit that the sender does not need to do anything before clicking Send. For example, we are eliminating complexity by removing the need to establish explicit trusts between organizations. Now users can easily send encrypted and rights-protected messages to anyone inside or outside the organization. Additionally, this protection is applied to any Office 365 document(s) attached to the message.

 

This makes it possible to not only protect sensitive data from being read by unintended audiences, but it also allows you to set usage rights, such as preventing the message from being forwarded, copied or printed.

 

 

[Picture2.png] Example of a protected email with an Office attachment that has also been protected.

 

Lastly, to further enable users to collaborate securely on protected emails, Office 365 users get a seamless reading experience on any device if they are using Outlook (desktop, Mac, web, iOS or Android mobile). For users who choose not to use the Outlook app, we are also adding the ability for you, as IT, to enable other Exchange ActiveSync (EAS) mobile email clients, such as the native Mail app on iOS, to receive and respond to protected emails.

 

[Picture4.png] Example of reading and sending a protected message from the Outlook app on iOS.

 

Ensuring that recipients of protected emails can read and respond with ease, regardless of the device, app, service, or identity they use to receive their email.

Another investment we made was to enable users to read a protected message regardless of their email provider. Previously, Office 365 Message Encryption recipients had to read encrypted messages with a Microsoft Account or a One-time Passcode.

 

Today, Gmail and Yahoo recipients can easily authenticate using their Google or Yahoo identity and sign in to a limited-time web view that allows them to read and collaborate on protected emails.

[Picture2.png] Example of the sign-in with Google page, where the recipient can use their Google identity to read a protected message in the limited-time web view.

 

Customers using less popular email providers can continue to use a Microsoft Account or a One-time Passcode.

 

Support for customer-managed keys

Regulated customers have expressed the need to provide customer-managed keys to the Microsoft cloud and to have the ability to protect their mail using these keys. Exchange Online now supports a customer-managed tenant key for Azure Information Protection. Read here to understand how to set this up in Azure Key Vault.
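As an added example (not part of the original post or the linked guidance), the sequence below shows what "bring your own key" through Azure Key Vault involves: an HSM-backed key in a Premium vault, an access policy that grants the Azure Rights Management service only the key operations it needs, and pointing the tenant at that key. It assumes the AzureRM and AADRM PowerShell modules that were current when this post was written, an existing resource group, and that the account running it is an Azure RMS global administrator; the vault, key, region and resource group names are placeholders.

```powershell
# Added example: customer-managed (BYOK) tenant key for Azure RMS via Azure Key Vault.
# Assumes the AzureRM and AADRM modules and an existing resource group; names are placeholders.

$rg        = "rg-rms-byok"
$vaultName = "kv-contoso-rms"          # Key Vault names must be globally unique
$keyName   = "contoso-tenant-key"
$location  = "northeurope"

# 1. HSM-protected keys require a Premium-SKU vault.
New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rg -Location $location -Sku Premium

# 2. Generate the RSA key inside the HSM boundary (use Add-AzureKeyVaultKey -KeyFilePath
#    to import a key created in your own HSM instead). The returned object's Id is the
#    versioned key URL that Azure RMS will be given.
$key = Add-AzureKeyVaultKey -VaultName $vaultName -Name $keyName -Destination HSM

# 3. Least privilege for the service: 00000012-0000-0000-c000-000000000000 is the well-known
#    application ID of Azure Rights Management. It gets key operations only, no key export.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName "00000012-0000-0000-c000-000000000000" `
    -PermissionsToKeys decrypt, encrypt, unwrapkey, wrapkey, verify, sign, get

# 4. Register the key as the tenant key for Azure RMS.
Connect-AadrmService
Use-AadrmKeyVaultKey -KeyVaultKeyUrl $key.Id

# 5. Verify that the Key Vault-backed key is now the active tenant key, and turn on
#    Key Vault diagnostics so every use of the key by the service is logged.
Get-AadrmKeys | Format-List
$vault = Get-AzureRmKeyVault -VaultName $vaultName
Set-AzureRmDiagnosticSetting -ResourceId $vault.ResourceId -Enabled $true -Categories AuditEvent
```

The access policy is the check worth revisiting later: if the key ever needs to be rotated, repeat steps 2 and 4 with the new key version, and keep the policy restricted to the operations listed, since the whole point of BYOK is that the key material stays under your control and the service only calls into it.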

 

How can I get this?

 

The new message protection capabilities are offered in Office 365 E3 and above for commercial customers and Office 365 A1 and above for EDU customers. We also offer them in several other plans with the appropriate add-ons; please refer to this table for more detail.

 

Get Started Today!

 

Customers should get started on these new capabilities that are available today! Please see resources below that can help you get started:

 

  1. Watch the session delivered at Ignite: BRK2203 Protect and control your sensitive emails with new Office365 Message Encryption capa...
  2. Attend the webinar that will talk through the new capabilities in more detail.
  3. Review set up guidance on support.office.com.

 

As we continue to invest in and deliver on more information protection capabilities, we would love to hear your feedback –engage with us here on the TechCommunity.

 

Thank you!

 

Caroline Shin

 

 

32 Comments
Occasional Visitor

Great news Caroline.  Thank you for the update.  The immediate thought is the implication for av and malware scanning.  Has there been any consideration for this?

 

Contributor

Broken link in the support.office.com article, should redirect here: https://support.office.com/en-us/article/2baf3ac7-12db-40a4-8af7-1852204b4b67

Regular Visitor

How long before existing users of OME & IRM are able to use the new features?

Microsoft

@Anikke Bukowski Thanks! Office 365 Message Encryption should not impact the anti-spam and anti-malware services in Exchange Online. Encrypted mails without attachments sent through Exchange Online can process the mail and attachment to provide value added services such as journaling, anti-malware scanning, indexing, and content detection (DLP).

 

@Paul Youngberg Thanks for flagging - we updated this to the right link. 

 

@Bob Fink it seems some of our old guidance wasn't updated. Actually, existing IRM/OME customers can also onboard to the new msipc based stack by simply running the cmdlets provided. Check out the documentation for the cmdlets. This updated guidance should be updated in the link above shortly if not already.  

Regular Visitor

@Caroline Shin that worked! How do we set up a policy similar to Do Not Forward that can apply to any recipients, but we want it to only encrypt the email?  Would simply like to take advantage of the federation to the other providers for email encryption while not needing to restrict forwarding, copying, etc.  Seems that if we use an IRM template, the recipients have to be predefined and the only other option is to use DNF, which is too restrictive for our use.

 

Thanks!

Microsoft

@Bob Fink Great to hear! WRT an encrypt only policy, right now we only support DNF (Do not forward) and custom templates but we plan to enable encrypt only in the coming months. Look for the update here on the TechCommunity. 

Senior Member

@Caroline Shin Few questions if possible.

 

  1. How does this compare to OME as in, once the custom template function will allow the option for Encrypt Only, will this be considered a full replacement for the current 365OME – and use the same measures SHA256 etc (the user experience will be better! – but people will react to the change and assume it is less secure than the encryption portal you previously had to read messages in.) – I see the release for Encrypt Only in a template as you stated above is the coming months, does this have a roadmap ID?

  2. The Protect button in Outlook – there were two shown in the video, one was from installing the AIP Client (blue padlock) and the other one shown in the screenshot at 31:27 – this is for a pre-release build it would appear, again does this have an rough expected release date and is it expected to be replacing the “Permission” button within Outlook?


  3. Is there a plan to add the ability to send Protected messages from the mobile app?

  4. Do you have a rough timeframe on HIPAA compliance?
Microsoft

@Ben Harris thanks for your questions - let me answer a few here:

 

1. You are correct. Once we enable 'encrypt only' it will be considered at feature parity (plus more) to the previous version of Office 365 Message Encryption. You can find details of the encryption standards used here. You should see the 'encrypt only' in the public roadmap very soon. 

 

2. We plan on simplifying the Outlook experience to align with the actions that end users need to take to protect the email. The goal is to make this experience seamless and easy - like the way it is in Outlook web experience. We are actively working on this and will share a date when ready. 

 

3. That's great feedback. Will share back with the team. If you have any other feedback do not hesitate to add them here: https://office365.uservoice.com/forums/289138-office-365-security-compliance 

 

4. Not at this time but it's something that's top of mind for us. 

New Contributor

@Caroline Shin Hey great article and information.

 

With regards to the old version of OME, will that be deprecated in tenants if you are already using OME? We have built a solution using message classifications to trigger transport rules and we only want to encrypt. The DNF option currently doesn't fit our organisation's workflow.

 

But the introduction of this into AIP is brilliant.

 

One thing that I noticed was that we use one label to classify sensitive information. I tried to recreate this using AIP in a test tenant and the template would not show up in Exchange for use in transport rules for use with DLP etc.

 

Would adding the requirement for an encrypt only template be an idea to put in the user voice platform or is it already in scope for development?

 

 

 

New Contributor

Is there any information on customizing the color/images for the new experience? I can only find the old options: https://support.office.com/en-us/article/Add-your-organization-s-brand-to-your-encrypted-messages-7a...

 

Figured it out:

Set-OMEConfiguration -Identity "OME Configuration" -BackgroundColor "#f26522"

And re-load the image (if it was already set, which it was for our tenant):

Set-OMEConfiguration -Identity "OME Configuration" -Image (Get-Content "C:\PathToImage.png" -Encoding byte)

Microsoft

@Dominic Applegate Thanks! The legacy OME will still be supported until we provide the 'encrypt only' capability. With that said please do add to user voice - it always helps. WRT your other question this is more of an AIP/DLP question and this is a bit out of my scope - we are planning to do an Ask Me Anything with experts who can answer this - recommend attending to ask this and any other question you may have. https://techcommunity.microsoft.com/t5/Office-365-Encryption-AMA/Announcing-the-Office-365-Encryptio...

 

@Derek Gabriel Currently, custom templates is not offered with the new Office 365 Message Encryption capabilities. It is on the roadmap. 

Super Contributor

Great Feature. Thanks for the heads-up.

Contributor

Thanks @Caroline Shin, great article.

As a very small business, we currently only use Business Essentials and Business Premium, but we deal with some very sensitive client information which we should be sharing using encryption.  Unfortunately, from everything I've read and the sales people I've spoken to at MS, data protection offerings such as the ones you've outlined here are geared towards big business / enterprises.  What would you recommend for small businesses, who work under exactly the same data protection laws as major enterprise organisations, with regards encrypting emails and so on?  The key for us is to keep it all as hosted, online solutions as part of O365 as we do not have our own IT department or infrastructure.

Really hoping you can help as despite lots of research I've not yet been able to come up with a workable, affordable solution.

Many thanks in advance, Oz

Occasional Contributor

@Caroline Shin, is this going to be available to Office 365 A1 too?

Occasional Visitor

@Caroline Shin Great news on additional features! Now, as a MS Partner, maybe we can almost compete w/other solutions like ZixMail.  However, I have a question - encryption is part of the Azure Information Protection, correct? If so, will anyone who has this add-on be able to use these new features or only E1 or E3?

For example, I have many customers with Exchange Online + Azure Information Protection P1 who are used to adding "[secure]" to the e-mail subject but it would be so much easier to simply click a button!

 

Thanks!

Occasional Visitor

Although not the most seamless approach, will there ever be an option to have the receiver enter a password or pin to view an email (perhaps within Outlook only).  I have tested these, and I did not find this very secure from the standpoint of a compromised Gmail or Yahoo account.  It still seems that passing a key/pin/password/etc. to the user through an alternate means is still way more secure, simple, and trusted than what is described here.  I am mainly concerned with sending emails to external accounts, not so much within an enterprise, which the solution in this article addresses very well. 

New Contributor

I'm in the same boat as Oz and others.  We are in a mixed environment of Business Essentials and Business Premium with Azure Information Protection Plan 1 added to each account for DLP and encryption.  Will this be available to us?  The price jump is basically doubling our monthly expenditure if we move up to E3.  

 

Thank you.

@Caroline Shin,  How does this affect the ability to conduct eDiscovery searches for keywords in messages? Occasionally customers have trouble locating a message that they have received or sent or maybe deleted and can only remember vague details, or we may be searching for messages that need a legalhold action based on content. My understanding is if a message is encrypted, the content will not be searchable unless the eDiscovery admin has access to the encryption keys (?)


Occasional Visitor

As the encryption protocols are important for law firms seeking to both secure and locate data, I'd agree that Tony's query is an important and interesting line of thought.  Looking forward to seeing the evolution of this important project.

Microsoft

@Oz Oscroft @Mark Nealley Thanks Oz, Mark. Agree encryption is business critical for businesses of all sizes. We do offer Office 365 Message Encryption outside of our enterprise SKUs. Check out this table here. For example you can see that we even offer OME for frontline workers (kiosk) but you'll need to add-on AIP P1 and if you want the Outlook desktop experience - you also need Office Pro Plus. 

 

@Magnus Andersson Yes! This is offered as part of Office 365 A1 and above. Note that in A1 it doesn't include Office Pro Plus so you only get the Outlook web experience. 

 

@Jason Martin that's great to hear! Here is the full table of where OME is offered - outside of EDU. 

Microsoft

@Mark Arnet we do enable recipients to sign in via One-time passcode and that passcode would expire after 15 min, but the passcode would be sent to their Gmail/Yahoo account. While not a seamless experience, you *might* be able to force the recipient to access the protected message through Outlook.com/Microsoft Account only - @Salah Ahmed to confirm.

 

@Tony Richardson @Matt Nakachi Whether you rely on Microsoft-managed encryption keys or provide your own through BYOK with AIP, you continue to get the value added features in Office 365 such as eDiscovery, search, or even anti-malware/spam services. I recommend watching this webinar on why this is possible and some common misperceptions in SaaS encryption. Do reach out if you're still unclear or have feedback on further content to clarify.

I set this up in my tenant, but when we use the templates to send an email outside the organization, the recipient cannot read the contents of the email.  It says "You do not have permission to view this message".  I looked in the Azure portal to see if there was something I need to change, but I don't see it.

Occasional Contributor

@Caroline Shin, thanks for the info. We have Office 365 A1 Plus so we are ok with the ProPlus part :-)

Microsoft

@Robyn Edwards which template are you using? Confidential and Highly Confidential are internal only templates. Do Not Forward works for both internal and external users. You can also create custom templates https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates. 

Microsoft

@Derek Gabriel you can find customization instructions in this document aka.ms/OMEBranding

New Contributor

@Salah Ahmed one thing to note that I haven't seen in the documentation: if you already had a logo previously set up, you have to redo the configuration to get it to show up in all areas of the new experience.

Occasional Visitor

Nice features! Now we can maybe finally start using OME at our customers!

Please make it possible to copy the "Do not forward" policy, I cannot figure out how to create this from Azure right now...

We want to create custom policy without "copy&print" restrictions, only to encrypt outside email when users wants it, from Outlook.    

Microsoft

@Ilpo Luodes thanks! We plan to enable the 'encrypt only' policy in the near future- refer to the Office Roadmap for the latest date. WRT your second question we will look into this. 

Occasional Visitor
There's no mention of how to configure custom templates when dealing with external non office 365 users. The "Do Not Forward" policy is nice, but we need a shorter expiration and no offline access. Is there any way to setup a template with a dynamic list of authorized users for use with external recipients?
Microsoft
Occasional Visitor
That URL doesn't work.