Encrypt only rolling out starting today in Office 365 Message Encryption

Last September, we announced new capabilities in Office 365 Message Encryption that enable users to seamlessly collaborate on protected emails with anyone. This release included Do Not Forward, an out-of-the-box policy that encrypts emails and Office attachments and restricts the content and email from being forwarded, printed or copied.

 

Today, we are happy to share that we are releasing another out-of-the-box policy called encrypt only. With the encrypt-only policy, users can send encrypted email to any recipient, whether they are inside or outside the organization, and the protection follows the lifecycle of the email. That means recipients can copy, print and forward the email, and encryption will not be removed. This new policy provides more flexibility in the type of protection that can be applied to your sensitive emails.

 

This is valuable for organizations that want persistent encryption but do not want to add additional restrictions. For example, a doctor looking to protect an email containing sensitive personal information can apply the encrypt-only policy, and the patient receiving the email can easily consume the protected message regardless of their email provider and forward that email to another trusted party.

 

With this new, flexible policy, users and admins can apply different levels of protection to best fit their data protection needs. 

 

Read more to understand what the encrypt-only policy looks like and how to apply the policy.  

 

How the encrypt-only policy works

The encrypt-only policy is an out-of-the-box policy that can be used without additional configuration and, as the name suggests, only applies encryption to the email. Users can apply this policy to individual emails through end-user controls in Outlook, and admins can apply it automatically to any email that matches the set criteria through admin-managed controls in the Exchange admin center.

 

Customers that have enabled the new Office 365 Message Encryption capabilities will see the encrypt-only policy first through Outlook on the web and in the Exchange admin center under mail flow rules. Updates to Outlook for Windows and Outlook for Mac are planned for the coming months.

 

How to send an email with the encrypt-only policy in Outlook on the web

Users can apply protection with the encrypt-only policy by clicking on the protect button and changing the permissions to just encrypt. While the other options also encrypt the message, the encrypt option applies the encrypt-only policy to the message, so recipients can forward, copy and print it.

 

Applying this option offers added flexibility for recipients to share the email with other trusted parties while encryption persists throughout the lifecycle of the email.

Image: Outlook on the web with the permissions drop-down. In Outlook on the web, users can click on the protect button to change the permissions of the email. Once a user clicks on protect, the user can click on encrypt to only encrypt the email.

Image: Outlook on the web client view with the encrypt-only policy applied. Once the encrypt-only policy is applied, the user will see a notification that encryption has been applied.

How to apply the encrypt-only policy through Exchange mail flow rules

As an administrator, you can apply the encrypt-only policy automatically to emails that meet certain conditions by creating a mail flow rule. When you do this, email affected by the encrypt-only policy is encrypted in transport by Office 365.

 

For instructions on creating a mail flow rule that employs the encrypt-only policy, see define mail flow rules to encrypt email messages in Office 365.

Image: Mail flow rule with the encrypt-only policy. As an administrator, you can create a new mail flow rule to automatically apply the encrypt-only policy to emails.
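The same mail flow rule can be created from Exchange Online PowerShell. This is an added example, not taken from the original post: the rule name, the subject keyword and the staged rollout in audit mode are assumptions, while `Encrypt` is the name of the built-in encrypt-only template passed to `-ApplyRightsProtectionTemplate`.

```powershell
# Added example: run from an Exchange Online PowerShell admin session.
Connect-ExchangeOnline

# Stop early if the new OME capabilities are not active for the tenant.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'Azure RMS licensing is not enabled. See https://aka.ms/EnableOME.'
}

# Hypothetical rule name and trigger keyword, chosen for illustration.
$ruleName = 'Encrypt-only for external mail tagged [encrypt]'
$keyword  = '[encrypt]'

# Create the rule in Audit mode first: matches are logged in message
# tracking, but the encrypt-only template is not yet applied.
New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -SubjectContainsWords $keyword `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Mode Audit `
    -Comments 'Applies the OME encrypt-only policy to tagged outbound mail.'

# After reviewing the audit results, switch the rule to enforcement.
Set-TransportRule -Identity $ruleName -Mode Enforce

# Confirm what the rule does and that it is enabled.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentToScope, ApplyRightsProtectionTemplate
```

Because encrypt-only also encrypts Office attachments, test the rule with the recipients' real mail clients and archiving process before enforcing it.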

  

How to read encrypt-only email using Outlook on the web and Outlook mobile

Office 365 recipients can easily read and reply to emails that have been applied with the encrypt-only policy using Outlook on the web and Outlook mobile directly from the client.

 

Image: Outlook mobile with the encrypt-only policy applied. Users can read the encrypted message natively, directly in Outlook on the web and Outlook mobile.

 

The inline reading experience for Outlook desktop (Windows and Mac) will be available in the coming months. In the meantime, Office 365 users using Outlook desktop will see the encrypted mail as an HTML mail with an rpmsg_v2 attachment.

 

How to read encrypt-only emails for non-Office 365 users (on-prem, Gmail, and Outlook.com users)

Non-Office 365 users receive an HTML mail with an rpmsg_v4 attachment. Once they click Read Message, they are redirected to the Office 365 Message Encryption portal, where they can reply, forward, print, or take other allowed actions. More information can be found in this article.

 

Get started!

The new encrypt-only policy rolls out starting today as part of Office 365 Message Encryption.

 

Office 365 Message Encryption is offered in Office 365 E3 and E5, or as an add-on. You can find the full list of where Office 365 Message Encryption is offered here.

 

Please let us know what you think here or give us your feedback on UserVoice.

 

 

137 Comments
Microsoft

To get started with OME, see https://aka.ms/EnableOME. 

Regular Visitor

I am using Office 365 E3 - when should this show up in outlook on the web and/or mail flow rules for my company?  Is this live now, or will it be days/weeks before we see it?

Microsoft

@Kevin Caldwell the feature is rolling out to tenants starting today. Most customers should see this live within their tenant in the coming weeks. 

Awesome news, and awesome set of announcements today, keep it up folks :)

This is critical to us moving to this platform.

Hopefully the desktop client will be sooner rather than later.

 

Thanks for the update.

Visitor

We changed our tenant for early releases but still have not seen this option. Is there any other way to force this update? "Coming weeks" is a very broad term. Support had us migrate our rules to the new v2 but failed to mention the limitations. This is after we send out the new guide.

Microsoft

@Vasil Michev Thanks for your support! 

 

@Michael Nordstrom Thanks for your feedback! Once we have a solid date we plan to post to Office Roadmap. 

 

@Geoff Hall Thanks for your feedback and patience. We can't force the update but the roll out should be completed relatively soon. We are conscious that this is an important release so trying to get this out as soon as possible. 

New Contributor

Great News!!

This is a really important feature for government agencies and municipalities in Sweden. Thanks for solving this challenge.

 

How do I know it is rolled out? Do I need to enable anything on my Tenant?

 

Is it really not possible to auto-decrypt via the Outlook Client and RPMS-file from the beginning? That will be a huge step for us to teach users to use the HTML-mail first.

 

Best Reg. Magnus

Visitor

Hi, will subscriptions in Azure Gov be receiving this feature in this roll out as well?  Will we be notified when this takes place, or will it just show up as an option one day?  Thank you kindly.  

Occasional Visitor

In the old version of OME we could set a transport rule to decrypt incoming emails. Is there a similar function available for this? We really like the functionality but not having native reading out Outlook is a major issue. 

 

If I look at our existing transport rules I see there is a setting RemoveOMEv2, which I assume relates to this but I am unable to set it. Is this coming in the future? 

 

Thanks,

 

Michael

Microsoft

Native reading in Outlook Win32 is coming soonish. We are currently dogfooding it.

Senior Member

@Caroline Shin @Salah Ahmed - We have been looking for this feature (having Encrypt-Only) for a long time, and we are very happy that MS has finally come up with a solution which most organizations are looking for. But before we go and demonstrate the capability of this new feature to our Business/Customers we would like to see the functionality of this feature in test tenants and then build confidence to move it to production.

 

Could you please let me know when this feature will be updated to present test tenants and if I create a new one will it reflect to that?

 

Thanks in Advance!

Microsoft

@Magnus Ericsson Thanks! That's great to hear. Once the roll out is complete we will send out a note through the Message Center. WRT to if you need to enable anything - do check out the article here https://aka.ms/enableome under 'who can use the capabilities' and 'steps to set up the new capabilities'. WRT your other question we are working on it :)! 

 

@Ryan McCall For gov, Office 365 Message Encryption is offered through Office 365 US Government G3. 

 

@Michael Frank Salah just responded to your question - but in short it's coming. Thanks for your patience and we will keep you posted through the TechCommunity blogs once this is available. 

 

@Vamsi Krishna Gunta Thanks Vamsi! Once the roll out is complete we will send a message through the message center. 

Occasional Visitor

I'm curious what changed since the rollout started. Using the new version of OME now attaches a .rpmsg file that cannot be opened. What happened to just using an HTML file?

Microsoft

Jared, the Encrypt-only mail will be readable in Outlook Win32, which is why  the rpmsg is required. 

Microsoft

Encrypt-only should be available worldwide now!

Microsoft

Encrypt-only is now available in Outlook Desktop Win32 for Insider ring. To opt-in to the Insider ring, see https://products.office.com/en-us/office-insider?tab=Windows-Desktop. 

Regular Visitor

Can we make the encrypt only setting default in Outlook Online when clicking Protect? 

Occasional Visitor

Great news! We have been waiting for something like this since we moved to 365!

 

@Salah Ahmed / @Caroline Shin Will the non 365 version of office 2016 (the volume licence version or whatever it's called) have the in-client reading & encrypt only policy apply functionality as well? or is it just the 365 pro plus version??

 

Also, if we set the Exchange admin centre to apply this as a mail transport rule, will the user be notified before it's sent??

 

Can you ensure someone updates the deployment guides in the admin centre? As they still show setting up this service in the old azure portal, which does not work anymore. Plus this feature isn't mentioned, which would help a lot of people get using it.

 

Glad to see this product is being polished :) Sorry for all the questions

 

thanks

 

luke 

 

 

Senior Member

How to read encrypt-only email using Outlook on the web and Outlook mobile

Office 365 recipients can easily read and reply to emails that have been applied with the encrypt-only policy using Outlook on the web and Outlook mobile directly from the client.

 

The inline reading experience for Outlook desktop (Windows and Mac) will be available in the coming months. In the meantime, Office 365 users using Outlook desktop will see the encrypted mail as an html mail with an rpmsg_v2 attachment.

Beware!  If the Office 365 recipient is a shared mailbox, connected to users via Outlook desktop, the email will not be able to be opened.

Which consumer domains are able to read protected messages?

I tested gmail.com, outlook.com and yahoo.com - they do work.

Where is the full list?

Microsoft

We support the one-time passcode option for all email providers.

New Contributor

@Caroline Shin Do you have instructions for current OME users to enable the new Encrypt Only option?  We see the Do Not Forward option in Outlook Online but not the Encrypt Only.

Microsoft

Bob, are you saying that you cannot see the new Encrypt only option in OWA? Can you see the Protect button? Please send me a mail at saah@microsoft.com.

@Salah Ahmed

Please post a list of consumer services that do NOT require one time password.

For the ones I mentioned (gmail.com, outlook.com, yahoo.com) you sign-in with the account itself - not one time password.

Microsoft

Encrypt-only is available in Outlook Desktop through Insider Ring (instructions). Has anyone tried it out yet? What do you think?

New Contributor

Great news, thanks MS!

My goal yet is to create a new label in AIP, available in Outlook, with the Encrypt-Only protection.

The idea is to have the same experience that we have with the DNF protection but without the Encrypt-Only protection.

Do you know how to do that? Or when the feature will be available in our AIP admin portal?

BR

Fred

New Contributor

Does that mean this feature is available without the need for an Azure Information Protection plan?

Contributor

Will we be able to administer encrypt-only transport rules?

Microsoft

@Andrew Woo If you have Office 365 E3 and E5 the new OME capabilities will be available for you. For more context, the protection (formerly known as rights management services) feature in Azure Information Protection is included in the Office 365 E3 and E5 plans- so you don't need additional AIP plans to receive this capability.  

 

@Jordan Moore yes they can! Please go here for details and instructions. 

Contributor

If multiple recipients are on the To: line and you apply encrypt only, do each of the recipients have access to decrypt the email?

 

Would you run into a problem if you sent an encrypted email to a distribution group?

 

Thanks!

Microsoft

@Jordan Moore Thanks for your question. Each of the recipients would be able to access and decrypt the mail. Most people are concerned about external users being able to easily decrypt the mail, in this case they would authenticate using their Google, Yahoo or Microsoft identities - or use One Time Passcode. There are no issues with sending encrypted mails to a distribution group. 

Microsoft

@Stefan Nordkamp Thanks for the feedback! Do submit this to https://office365.uservoice.com/

Visitor

Did something change? Yesterday our "encrypt only" broke. End users are now being asked to sign in when they open any Office attachments. Somehow RMS is being attached to the document as well? This is after we transitioned our users from OMEv1 to OME2. For our needs we just need to encrypt the message in transit; once the user has access to the email or attachments, we shift the burden to them.

New Contributor

Hi! We have started to evaluate Encrypt only for some government customers. I was under the impression that once you decrypt an email or an Office document you have full control. That was how I believe it worked in the preview version.

Now that it is released I see that a recipient cannot remove the protection. This is really bad for all government agencies that have legal requirements to journal and long-term store information from other agencies. They cannot use Do Not Forward because it is too restricted, and not Encrypt only because the receiver cannot remove the protection after decrypting the message.

 

Please help! 

 

 

 

Microsoft

@Geoff Hall Thanks for reaching out- we are actively looking into this. If it applies to the broader community we will post an update here otherwise we will follow up with you directly. 

Visitor

@Caroline Shin I hope so, as we are actively having issues :) Like I said, it worked FINE before, then some change was made that broke it. This is the 2nd time we were advised by MS to make a change that ended up breaking mail flow for our users.

Microsoft

Hi Geoff, Magnus,

Encrypt-only encrypts the attachments as well as the mail. I apologize if this wasn't clear before. This is different from OMEv1, where the attachment is decrypted as soon as the recipient downloads them.

If your requirement is for attachments to be decrypted, the only workaround is OMEv1 for now. However, we are working on a setting where the tenant will be able to choose to decrypt attachments for Encrypt-only, just like in OMEv1. No eta yet but coming soon.

 

 

 

 

Visitor

@Salah Ahmed

We were advised to move to OMEv2 (by support), we did. We did user training. Then we found out that the DNF policy was attached to attachments as well. So we moved back to OMEv1. Then you told us "Encrypt Only" was coming soon, so we told users to hold off. Our tenant was updated to support Encrypt Only. We tested for days to make sure it worked properly. We started using it, without issue. We were happy, life was good. This week we noticed that RMS was being attached to attachments. This completely broke our mail flow. Now I'm being told revert to OMEv1. Can you see my frustration here? You've updated/upgraded but removed key features. 

New Contributor

@Salah Ahmed This is a deal breaker for us as well.  We are looking at Encrypt Only to provide the encryption in transit and stop once the recipient is validated upon login.  Is MS asking clients what features they are looking for or shooting from the hip with add/removing features?  Locking down the attachment is more applicable to Do Not Forward versus Encrypt Only.

Microsoft

Hi Geoff, Bob, we built attachments encryption per strong customer demand. However, it has become obvious recently that there is also a use case for not encrypting attachments, which is why we are building that feature too. Stay tuned.

Senior Member

@Salah Ahmed MS has never mentioned that the attachments will get RMS rights (DNF) if an email with attachment sent using Encrypt Only feature. It is resembling like just a name change for the existing DNF option. And the workaround you mentioned to use OMEv1 will not fit in our requirements as the email will get delivered as an attachment even if the recipient is on O365.

Regular Visitor

Is there a set date for viewing OMEv2 encrypted emails in the outlook client? We just recently moved to O365 and have to direct users to log into the web version to view responses for encrypted emails. Due to our organization just moving to O365, OMEv1 isn't supported according to this article

 

Visitor

@Salah Ahmed

With all due respect, "coming soon" and "stay tuned" are not acceptable answers to my superiors. Especially after I've given them a demonstration of how it works and provided a viable solution to our encryption needs. "Encrypt Only" was working fine, now it is essentially "Do Not Forward" as far as usefulness to us. Support told us that if the end user signs up for a Microsoft account with their email address then it would work. So, basically you want me to tell everyone I email to get an account. I might as well just give them an account on our tenant. This solution is pretty much broken for us now. We need true "Encrypt Only", and we need it sooner rather than later, and we need a date. It's not like I'm asking you to invent a new solution, I simply want what was working a week ago! I'm not the only one asking. Thanks

Microsoft

We haven’t changed the behavior of Encrypt-only since release. It has always applied Encryption to Office attachments. 

Having said this, the ability to remove encryption from attachments is also being built. 

Microsoft

Has anyone tried out Encrypt-only on Outlook Windows yet? It is available through the Insider ring: https://products.office.com/en-us/office-insider?tab=Windows-Desktop. If you have tried it, please send feedback to saah@microsoft.com. 

Senior Member

@Salah Ahmed

I prefer the way Outlook currently handles the email messages, with the link to Read the message.  It is of MUCH higher importance that the Encrypt only label not apply rights management to the attachments.

New Contributor

@Salah Ahmed we really like the idea of "Encrypt Only" but would like you to implement the possibility to remove the protection both from the email and the attachments in one go.

 

If a trusted recipient receives an encrypted email with attachments and the recipient successfully decrypts the message, it is important that they can store the email and the attachments without the encryption still there. A lot of government agencies have rules to journal and long-term store incoming emails from other agencies or citizens. It is not a good idea to store a rmpmsg file or an RMS-protected Office file in a long-term archive. Then only the original recipient can read it, and they might also have stopped working for the agency.

 

Please advise.

 

Best Reg and thanks for your support!

 

//Magnus

Microsoft

2 announcements:

- If you are interested in the preview of the feature that allows download of attachments decrypted from the OME portal, please reach out to me at saah@microsoft.com.

[Edited] - Inline support for Encrypt-only may be available in the Outlook desktop April monthly build. Once available, it will be published on the Office clients page (look for Outlook & Monthly updates): https://technet.microsoft.com/en-us/office/mt465751.aspx?f=255

 

 

Occasional Visitor

Hi,

I want to try Encrypt Only in the Outlook 32 desktop app but I don't know how to add it.

My build is 1805 (9307.2004), the latest available in Insider I guess.

Do we still need to use the AIP client? It seems to be disabled. Do I need to use a specific version?

Thanks for your help