Last September, we announced new capabilities in Office 365 Message Encryption that enable users to seamlessly collaborate on protected emails with anyone. This release included Do Not Forward, an out-of-the-box policy that encrypts emails and Office attachments and restricts the content and email from being forwarded, printed or copied.


Today, we are happy to share that we are releasing another out-of-the-box policy called encrypt only. With the encrypt-only policy, users can send encrypted email to any recipient, whether they are inside or outside the organization, and the protection follows the lifecycle of the email. That means recipients can copy, print and forward the email, and encryption will not be removed. This new policy provides more flexibility in the type of protection that can be applied to your sensitive emails.


This is valuable for organizations that want persistent encryption but do not want to add additional restrictions. For example, a doctor looking to protect an email containing sensitive personal information can apply the encrypt-only policy, and the patient receiving the email can easily consume the protected message regardless of their email provider, and forward that email to another trusted party.


With this new, flexible policy, users and admins can apply different levels of protection to best fit their data protection needs. 


Read more to understand what the encrypt-only policy looks like and how to apply the policy.  


How the encrypt-only policy works

The encrypt-only policy is an out-of-the-box policy that can be used without additional configuration and, as the name suggests, only applies encryption to the email. Users can apply this policy to individual emails through end-user controls in Outlook, and admins can apply this policy automatically to any email that matches the set criteria through admin-managed controls in the Exchange admin center.


Customers that have enabled the new Office 365 Message Encryption capabilities will see the encrypt-only policy first through Outlook on the web and in the Exchange admin center under mail flow rules. Updates to Outlook for Windows and Outlook for Mac are planned for the coming months.


How to send an email with the encrypt-only policy in Outlook on the web

Users can apply protection with the encrypt-only policy by clicking on the protect button and changing the permissions to just encrypt. While the other options encrypt the message, the encrypt option will apply the encrypt-only policy to the message, therefore enabling recipients to forward, copy and print the message.


Applying this option will offer added flexibility for recipients to share the email with other trusted parties while encryption continues to persist throughout the lifecycle of the email.

Image caption: In Outlook on the web, users can click on the protect button to change the permissions of the email. Once a user clicks on protect, the user can click on encrypt to only encrypt the email.

Image caption: Once the encrypt-only policy is applied, the user will see a notification that encryption has been applied.

How to apply the encrypt-only policy through Exchange mail flow rules

As an administrator, you can apply the encrypt-only policy automatically to emails that meet certain conditions by creating a mail flow rule. When you do this, email affected by the encrypt-only policy is encrypted in transport by Office 365.


For instructions on creating a mail flow rule that employs the encrypt-only policy, see "Define mail flow rules to encrypt email messages in Office 365".

Image caption: As an administrator, you can create a new mail flow rule to automatically apply the encrypt-only policy to emails.
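The same mail flow rule can be created from Exchange Online PowerShell. The following is an added example, not code from the original post: it assumes a session is already connected to Exchange Online and that the encrypt-only template is published under the name `Encrypt`; the rule name and trigger words are hypothetical.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# The rule name and trigger words are hypothetical; adjust them for your tenant.
$ruleName     = 'Encrypt-only for outbound sensitive mail'   # hypothetical
$triggerWords = 'patient record', 'lab results'              # hypothetical
$templateName = 'Encrypt'   # assumed name of the encrypt-only template; verified below

# 1. The new Message Encryption capabilities must be enabled, otherwise the
#    rule would match mail but could not obtain a licence to protect it.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    throw 'AzureRMSLicensingEnabled is False; enable the new OME capabilities first.'
}

# 2. Confirm the template exists in this tenant before referencing it in a rule.
$available = Get-RMSTemplate
if (-not ($available | Where-Object Name -eq $templateName)) {
    throw "RMS template '$templateName' not found. Available: $($available.Name -join ', ')"
}

# 3. Create the rule only if it is not already present, so the script can be re-run.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Warning "Rule '$ruleName' already exists; leaving it unchanged."
}
else {
    New-TransportRule -Name $ruleName `
        -SentToScope NotInOrganization `
        -SubjectOrBodyContainsWords $triggerWords `
        -ApplyRightsProtectionTemplate $templateName `
        -Comments 'Applies the encrypt-only policy to matching mail leaving the organization.'
}

# 4. Review what was stored: the conditions, the template and the rule state.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentToScope, SubjectOrBodyContainsWords, ApplyRightsProtectionTemplate
```

Send a test message that matches the conditions to an external mailbox and confirm it arrives protected before relying on the rule.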


How to read encrypt-only email using Outlook on the web and Outlook mobile

Office 365 recipients can easily read and reply to emails protected with the encrypt-only policy directly in Outlook on the web and Outlook mobile.


Image caption: Users can read the encrypted message natively in Outlook on the web and Outlook mobile.


The inline reading experience for Outlook desktop (Windows and Mac) will be available in the coming months. In the meantime, Office 365 users using Outlook desktop will see the encrypted mail as an html mail with an rpmsg_v2 attachment.


How to read encrypt-only emails for non-Office 365 users (on-prem, Gmail, and Outlook.com users)

Non-Office 365 users receive an html mail with an rpmsg_v4 attachment. Once they click Read Message, they are redirected to the Office 365 Message Encryption portal where they can reply, forward, print, or take other allowed actions. More information can be found in this article.


Get started!

The new encrypt-only policy rolls out starting today as part of Office 365 Message Encryption.


Office 365 Message Encryption is offered in Office 365 E3 and E5, or as an add-on. You can find the full list of where Office 365 Message Encryption is offered here.


Please let us know what you think here or give us your feedback on UserVoice.



Senior Member

I have created multiple transport rules where various conditions trigger actions to encrypt messages using the Encrypt Only RMS template.  I tested from the customer's O365 tenant by sending messages to gmail.com, outlook.com and comcast.net and my own company's email address.


When I send to Comcast.net I am able to "Read the message" by authenticating using "Sign in with a one-time passcode".

When sending to Outlook.com I am able to "Read the message" after authenticating using either "Sign into Microsoft" or "Sign in with one-time passcode".

When sending to Gmail.com I am able to "Read the message" after authenticating using either "Sign into Google" or "Sign in with one-time passcode".


When I send to my company email address I CANNOT "Read the message" even after being redirected to O365 and using my work account. I tried reading the message directly from Outlook on the Web but no luck.  I assumed this would work.  What am I missing?

Occasional Visitor

Sorry if this was already asked, but is it on the roadmap for the configuration of encryption policies to be moved from transport rules to the security & compliance center?  Our customers that need this feature have security and compliance folks that need to set this and report on it outside of exchange administrators interaction.



Occasional Contributor

Hi all.


A quick question. Most of our customers are using the Office 365 Business Premium subscription, will the "Permission Button" be appearing in this version of the desktop Outlook or just on the Office Enterprise E3 version?


To be clear, once I've enabled OME via PowerShell they see the protect button on OWA so all good there. But they're going to want to use the Outlook client so I just wanted to be clear if the Permission Button is due to roll out to the Business Premium subscription of outlook or I have to upgrade them to E3.


Thanks in advance.





I keep reading about the Desktop client of Outlook 32 bit being able to use Encrypt Only protection coming soon, already active in the Office Insider track.

Will it (Encrypt Only) also be available in the 64 bit version of Outlook 2016 or will I have to downgrade my workforce?  Users are also finding it cumbersome to start the message in OWA and apply the protection setting and then continue editing in the desktop client. I am not finding any reference in the Office Roadmap or the Monthly Release notes.


Thanks for the questions folks. My expertise lies on the backend side but I can try to answer Outlook client questions.


@Gary Howard glad that we were able to troubleshoot your issue. Hope the feature is going well.


@Ed Morrison yes Encryption as an action in Unified DLP in SCC is on the roadmap. In fact it is currently being tested.


@Ian Walton, unfortunately I think the option is only available in ProPlus. However, the option should still be available in OWA or you can set up an Exchange transport rule.


@Forrest Hoffman I will have to get back to you, but in the meantime, can you check if you can see the Permissions button in the Options tab?



@Salah Ahmed I have had the button available for quite some time.  Strange thing, every time I go to use it, it has a slight delay while it connects to get the Templates from the server.  What happens if I want to prepare a protected message while offline? Shouldn't it be able to store templates locally from last sync?

To this day it (Outlook desktop 16.0.9126.2109 64 bit) only has the 3 standard Do Not Forward, Company - Confidential, Company - View Only. Whereas the Encrypt Only shows in OWA.  Granted I am not on Insider track but I am on the Target Monthly Releases.  Just wondering how long until we see the Encrypt Only in desktop clients.

Occasional Contributor

My client complained that every time he wants to open the encrypted email it took 1 minute to get the mail loaded.

He is using hotmail.com.


He would rather ask for a passcode than log in.


I hope this will be improved.




We have a user with Office 365 Business Premium + Azure Information Protection Plan 1 and if I start a new email thread using the new ‘Encrypt’ feature in Outlook on the web and the recipient replies the message is automatically decrypted without issue as expected.


If that user looks at the email in their Outlook for Mac client (16.12 (180410)) there is a yellow warning that states ‘Your credentials must be verified before you can access this message’ but hitting ‘Verify Credentials’ doesn't seem to have any effect. No credentials prompt appears. 


I see similar behaviour with Do Not Forward. If I remove the Outlook profile and set it up again, I can decrypt that Do Not Forward email but then any subsequent emails have the issue again.


Any ideas? Has anyone else observed this behaviour? Any workaround? 




@EDIT Support, yes this is something I've noticed as well. It is a known lack of functionality for the Outlook application.


I believe this functionality is currently available to windows insiders, and it's intended to be in the next Outlook update.


@Jordan Moore I might expect the new Encrypt/Encrypt-Only policy to not be fully working with OMEv2 but the issue seems to affect the Do Not Forward policy too. Are you seeing the 'Verify Credentials' warning in Outlook for Mac clients specifically? I'm going to test it out for Outlook for Windows now and report back.


@EDIT Support, I've only run into issues with Do Not Forward when applying it to emails sent externally, as this is internal only unless you specify external domains in the AIP protection area. I don't have any Macs in my environment to test. I'd be interested if you get that message on Windows as well.


I am on vacation so will be MIA for the next 10 days or so. But here are some answers:


- Encrypt in Outlook Windows will be available in the next update on the monthly channel. I am not sure exactly on what date that update will be released 


- Encrypt in Outlook Mac is being developed but I don’t have an ETA 


- Do Not Forward in Outlook Mac should be working fine. If it isn’t, please file a bug with support


- Hotmail users now get an inline experience for encrypted mail in OWA, Outlook Mobile, and Mail app in Windows. So experience for hotmail users should be as good as for Office 365 users now



@Salah Ahmed I appreciate your reply while you are away on holiday. Perhaps @Caroline Shin can step in and answer any further questions in the meantime. 


I think the issue stems from the fact that I am trying to decrypt an email in Outlook for Mac that was sent from Outlook on the web with the 'Encrypt' policy or forced as a mail rule in EAC.  Due to the fact that Outlook for Mac client doesn't yet support the Encrypt policy, I'm receiving this Verify Credentials warning message/behaviour.  @Jordan Moore would you agree with this?


@Salah Ahmed you mentioned filing a bug with support - would we go through our CSP reseller for this?


Thanks again





@EDIT Support, Yes, I believe that is the issue you're running into. If you have the Mac user use OWA, they should be able to view the encrypted email, no problem.


@Jordan Moore that would be one workaround, or have them use Do Not Forward for each email they want to send out and accept the added restrictions if sometimes they are not required until the 'Encrypt' policy is released for the Outlook for Mac client. 


Out of interest, see the table here https://azure.microsoft.com/en-gb/pricing/details/information-protection/ isn't it labelled wrong in that AZURE INFORMATION PROTECTION PREMIUM P1 should actually be AZURE INFORMATION PROTECTION PLAN 1 rather than PREMIUM PLAN 1? My CSP and even MS themselves list it as this in the O365 tenants. 


Also, what is AZURE INFORMATION PROTECTION FOR OFFICE 365 service listed there? I don't see this anywhere. 

Senior Member

@Salah Ahmed What version of Outlook supports the Encrypt only button? I am enabled for First Release but don't seem to be getting the Encrypt option.


Current: 1708 (Build 8431.2242 Click-to-Run) I have an E3 license.


Also, see example 4: https://docs.microsoft.com/en-us/azure/information-protection/deploy-use/configure-policy-protection...


I can only get this to 'replicate' Encrypt Only if I add either external domain or email address. Encrypt Only (using OWA) seems to work to ANY domain. Is there a way to add *@anydomain.com ?

The other issue I've noticed is that both the Outlook desktop clients and Outlook on the web populate the auto-complete cache with the recipient's name but point the email address to office365@messaging.microsoft.com once the recipient has replied to an encrypted email thread once, which could lead to emails not reaching the intended recipient. Anyone else noticed this?

@Christopher King the release notes here state that Outlook now supports the Encrypt-only option https://technet.microsoft.com/en-us/office/mt465751.aspx Version 1804 (Build 9226.2114)



Regular Visitor

Is Outlook 2016 (volume licensing) not going to get the ability to read encrypted emails? It's my understanding that new features don't get added to the volume licensing version but we are forced to use OMEv2 as OMEv1 is not supported according to this link that states "If you'd like to set up OME now, you must set it up to use the new OME capabilities. For information, see Set up new Office 365 Message Encryption capabilities built on top of Azure Information Protection. Microsoft no longer supports setting up new deployments of OME without the new capabilities."


Is there a way to create a transport rule to remove OMEv2 from emails coming externally into our organization if outlook cannot natively remove the encryption?



@Christopher King I can confirm that the Encrypt only option is also available in Outlook desktop client 1804 (Build 9226.2100) 64 bit .  I've just updated as of April-24 so it is a rather new situation.

Regular Contributor

@Salah Ahmed- I have the latest Outlook build and see the Encrypt option in the list of Permissions, but am surprised not to see a button on the ribbon like DNF.  Is that by design?


Regular Visitor

I see the Encrypt only option in my outlook client after running an update, which is great but wondering if there will be an AIP Encrypt Only label option available as well?

New Contributor

Hi @Caroline Shin @Salah Ahmed!


I tried the new release of Outlook with the "Encrypt Only". It works like a charm! Great job. It also works to remove the Protection by creating a transport rule and use the "remove Protection" based on a trigger in the subject field ie "remove Encryption". This way a user can forward an encrypted mail to himself and remove Encryption both from email and office attachments.


I have three more wishes that are very important for us:

1. The Encrypt Only must be able to be used for AIP labels in Outlook/OWA (just like DNF) so we can have an information Security class that only encrypts to targeted users.

2. Change the label of the encrypt only and remove "users cannot remove Protection"; this is unnecessary and not true if you allow them to do this by forwarding/transport rule. Best would be if you make it possible to change labels of DNF and Encrypt Only to something Customer specific.

3. Implement a GUI-button in Outlook to remove protection


Thanks for improving the RMS/OME so we can start using it for real!!


//Magnus - magnus.ericsson@affecto.com




Occasional Contributor

Hi Guys,


Have any of your recipients complained that it took a very long time to decrypt the mail?


I did not believe it and I tested with my own yahoo mail account.

It took around 1 minute every time I used my yahoo mail to sign in to view my encrypted mail.

I think most of the recipients just got fed up and just use the OTP.




P.S.: Does the encryption encrypt the attachment as well? Meaning that the attachment cannot be downloaded by the recipient and sent to a 3rd party?

Frequent Visitor

should be under the MESSAGE tab PROTECTION ribbon and NOT under OPTIONS tab PERMISSIONS pulldown ribbon

Occasional Contributor

@Brandon Humrick, brilliant.

New Contributor


Occasional Contributor

I'm using encrypt-only and sending email between two different Office 365 tenants.  Both tenants are setup to use the new encryption methods including encrypt-only.  I'm testing messages back and forth to see how the new auto-decrypt features for 365 recipients works.  


When trying to read the encrypted message in the other tenant, there is a message at the top of the screen that says "This message with restricted permission cannot be viewed in the reading pane until you verify your credentials. Open the item to read its contents and verify your credentials."


So then I try to double-click and open the message but it does not open. Instead it shows a message that says "This logged in users could not be authenticated. Please check your credentials or try signing out and signing back in.".  I have to click OK and the same message pops up a second time.  Then a third message says "Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Cannot read the item."   I did notice that a split second before that first error pops up, I see another window in the background that says something like that "Configuring rights management on your computer..."


That happens when I send a brand new encrypted message.  However if I start the encrypted message from the other tenant and then reply to it, I can read the replies just fine.


It works fine in OWA.  It's the local Outlook 2016 that is having the issue.


I'm not finding any results when searching for this message. "This logged in users could not be authenticated. Please check your credentials or try signing out and signing back in."    


Let me know if anyone has any suggestions. Thanks!





Not applicable

@Jason Hartman - Yes, I am also facing the same issue after upgrading to the latest version of Office 2016 (1804)


In my case, it always throws a pop-up stating "Configuring your computer for Rights Management services" while sending or replying to an email which is sent using 'Encrypt' option. Also, whenever I try to access any Rights Protected email (including default DNF protection applied) or Encrypted email (which was sent using Encrypt option) Outlook goes to 'Not Responding' state with blank screen and we cannot take any action. Outlook stays in this state for at least 2-3 minutes and after that it displays the message (actual content of the email).


But all the scenarios work perfectly in OWA; the problem comes only with Office 2016 (Outlook).


@Salah Ahmed - Could you suggest some best practices here for using the new feature in the native Outlook application? I knew that this with Outlook client but we encountered the issues after upgrading the Outlook version to 1804. Please fix these issues ASAP.

Occasional Contributor

@Deleted  Yes, I'm also using Office/Outlook 2016 version 1804.  The latest ProPlus version deployed via Office 365. The end users are all using Windows 2016 Remote Desktop Servers.


@Brandon Humrick  I think that particular Protection tab is only available as part of you having the AIP client installed also.  I do not even have that option in the standard Outlook desktop client. So to make it more compatible - comparable to the other users that only have OWA access or Outlook client that had to put in the options tab.


What I find strange is that the File, Properties navigation while editing a message is still not clear, it is still focused around SMIME.  But at least there is a "Set Permissions" button in the same path that matches the normal message editing window.

Frequent Visitor

@Forrest Hoffman True about the protection tab; however, DO NOT FORWARD is in both ribbons.... so should ENCRYPT.  




@Magnus Ericsson @Brandon Humrick @Forrest Hoffman @Adrian Hyde thanks for sharing your comments and suggestions - and the graphics :). Conscious that this is an area we can continue to improve - please do provide this feedback on user voice. We actively read/vet them and it helps us prioritize the work we need to do!


All, thanks for the feedback! 


1- Encrypt is now available in Outlook Windows desktop April release monthly release Version 1804 (Build 9226.2114). See here for more details: https://technet.microsoft.com/en-us/office/mt465751.aspx?f=255&MSPPError=-2147217396.


2- Encrypt is currently not available in Outlook Mac. It is currently being built. However for any issues with Do Not Forward in Outlook Mac, please contact Support.


3- @Zach, OMEv1 is still supported for tenants that had previously set it up.
There is currently no way for customers to remove encryption for OMEv2 for inbound mail. We do not plan to support this feature.


4- @Gloria, we are aware of the ask to have the AIP Encrypt only label. The AIP team is chasing this.


5- @Jason, we have recently heard this issue for B2B mail and are working to fix it. I don't have an eta yet.


Regular Visitor

@Caroline Shin When will the inline reading experience of encrypted email from Outlook desktop be rolled out? Can we expect it this spring/summer ?


@Godwin Daniel this is being rolled out as part of the April update. Here are the details: https://technet.microsoft.com/en-us/office/mt465751.aspx?f=255&MSPPError=-2147217396

New Contributor

@Caroline Shin any plans on making the new OneDrive sharing experience in Outlook/OWA work with RMS-encrypted mails?


When using a transport rule to set Encrypt Only a Shared OneDrive document link will be replaced with an image that could not be used or just some empty ............ .


If Sharing OneDrive documents through OneDrive via clicking on the Outlook symbol in the sharing dialog it works fine. This feature shares a normal link to the document.


Any thoughts why this is so different? 

Senior Member

When a message is encrypted using the Encrypt Only option, the recipient cannot open an Excel attachment in the encrypted message and receives the following message:


You do not have credentials that allow you to open this workbook.  You can request updated permission from...


Why might this be happening?

Occasional Contributor

@Caroline Shin @Salah Ahmed


Question via OMEv2 and Shared mailboxes.. 


Currently if you have a shared mailbox connected in OWA (in the left hand folder view panel, added via "Add Shared Folder") and open an OMEv2 Encrypted message (sent to that shared mailbox, not your personal account) it will display inline. - screenshot below.




However, doing the same thing in Outlook (I'm aware Outlook doesn't currently support inline reading) but even pressing "Read Message" will generate an error as it looks to be a URL to the unique message ID. - Screenshot below.




Do you have access to an inside build to confirm what the behavior will be when inline reading is supported? will it work for Shared Mailboxes? or will the "Read Message" button be able to handle messages sent to Shared Mailboxes? - has this been considered.


Thanks in advance.




Is there a way to get the Encrypt Only option to show up in Microsoft Office Professional Plus 2016 16.0.4639.1000?

We have been able to use Encrypt Only using a mail flow rule, but I would like to have the option in Outlook under Permissions as well.

Senior Member

Transport rules have been configured using the Encrypt Only RMS template.  If a message is sent with an Office attachment i.e. Word, Excel to a recipient who is running Outlook 2013 on Windows 7 with Exchange 2007 on-prem, what is the expected behavior?  Should they be able to read the attachment?  I ask because my customer has experienced issues where encrypted messages sent to recipient who are running Outlook 2013 cannot open attachments.

Occasional Visitor

I have set this up and it works great.  I do have one question though.  When using the Encrypt RMS Template, is there a way to change the expire time-frame?  By default it's set to 60 days.  Also, what happens to that email after it expires...does it just get removed from the system?

Regular Visitor

@Caroline Shin not sure if this has been asked already, I am running Office Professional Plus 2016, do I need to be running Office 365 ProPlus to get the update that supports the inline reading experience of encrypted emails?

Occasional Visitor

Hi, I have Outlook V1805 Build 9330.2087 and while the Encrypt button is now there (good job!), whenever I receive an encrypted message, I also receive a popup saying "The logged in users could not be authenticated.  Please check your credentials or try signing out and signing back in".  I click ok, restart Outlook (multiple times) but it never works.  This is for other O365 tenancies to ours.  If we send internal, it works ok.


I know someone from MS on here said it would be fixed soon but that was 3 weeks ago and there's still no update?  This means we (and all our users) can't open encrypted emails at all - a big pain for everyone.  Do we have an ETA for a fix yet?


Additionally, we have some users running Outlook on RDS. As they're not running Office 365 ProPlus, will they ever get an update to allow them to send press the Encrypt button?  How will it be rolled out?


Lastly, do we have an ETA yet on when Outlook for Windows will be able to decrypt on the fly so you can read the decrypted emails inline?

Occasional Visitor

When will the Encrypt Only option be available for the Volume License installs of Outlook 2016?    Right now the Do Not Forward option is the only one available other than the two organization specific options.   

New Contributor

Hi @Caroline Shin!


When using Encrypt Only to encrypt an email with Office attachments, they are also encrypted. If a recipient opens the email in OWA and clicks on the attachments they open up in Office Online. So far so good. But when they want to print the document it is not possible. How is this possible?


They can print the email in OWA, they can print the email in Outlook and of course they can print the document in full Office clients?


Can you please make sure that recipients also can print in Office Online?


Many thanks! //Magnus


Occasional Visitor

I did some testing and see 'this link will expire on <60 days later>'. I can't find any good documentation on this. Is someone able to explain this:

- what will happen after those 60 days?
- is there a way to change this or disable it?
- What will happen to the e-mail of the sender. Will the sender be able to read the message he sent after those 60 days?

Looking forward to seeing the encrypt only in Outlook 2016 VL. When will it arrive?

Occasional Contributor

@Caroline Shin the link to view the encrypted emails by default expire in 2 months, when will I be able to change this default length of time ?

Also custom branding doesn't seem to show the company logo when sending to other O365 tenant i.e if they are using older Outlook Desktop client versions.

Senior Member

We use Business Premium licenses with Azure Info Protection plan 1 on top. We have been using OMEv1 since the end of last year and were pleased to recently find out about OMEv2.


At the moment it still isn't possible to open OMEv2 encrypted messages in desktop Outlook, but that it is currently in testing through Office Insiders? When will this roll out to the production version of Outlook for Windows? It's annoying that you can't even view the default authenticate/one-time passcode option which effectively renders the entire system useless for sending to external recipients.



New Contributor



Scenario: User "A" sends encrypted mail to user "B". User "C" is delegate for user "B".


When User "C" only has Mailbox Folder Permissions for user "B", everything works as expected: "C" is not able open the mail in Outlook and also not in OWA.

When User "C" has Full Access on the mailbox of user "B", the behaviour is as expected when "C" uses Outlook. When "C" uses OWA, the encryption does not work. The Mail is fully accessible.


We need the functionality with Mailbox Permission "Full Access" in Outlook AND OWA, as it is not feasible to use delegation via mailbox folder permission in our environment.