Last September, we announced new capabilities in Office 365 Message Encryption that enable users to seamlessly collaborate on protected emails with anyone. This release included Do Not Forward an out-of-the-box policy that encrypts emails and Office attachments, and restricts the content and email from being forwarded, printed or copied.


Today, we are happy to share that we are releasing another out-of-the-box policy called encrypt only. With the encrypt-only policy, users can send encrypted email to any recipient, whether they are inside or outside the organization, and the protection follows the lifecycle of the email. That means recipients can copy, print and forward the email, and encryption will not be removed. This new policy provides more flexibility in the type of protection that can be applied to your sensitive emails.


This is valuable for organizations that want persistent encryption, but do not want to add additional restrictions. For example, a doctor looking to protect an email containing sensitive personal information, can apply the encrypt-only policy, and the patient receiving the email can easily consume the protected message regardless of their email provider, and forward that email to another trusted party.  


With this new, flexible policy, users and admins can apply different levels of protection to best fit their data protection needs. 


Read more to understand what the encrypt-only policy looks like and how to apply the policy.  


How the encrypt-only policy works

The encrypt-only policy is an out-of-the box policy that can be used without additional configuration, and as the name suggests, only applies encryption to the email. You can apply the policy through end-user controls in Outlook or through automatic admin managed controls in the Exchange admin center. Users can apply this policy to individual emails through end-user controls in Outlook, and Admins can apply this policy automatically to any email that matches the set criteria through admin-managed controls in the Exchange admin center.


Customers that have enabled the new Office 365 Message Encryption capabilities will see the encrypt-only policy first through Outlook on the web and in the Exchange admin center under mail flow rules. Updates to Outlook for Windows and Outlook for Mac are planned for the coming months.


How to send an email with the encrypt-only policy in Outlook on the web

Users can apply protection with the encrypt-only policy by clicking on the protect button and changing the permissions to just encrypt. While the other options encrypt the message, the encrypt option will apply the encrypt-only policy to the message, therefore enabling recipients to forward, copy and print the message.


Applying this option will offer added flexibility for recipients to share the email with other trusted parties while encryption continues to persist and throughout the lifecycle of the email.

  outlook on the web with permissions drop down.pngIn Outlook on the web, users can click on the protect button to change the permissions of the email. Once a user clicks on protect, the users can click on encrypt, to only encrypt the email.  Outlook on the web client view with encrypt only policy applied.pngOnce the encrypt-only policy is applied, the user will see a notification that encryption has been applied.

How to apply the encrypt-only policy through Exchange mail flow rules

As an administrator, you can apply the encrypt-only policy automatically to emails that meet certain conditions by creating a mail flow rule. When you do this, email affected by the encrypt-only policy is encrypted in transport by Office 365.


For instructions on creating a mail flow rule that employs the encrypt-only policy, see define mail flow rules to encrypt email messages in Office 365

 mail flow rule with encrypt only policy.pngYou as an administrator can create new mail flow rule to automatically apply the encrypt-only policy to emails.


How to read encrypt-only email using Outlook on the web and Outlook mobile

Office 365 recipients can easily read and reply to emails that have been applied with the encrypt-only policy using Outlook on the web and Outlook mobile directly from the client.


Outlook mobile with encrypt only policy applied.jpgUsers can read the encrypted message natively directly in Outlook on the web and Outlook mobile.


The inline reading experience for Outlook desktop (Windows and Mac) will be available in the coming months. In the meantime, Office 365 users using Outlook desktop will see the encrypted mail as an html mail with an rpmsg_v2 attachment.


How to read encrypt-only emails for non-Office 365 users (on-prem, Gmail, and Outlook.com users)

Non-Office 365 users, receive an html mail with an rpmsg_v4 attachment. Once they click Read Message they are redirected to the Office 365 Message Encryption portal where they can reply, forward, print, or take other allowed actions. More information can be found in this article.


Get started!

The new encrypt-only policy rolls out starting today as part of Office 365 Message Encryption.


Office 365 Message Encryption is offered in Office 365 E3 and E5, or as an add-on -you can find the full list of where Office 365 Message Encryption is offered here.


Please let us know what you think here or give us your feedback on uservoice



New Contributor

Some recipients are missing the option to download the attachment - preview only on an encrypted email.  Why would download be missing?


I have Apply Office 365 Message Encryption and rights protection on my mail flow rule and I'm using the Encrypt template.

I also have "DecryptAttachmentFromPortal" and "DecryptAttachmentForEncryptOnly" both set to TRUE

Occasional Contributor

Any updates on when the "Encrypt" option will be available for Outlook for Mac?

Occasional Contributor

@Jessie Hernandez Roadmap #32646 says next month (November 2018). This was recently modified to pull it back from Q1 2019.

Senior Member

As many others have stated these DECRYPT functions do not work as intended, for anyone receiving the message who is on O365 for email.


Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true


No matter what this is set to if the receiving party is an Exchange Online tenant they cannot open attachments. Tested with over 15 different domains, all of these users are setup for email in O365. This needs to be a top priority for OMEv2, and is a glaring issue for anyone attempting to make this switch.


If its someone who is @gmail.com or @yahoo.com or @hotmail.com they can receive the message and attachment fine.

DO NOT GO TO OMEv2 until this is resolved. There has been no communication from Microsoft regarding this being a known issue, and should be in their Service Alerts in the Admin Center.

Occasional Contributor

@Joshua Tepper

I totally agree.  I have had Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true enabled for at least 2 month and it still does not work with other O365 tenants.  Last week I went through support again, gave them all of the documentation, screenshots, etc and the moved it up to the next tier support.  This does need a priority.


@Joshua Tepper and @Jacob R thank you for flagging this.  We are actively looking into this. 


@Joshua Tepper and @Jacob R I am unable to repro this issue. I sent an Encrypt-only mail with an attachment to another Office 365 tenant and Gmail user, and since the DecryptAttachmentForEncryptOnly flag was True, the attachments were indeed received as decrypted. 

Can you please share your tenants via private message and also send encrypted emails to my test account admin@fabrikamfrance.onmicrosoft.com?

New Contributor

Salah, I think you are missing their point. It's not their tenant that is the issue. Users may need to send encrypted information to any one in the world and regardless of how that external agency has their tenant setup, the recipient should be able to get, open, and read the message and any attachment.


Occasional Contributor

@Salah Ahmed  Just sent a test.  Remember, the problem is with Outlook on the desktop not being able to ready encrypted attachments.  OWA works fine.



Established Member

There are a couple of different issues being mentioned in this discussion, but I (and at least a couple of others) posted previously that there is a problem not just with Outlook desktop, and not just with attachments, when sending encrypted messages to external Office 365 tenants. 


I have had an issue with recipients at two different agencies who both use Office 365.  When I send them an encrypted only message, they are unable to open it at all - even if there is no attachment.


They have tried this with both Outlook 2013 and 2016 desktop clients,


They have also tried this with Outlook web and were unable to open the emails.


The message they receive when attempting to access the message is:


"The message you tried to open is protected with Information Rights Management and can only be opened using Outlook. Download a free trial of Microsoft Outlook."


Sending to anyone else who is not an Office 365 tenant works fine.


I haven't tested this in the last couple of weeks, but haven't seen any communication that this is fixed.

Frequent Visitor

We’ve been seeing the same issue, even without attachments, external recipients are unable to open the message. This is really causing us headaches, being in the healthcare industry. 


When external recipients aren't able to open encrypted messages in OWA, it's usually because the recipient tenant has turned off the feature. 


To enable the recipient to read encrypted messages in OWA, they need to run in PowerShell: Set-IRMConfiguration -ClientAccessServerEnabled $true


We are doing work to clean up the configuration of all tenants so that they are all able to read encrypted emails in OWA, and then take away their ability to turn off encryption. This work will take a few months to be fully deployed.

Occasional Contributor

Well I just did a test with Salah and OMEv2 and he was able to open the attachment.  I have two seperate tenant account and it does not work for me. 

So it must have something to do with Outlook settings. I have the latest update for Outlook ProPlus and unfortunately I cannot do it myself and neither can some of our partners.  So I still cannot trust a hit or miss so I am sticking with OMEv1 for now.


Thanks @Salah Ahmed

Senior Member

@Salah Ahmed @Caroline Shin

I cannot send those emails domains publicly, if you could email me I would be more than happy to provide those details.

I can say these are multiple tenants, some being government and some commercial.


Nowhere is it mentioned that the receiving party has to enable Set-IRMConfiguration -ClientAccessServerEnabled $true to receive emails from O365 tenant to tenant using OMEv2. 

Why isn't that mentioned in any of the configuration articles? Shouldn't that be listed as needed per configuration?

I should not have to enforce configuration changes on another tenant just to be able to email encrypted messages. Especially if both organizations are using the same service, Exchange Online.


Senior Member

@Salah Ahmed 


I have just sent you private message with tenant details as well as PowerShell settings etc. 


Any thoughts would be helpful.




Occasional Visitor



I'm running into an issue where I can't open any encrypted sent to me from Outlook. My Outlook version is 1809.

OWA works fine.




Hoping you can help.


Senior Member

Hi everyone. 

I just received a call from Microsoft O365 support saying that they are aware of the problem and trying to find a solution/patch on higher level support. No timeline was given but they wanted to close my ticket. The workaround is to use webmail when reading encrypted mail, until their fix/patch is ready.


I just wanted to inform you, so you can stop banging your heads to wall trying to solve this :-)


Bye for now



Senior Member

Thanks Tommy


I sent a Private Message to Salah earlier this week and he told me the same. 


If someone from MS had of just posted the same earlier in the thread it may have saved us all some time!!

Occasional Visitor

@Tommy Forsman Thank you for the update.

Senior Member

I still don't get why this isn't posted in the Exchange Online Admin center. This needs to be a communicated outage... anyone from Microsoft reading this?

Everything else gets posted for outage when it's been down for hours to a days...but this hasn't been working for months and no one thought to inform its user base?

Frequent Visitor

Good point Joshua. Although since as far I can see OMEv2 has never worked properly maybe it's not so much an outage as an unfinished product. We've been waiting on Outlook being fixed for opening encrypted emails since the start of the year.


Hi folks, appreciate your patience as we address this issue - and also for taking the time to share the issues you maybe seeing. We are actively working on a fix and we plan to respond to this more formally. To ensure this message gets shared to the impacted customers, we will be sending notification through message center. You should see a communication from us by the end of this week or early next week.  


Frequent Visitor

Which issue is being addressed? I think we have experienced every issue mentioned in this thread.  The most frustrating thing is I cannot find any documentation for any of these issues from Microsoft.  


Right now, another O365 tenant is receiving the "unexpected response from the Rights Management server" error when trying to open our emails.  They are on the latest monthly build (1809 10827.20181).

Senior Member

We are getting this error now when clients try to view the encrypted emails we send them.  I am also having the same issue when trying to open an email with my Office 365 account.  If I use an OTP it opens without any problems.problem.PNGCapture.GIF

 To Mark Galvin ‎& Brian Phillips who reported issues on 08-16-2018 01:43 AM,  ‎10-05-2018 12:12 PM respectively - what was the recipient machine topology? Was the recipient signed into Windows using the same creds as used to sign in to Office? Were the recipient machines joined to a domain/AAD-joined?




Hi @Caroline Shin, any update, on the notification through message center?

Occasional Contributor

Hopefully the update in 16.19 fixes things.


Updated feature: Encryption updates in Outlook for Mac and Outlook for Windows
Stay Informed
Published On : November 16, 2018
We are updating the way to encrypt emails in Outlook for Mac and bringing a consistent approach in the ribbon for both Secure/Multipurpose Internet Mail Extension (S/MIME) and information rights management (IRM). This functionality is now under a new command for Office 365 organizations in both Outlook for Mac and Outlook for Windows. This feature has begun rolling out to all Office 365 organizations. This message is associated with Microsoft 365 Roadmap ID: 32646.
How does this affect me?
The existing Security button in the Outlook for Mac ribbon will become an Encrypt button in version 16.19.18110915+. Similarly, the current Permission button in Outlook for Windows will soon become an Encrypt button. The new Encrypt button will look like a padlock on the ribbon and this lock icon image will appear on all encrypted emails, visible within the Outlook message list. Additionally, Outlook for Mac users will have an additional Encrypt-Only method to secure emails with Office 365 Message Encryption . This means that in addition to supporting S/MIME, which is also currently supported in Outlook on the Web and Outlook for Windows, the Outlook for Mac Encrypt command may include options such as Office 365 Message Encryption Encrypt-Only or Do Not Forward, S/MIME encryption (if configured) and other admin-defined Rights Management Service (RMS) protection templates. Further, the S/MIME sign option in Outlook for Mac will now be consistent with Outlook for Windows under a stand-alone Sign button for digital signing.
What do I need to do to prepare for this change?
There is nothing you need to do to prepare for this change. See Additional information to learn more.
Regular Visitor

@Caroline ShinAny updates? Have not seen any public information on the issues with Messages Encryption



 Hi @Caroline Shin, perhaps i missed it, but haven't seen an update, on the notification through message center yet.

Senior Member

@Caroline Shin 

I have been checking for the notification everyday, I still haven't seen one. Is it possible to get a time frame on when this will be documented as an issue for users? This has been happening for a while, and I'm still confused why it isn't being clearly communicated with the user base?


@Martijn Steffens @Christian Knarvik @Joshua Tepper  thanks for reaching out and your patience. I just wanted to send you a note that I am aware of your messages - and plan on sending response tomorrow around noon PST. 

Senior Member

Hi folks


Besides any messages in the Message Center on this issue (MC165252):




I have noticed an improvement following release 1811 (Build 11029.20045 Click-to-Run).


Here I go:

Tenant 1

Outlook wanted an update yesterday. Ran it and now running:


So, sent a test email to Tenant 2:


And I was able to open it without fail:




On Outlook on Tenant 2, currently on:


I checked if there was an update and (sad face):


Must have to wait for the update to replicate through all tenants. Once Updated I will test sending from Tenant 2 to Tenant 1 and hopefully working!



@Martijn Steffens @Christian Knarvik @Joshua Tepper apologies for the delay! We published documentation about a set of known issues that have been fixed which is available here. Please note that if you have the latest build installed and are experiencing an error or other symptoms not listed in the documentation, you may still be seeing issues. This seems to be outside the norm and difficult to replicate, therefore we are investigating with customers who have raised this issue with support. Early assessment indicates that there is an Office client bug – once we have a fix, we will communicate through the proper channels and update the documentation with more details. 

Frequent Visitor

 @Caroline Shin Well, this is a let-down.  The issues we have experienced are not even acknowledged in that article.  Furthermore, the fix is to upgrade to build 1808+ and we are having issues with 1809/1810.  


Once we have a fix, we will communicate through the proper channels and update the documentation with more details.

Why not communicate that there is a problem now?  You could prevent your customers from wasting time searching for a solution if you would at least recognize this as an issue. 


Also, what are the "proper channels"?  Is a link to an article in the comments section of a blog post a proper channel?  Why is this not communicated through the message center? Does this not qualify as a service degradation?  Shouldn't it be listed under service health?

Frequent Visitor

I would also like to know whether there has been any progress resolving issues for those opening encrypted messages in webmail. We send email to certain agencies who use Office 365 in the browser instead of Outlook and they've been unable to open messages.

Occasional Contributor

FINALLY!!!  Its working from send an encrypted email with an office document attachment from tenant to tenant using Outlook desktop.  Initially the email said it is encrypted and to double-click to verify credentials so I did and the email and attachment were there.  This is the first time it has happened correctly.  Usually I cannot get passed the double-click to verify part.  Maybe now I can start using OMEv2 with our partners.

Frequent Contributor
Maybe it's been stated already but pro-tip if you're having problems opening encrypted emails: go to File > Office Accounts and click 'sign out' in the top left. Keep clicking it until all your accounts are signed out. That sucker was hiding 6 different accounts on one of my user's PCs and logging them out of all of them and back into the correct one fixed the issue immediately.
Occasional Contributor

Is sending a protected attachment using an RMS permission template still prohibited for yahoo, gmail and other personal email addresses? 

Senior Member



I can confirm that once both tenants are running Version 1811 (Build 11029.20079 Click-to-Run) AND signing out of all Office connected accounts, sign back in, OMEV2 works in both directions!


Now, when testing with non Office 365 accounts (say iCloud) the response from the website is painfully slow.


What is being done to address that?





Senior Member

Morning all


Having managed to test and confirm that OMEv2 is working on my two test tenants (see last post), I now need to roll out to Citrix Desktop users at tenant 1.


Over weekend I updated Citrix XenApp servers to same version nd build of Office that I have on the Desktop I have been using there. 


When a Citrix Outlook user ropens the Permissions menu they see:


Clicking on that gives them:




So, from my desktop I have sent them an Encrypt-Only email =:


but when they open it they get:


Anyone else managed to get this working? I am using a test user in Citrix (newly created this morning so everything is complete fresh). I have tried signing the test user out of Office and back in again but same result. 


Really wish Microsoft had all of this resolved before GDPR came in, in May!


Hoping someone can help :-)




Occasional Visitor

Still can't enable the do not encrypt attachements for encrypt only.  I can see it with get-irmconfiguration, but not set it:


PS C:\> Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
A parameter cannot be found that matches parameter name 'DecryptAttachmentForEncryptOnly'.
    + CategoryInfo          : InvalidArgument: (:) [Set-IRMConfiguration], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Set-IRMConfiguration
    + PSComputerName        : outlook.office365.com

PS C:\> get-IRMConfiguration | fl decr*
DecryptAttachmentForEncryptOnly : False
DecryptAttachmentFromPortal     : True


when i used Encrypt only option in outlook and send to other users they are not able to open the message


Same case when i used AIP label and applied Transport rule to Encrypt the message  they cannot open message in outlook but they can view in outlook web access, we want to have option to view in outlook web access and should decrypt during journaling and download for investigation