Microsoft 365 supports protection of emails using encryption and rights management thanks to its integration with Microsoft Purview Information Protection and Office 365 Message Encryption, as well as via legacy capabilities such as Exchange Information Rights Management. These technologies allow an email to be protected so that only specified users can view it, and they restrict the actions those users can perform on the email. In most cases this requires no additional considerations, but in some delegation and shared mailbox scenarios the existing implementation behaved inconsistently between clients on different platforms regarding whether a user with delegated access to a mailbox can open emails that the mailbox's own account has rights to. This behavior is being updated to provide configurable and consistent behavior across platforms.
Delegate access: when delegates are granted FullAccess to the owner's mailbox, their access to encrypted mail varies depending on the Outlook client they are using:
Delegated access of encrypted mail is supported using Outlook on the web (OWA), Outlook for Mac, Outlook for iOS, Outlook for Android and Mail app on Windows
Outlook for Windows client does not support delegate access of encrypted messages and delegates are blocked from reading encrypted messages if they are not on the recipient list (To, Cc or Bcc).
Based on this behavior, delegates can simply access the encrypted message via OWA or one of the other clients where delegates are not blocked.
Shared mailbox access: for shared mailboxes, the challenge is slightly different. By design, users can open encrypted messages for a shared mailbox when they meet the following conditions:
For Outlook for Windows, when the user is assigned "FullAccess" rights to the shared mailbox, and the AutoMapping parameter of Add-MailboxPermission is set to $true.
For other Outlook clients, when the user is assigned “FullAccess” rights to the shared mailbox.
This means that once a user or group is granted "FullAccess" to a shared mailbox, they have access to all shared mailbox content from Outlook (OWA, iOS, Android, Mac, and Mail app on Windows). This is often unacceptable in scenarios where a shared mailbox contains encrypted content that is appropriate only for a subset of the users who have been granted "FullAccess."
Based on customer feedback, we are introducing new Get/Set/Remove-MailboxIRMAccess cmdlets that provide admins with more granular access control of encrypted content, including in scenarios where delegates or shared mailbox members have FullAccess to the shared mailbox.
Check who is blocked from accessing mailbox owner’s encrypted messages:
After any of the above mailbox settings are changed, the Outlook client must be restarted.
-Identity: The target mailbox. You can use any value that uniquely identifies the mailbox.
-AccessLevel: Specifies what delegates can do with IRM-protected messages in the specified mailbox. Currently we only support “Block.”
-User: Specifies the delegate or shared mailbox member who is blocked from reading IRM-protected messages in the mailbox or shared mailbox. The user’s login ID must be used.
Let’s cover some scenarios!
Scenario 1 – Delegate top secret conversation (total block)
Ashima is a VP of Finance at Contoso. Katie is Ashima’s Administrative Assistant, who has full access to Ashima’s inbox. Ashima and the CEO have been involved in discussions to purchase another company; this could have a high impact on the stock price if the information leaked. Later, Ashima receives an email from the CEO that is only for the senior leadership team and is protected by a Top-Secret label. Although Katie has access to Ashima’s mailbox, she should not be able to see this email, as it’s meant only for members of the senior leadership team.
With the new behavior, the admin can use the following cmdlet to block Katie's access to encrypted messages in Ashima's mailbox while still allowing Katie full access to non-encrypted messages:
Scenario 2: Shared mailbox select access to encrypted messages (only a subset of users can access encrypted content)
Contoso has a shared mailbox (CustomerData@contoso.com) that is used to receive encrypted emails containing customer data from the company’s customer portal. Every day, several employees check the mailbox and route emails to the right departments or contacts. This mailbox also receives notifications or wrongly delivered emails. The admin wants to assign a few employees to clean up the mailbox but does not want them to be able to read encrypted messages sent from the company customer portal. To do this, the admin runs:
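The following is an added example, not Microsoft's own cmdlet invocation from this post: it applies the scenario 2 restriction (and the same Set/Get pattern that scenario 1 uses for a single delegate) to every FullAccess holder on the shared mailbox who is not on an allow-list, then verifies the result. It assumes an Exchange Online PowerShell session is already connected, that the cmdlets take the -Identity, -User and -AccessLevel parameters named above, and that the allow-list addresses are constructed values.

```powershell
# Added example (not from the post): limit encrypted mail in a shared mailbox
# to an allow-list of its FullAccess members. Assumes Connect-ExchangeOnline has
# already been run, and the parameter names from the post: -Identity, -User
# (login ID / UPN) and -AccessLevel (only "Block" is supported today).
# Mailbox address (from scenario 2) and the allow-list are constructed values.

$SharedMailbox = 'CustomerData@contoso.com'
$AllowedToReadEncrypted = @(          # constructed allow-list of login IDs
    'ashima@contoso.com',
    'routing-lead@contoso.com'
)

# 1. Enumerate everyone holding explicit FullAccess on the mailbox. Skip the
#    mailbox's own SELF entry, inherited entries and Deny entries. Assumes the
#    entries are individual user login IDs; expand group entries first.
$fullAccessUsers = Get-MailboxPermission -Identity $SharedMailbox |
    Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and
        -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\*'
    } |
    Select-Object -ExpandProperty User

# 2. Block IRM-protected content for every FullAccess holder not on the list.
#    They keep FullAccess to unencrypted mail; only encrypted messages are
#    withheld, and the block applies consistently across Outlook clients.
foreach ($user in $fullAccessUsers) {
    if ($AllowedToReadEncrypted -contains $user) {
        Write-Host "Allow : $user keeps access to encrypted mail"
        continue
    }
    Write-Host "Block : $user"
    Set-MailboxIRMAccess -Identity $SharedMailbox -User $user -AccessLevel Block
}

# 3. Verify who is now blocked, and compare against the allow-list before
#    asking affected users to restart Outlook (required for the change to apply).
Get-MailboxIRMAccess -Identity $SharedMailbox | Format-List

# To reverse a block for one member later:
#   Remove-MailboxIRMAccess -Identity $SharedMailbox -User 'someone@contoso.com'
```

Rerun the script after each Add-MailboxPermission change, since a newly added FullAccess member is not blocked until an explicit Set-MailboxIRMAccess entry exists for them.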