SOLVED

Can Exchange Online Protection check for TLS before forcing encryption


I know this is possible in Iron Port but not sure if EOP can handle this scenario, so asking for others' opinions.

In Iron Port, you can set up rules to say "If this email contains DLP data, check for TLS delivery. If email is being sent with TLS -> do not force message encryption. If email is not being sent with TLS -> Force message encryption."

Can EOP execute similar functionality? Essentially what I am looking for is whether or not EOP is smart enough to only use OME when TLS is not available.

1 Reply
Best Response confirmed by Tom Gould (Contributor)
Solution

AFAIK, no. You can certainly put an action to force TLS (the "require TLS" action or by routing through a connector), but there is no such "fallback" option. In any case, TLS and OME are quite different; if you need the message to be viewable by specific recipients only, you should always force OME.
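
The two options named in the answer, written as Exchange Online mail flow rules. This is an added example, not part of the original thread; the rule names and the "Credit Card Number" sensitive information type are assumptions, and the OME rule assumes message encryption is already set up in the tenant.

```powershell
# Run in an Exchange Online PowerShell session (Connect-ExchangeOnline).
# Rule names and the data classification below are assumptions for illustration.

$dlpMatch = @{ Name = 'Credit Card Number'; minCount = '1' }

# Option A: always apply OME to outbound mail that matches the DLP condition.
# Only the intended recipients can open the message, regardless of how the
# SMTP hop to the recipient's server is protected.
New-TransportRule -Name 'DLP outbound - apply OME' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications $dlpMatch `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Mode Enforce

# Option B: the "require TLS" action for the same condition.
# This protects the connection to the recipient's mail server only, and the
# rule has no "otherwise apply OME" branch. Created disabled here so that
# A and B are not both applied to the same message.
New-TransportRule -Name 'DLP outbound - require TLS' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications $dlpMatch `
    -RouteMessageOutboundRequireTls $true `
    -Mode Enforce `
    -Enabled $false

# Review what was created and in which order the rules are evaluated.
Get-TransportRule | Where-Object Name -like 'DLP outbound*' |
    Format-Table Name, State, Mode, Priority
```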