Product Feedback for Advanced Message Encryption

Copper Contributor

Hi there, I've just evaluated Advanced Message Encryption for Exchange Online  so thought I would feedback my thoughts. It's a good product if your only goal is to guarantee that emails are encrypted. However if your goal is to limit data breaches, there are two minor features missing which significantly limit its usefulness:-


  • It's not possible to revoke encrypted emails* sent to Microsoft tenanted email accounts (basically almost everyone), since they are displayed inline in Outlook clients, rather than using a link-based experience (where the recipient is required to sign in to the OME portal to view the message).  *This applies to emails encrypted In Outlook by selecting the Encrypt drop down menu, or by applying a Sensitivity Label.


  • It's not possible for the user (or an admin) to query whether a sent link-based encrypted email has been read or not by the recipient, and if so at what date and time.


These two features are likely easy to implement, and would make this product much more useful. End users would be able to rectify their own accidental email data breaches, for example forgetting to use the BCC field, or fat-fingering the Outlook To field autocomplete and selecting the wrong recipient. I understand that products such as Mimecast and Egress Protect already have these features.


Being able to reliably revoke an email, and know for sure whether it was accessed or not by the recipient (and prove so), is the difference between being legally required to report a breach to your region's data regulator or not.


I understand that some organisations may have the priority of an easy user experience, so would want to keep the encrypted message inline in Outlook, but for those whose priority is data breach minimisation, being able to switch this off and use the link-based experience for all recipients would be very useful. I understand that it's possible to setup a transport rule to force recipients to use the OME portal, but this only works if you encrypt *all* of your organisation's messages, rather than those the user has selected to encrypt.


If this feature became available I would have no hesitation to roll it out organisation-wide.

6 Replies

@mikedoneghan Hello, just gonna add my two cents.


Office Message Encryption is a great built-in encryption tool for emails with the options Encrypt-only and Do Not Forward. That's kind of what you can do with, and only use the default OME template.


Now I haven't worked with Advanced OME but here you have more possibilities with branding/templates. You can use multiple and specify more granular options, and not all email have to be encrypted. I assume you've looked in the EXO admin center and played around with possible scenarios as which custom branding template to use and apply O365 Message Encryption or not? And as you mention, you can revoke access in some scenarios. But when you use custom branding you're using the wrapper all the time, hence more secure as the recipient needs to access to OME portal and then you have the possibility to revoke access and set expiration date. Bear in mind that revoke and recall are different things.


The docs have several articles about OME and Advanced OME, perhaps you've already browsed through them but I recommend you go there and have look.


If you want to use a more secure and governance approach you shouldn't look at OME really. But instead DLP and sensitivity labels. You can revoke with the latter if using the unified client. As an admin you always have the possibility. For these two tools you also have the audit log where you can find things like SensitivityLabeledFileOpened

@ChristianJBergstrom Many thanks for your response. I've played around with Advanced Message Encryption custom branding templates, and it seems that the Do not Forward and Encrypt options only use the standard OME template, so you can't force a link-based experience with these. However it is possible to create a rule to use a custom template which forces a link-based experience, but this only works if the transport rule is for all emails sent in the organisation are to be encrypted, which we don't want. This Tech Community article sheds some light on this.


You mentioned using DLP and sensitivity labels, however I have already setup a sensitivity label and get the same behaviour as if the Encrypt option were used, i.e. it only uses a link-based experience if all emails are encrypted by a transport rule, and not selectively based on the sensitivity label being used.


If you've managed to implement sensitivity label(s) which allows a link-based experience (thus allowing revocable emails) for *all* (including Office 365 / recipients, and which doesn't force every email to be encrypted, then I'd be interested to hear how you've achieved that.


You mentioned the unified client, I had to look that up. I read that Microsoft are planning on deprecating Office Apps and using only OWA. So are you referring to OWA being the unified client? If so I think you can only revoke emails using OWA anyway. 

Regarding SensitivityLabeledFileOpened, is this a variable to detail whether an email has been read, or is it only for an attached file?



@mikedoneghan Wow, many questions. You know I have a day job right? ;) As with the previous conversation from a year ago, which you linked to, I believe I did some deeper testing and ended with a reply from my OME findings (my old account).


Just to give you an example.


I used this right now and the wrapper showed up in my Outlook client (M365 desktop app). As I don't have Advanced OME I cannot use other branding than default OME Configuration. You on the other hand can choose multiple (if created) by clicking on the OME Config link, and the Encrypt link, and add other conditions and combine them.




If using sensitivity labels you don't have to go here. Those were previously named AIP labels/templates. OME is simply a small part of "AIP" using the rights management feature for the email/attachment. Sensitivity labels are all data everywhere, not only email.


You should instead work with your organization so the business classifies your data and from those results IT sets up sensitivity labels and label policies which you publish to your users apps, configuring permissions for them or letting them decide themselves, enforce in Outlook or Office apps (Word, PowerPoint, Excel). Add Data Loss Prevention where you have so many settings which can even prevent your users from accidentally send emails or documents to the wrong recipient using policy tips and policy notifications.


I meant the downloadable "AIP" unified labeling client. And I haven't heard a thing about discontinuing M365 apps.


As for you final question perhaps this will answer it How to Report Audit Events Generated for Sensitivity Labels - Office 365 for IT Pros (office365itpro... 


@ChristianJBergstrom Thanks for your support! I have been tasked with setting up sensitivity labels and policies for our organisation in Office 365, with a view to using them in Outlook, as well as for all files in SharePoint as well. However note that I also tested the transport rule you quoted using a sensitivity label (applied from within OWA), and I'm stuck with the same problem of it encrypting all sent emails (with a link-based experience) rather than only those with the sensitivity label applied.


I've been trying to get the Unified Labeling Client you mentioned working so I can try this from the Outlook app (in case it has a different behaviour which does what I want, i.e. display a link-based experience for only each email sent using a sensitivity label),  but I could do with a hand as no labels are showing. 


I've created a label:-


And also created a policy to publish the label to myself (without any policy settings though as I don't want to force anything yet) :-




Also here are my licenses:-



However no labels are showing in the Unified Labelling Client:-



But the sensitivity label does show in OWA though:-



Am I missing a step here? The Unified Labelling Client admin guide doesn't to mention anything else which needs doing. There doesn't seem to be any other way to configure it.


All the best,






Hello! I honestly think it’s better if you ask for assistance using the official support. Not my intention if that sounds impolite in any way. It’s just too complex and time consuming as a community member.
Will do, many thanks.