Aug 04 2019 06:41 PM
I'm trying to configure a mail flow/transport rule in Exchange Online to add a banner to incoming messages that are encrypted. During testing, the rule does not get triggered, even though the received message has an Outlook notification that the message is encrypted. My rule is using the "if message type is encrypted" condition to add a disclaimer (prepend). Does anyone know how this can successfully be achieved?
Aug 05 2019 12:17 AM
@Dan Snape Hi Dan,
Can you run Get-TransportRule -Identity "name of transport rule" | FL and share the output here (please hide sensitive or confidential information, including the domain name)?
Also, have you enforced the Transport Rule at the end of Transport rule?
Aug 05 2019 10:07 AM Solution
Modifying the content on an encrypted message is not supported, as detailed for example here: https://docs.microsoft.com/en-us/previous-versions/office/exchange-server-2010/bb124703(v=exchg.141)...
Aug 08 2019 09:27 PM
We currently have a rule that is prepending "EXT:" to the subject line of all messages from outside the organisation via an Exchange Online transport rule. This is also occurring on encrypted messages (coming from an external recipient also in Exchange Online). Is there any way I can create a condition to detect these encrypted messages and use this as an exclusion for this transport rule? I've tried using "if message type is encrypted" and "if 'X-MS-Exchange-CrossTenant-TransportEncryption-OmeV2LinkUrl' header contains '.'" but with no success.
Even better, I could create a separate rule to tag these messages with "Encrypted:" and bypass the above rule.
Aug 09 2019 02:18 AM - edited Aug 09 2019 02:25 AM
@Vasil Michev Doing some more digging into this, transport decryption is enabled by default in Exchange Online and set to "Optional", so transport rules can in fact read messages protected using AAD RMS. I've tested and this works fine (a disclaimer is added successfully to these messages). So my mistake was thinking that the "encrypted" message type also referred to these types of messages, when in fact it only refers to S/MIME protected messages.
I now need to find a condition I can use in a transport rule that can detect messages that have AAD RMS protection applied to them. We are using the "Encrypt" option in Outlook to do the protection, which I understand uses the new OME, which uses AAD RMS (but I may be wrong).
Aug 09 2019 02:43 AM
I think I've figured it out. Looks like the message type 'Permission controlled' deals with these types of messages, and I'm able to do exactly what I need using this as a condition in the transport rule.
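
The two rules discussed in this thread, written out in Exchange Online PowerShell as an added example (not posted by any participant in the thread). The rule names are hypothetical placeholders, and the example assumes an Exchange Online PowerShell session is already connected and that the "EXT:" rule already exists.

```powershell
# Added example. Rule names below are hypothetical; substitute your own.
$extRule = 'Tag external senders'     # existing rule that prepends "EXT:"
$encRule = 'Tag protected messages'   # new rule created here

# Tag rights-protected mail (the "Permission controlled" message type,
# which is what the thread found matches the Outlook "Encrypt" option).
# Per the thread, the "Encrypted" message type only matches S/MIME mail.
New-TransportRule -Name $encRule `
    -FromScope NotInOrganization `
    -MessageTypeMatches PermissionControlled `
    -PrependSubject 'Encrypted:' `
    -Priority 0

# Exclude the same message type from the existing "EXT:" rule.
# An exception is used instead of -StopRuleProcessing on the new rule,
# because stopping processing would also skip every other later rule.
Set-TransportRule -Identity $extRule `
    -ExceptIfMessageTypeMatches PermissionControlled

# Confirm order, conditions and exceptions of both rules.
Get-TransportRule |
    Where-Object { $_.Name -in $extRule, $encRule } |
    Format-List Name, Priority, State, FromScope, MessageTypeMatches,
                ExceptIfMessageTypeMatches, PrependSubject
```

Test with a protected message from an external sender and an unprotected one; a message trace on each shows which rule fired.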