Transport rule for encrypted messages

Frequent Contributor

I'm trying to configure a mail flow/transport rule in Exchange Online to add a banner to incoming messages that are encrypted. During testing, the rule does not get triggered, even though the received message has an Outlook notification that the message is encrypted. My rule is using the "if message type is encrypted" condition to add a disclaimer (prepend). Does anyone know how this can successfully be achieved?

7 Replies

@Dan Snape Hi Dan,


Can you Run Get-TransportRule -Identity "name of transport rule" | FL and share here (pls hide sensitive or confidential information including domain name. 

Also , have you enforced the Transport Rule at the end of Transport rule.


Cheers !

Ankit Shukla


best response confirmed by Dan Snape (Frequent Contributor)

Modifying the content on an encrypted message is not supported, as detailed for example here:

We currently have a rule that is prepending "EXT:" to the subject line of all messages from outside the organisation via an Exchange Online transport rule. This is also occurring on encrypted messages (coming from an external recipient also in Exchange Online). Is there any way I can create a condition to detect these encrypted messages and use this as an exclusion for this transport rule? I've tried using "if message type is encrypted" and if "X-MS-Exchange-CrossTenant-TransportEncryption-OmeV2LinkUrl' header contains "."" but with no success.

Even better I could create a separate rule to tag these messages with "Encrypted:" and bypass the above rule.

Depends on the type of encryption, how exactly are the messages being generated? RMS? OME? S/MIME? 

@Vasil MichevDoing some more digging into this, transport decryption is enabled by default in Exchange Online and set to "Optional" so transport rules can in fact read messages protected using AAD RMS. I've tested and this works fine (a disclaimer is added successfully to these messages). So my mistake was thinking that the "encrypted" message type also referred to these types of messages, when in fact it only refers to S/MIME protected messages.

I now need to find a condition I can use in a transport rule that can detect messages that have AAD RMS protection applied to it. We are using the "Encrypt" option in Outlook to do the protection which I understand uses the new OME, which uses AAD RMS (but I may be wrong)

I think I've figured it out. Looks like the message type 'Permission controlled' deals with these type of messages, and I'm able to do exactly what I need using this as a condition in the transport rule.