Forum Discussion
Force external users to use OME Portal (versus decryption in Outlook for PC or Outlook Web Access)
The https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-office-365-message-encryption?view=o365-worldwide#ensure-all-external-recipients-use-the-ome-portal-to-read-encrypted-mail section of the Manage Office 365 Message Encryption article suggests that you can require external users to use the MS portal to view encrypted messages, but the instructions simply create a transport rule forcing ALL messages to use the existing template you have. The example creates rules to use either "Encrypt" or "Do Not Forward", but that doesn't address the initial point of forcing users to use the portal. I feel like I'm missing a section that I can't find.
I think what I need is a custom template, but none of the template settings suggest an option that sends the recipient a link to the OME portal and nothing more.
PS, I'm trying to do this because we have a 3rd party using Outlook 2007 and they can't view the encrypted messages. I'm hoping to work around this by not even giving them the option to try to decrypt in their thick Outlook.
AsTheCrowFlew Hello again Paul! As we both have spent quite some time on this conversation, how about making a "best response" to this reply to others for future reference?
1. To use OME standard setting with the default templates Encrypt-Only and Do Not Forward per email. Do it manually.
2. To use OME standard setting and the default templates Encrypt-Only and Do Not Forward automatically not forcing a wrapper. Use EAC transport rules without adding custom branding.
3. To use OME standard setting with the default templates Encrypt-Only and Do Not Forward automatically forcing a wrapper. Use EAC transport rules with custom branding selecting default 'OME Configuration'.
4. To use OME with additional configuration options and the default templates Encrypt-Only and Do Not Forward automatically forcing a wrapper. Use EAC transport rules with custom branding templates (requires Advanced OME).
5. To force all external recipients to use the OME portal use https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-office-365-message-encryption?view=o365-worldwide#use-a-custom-template-to-force-all-external-recipients-to-use-the-ome-portal-and-for-encrypted-email
Obviously one could use PowerShell and other configuration options, but I believe this covers the "basics" pretty well.
Let me know if you put up a UV and I will vote on it.
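The steps in the list above, written out in Exchange Online PowerShell as an added example (not code from this thread or from Microsoft's documentation). It assumes the ExchangeOnlineManagement module, an Advanced OME license for the custom template, a constructed configuration name "Portal Only - External" and a constructed partner domain "partner.example"; note that the rule applies the Encrypt template to every message it matches, so the condition is what limits which mail is encrypted.

```powershell
# Added example: custom OME branding template plus a mail flow rule that applies it
# only to mail leaving the organization. Names below are constructed, not defaults.
Connect-ExchangeOnline   # ExchangeOnlineManagement module, admin account

$configName = "Portal Only - External"   # constructed; the default template is "OME Configuration"

# 1. Create the custom branding template if it does not exist (custom templates need Advanced OME).
if (-not (Get-OMEConfiguration -Identity $configName -ErrorAction SilentlyContinue)) {
    New-OMEConfiguration -Identity $configName | Out-Null
}
Set-OMEConfiguration -Identity $configName `
    -EmailText "This message is protected. Use the button below to read it in the portal." `
    -ReadButtonText "Read in the OME portal"

# 2. Rule: mail from internal senders to external recipients gets the Encrypt template
#    and the custom branding, which is what routes those recipients through the portal.
#    Every message matching this condition is encrypted, so scope the condition carefully.
New-TransportRule -Name "OME portal for external recipients" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -ApplyRightsProtectionCustomizationTemplate $configName

# Variant for the selective case raised in the thread: one partner domain only
# (constructed domain; replace with the real one).
# New-TransportRule -Name "OME portal for partner domain" `
#     -RecipientDomainIs "partner.example" `
#     -ApplyRightsProtectionTemplate "Encrypt" `
#     -ApplyRightsProtectionCustomizationTemplate $configName

# 3. Check the bindings before sending a test message to an external mailbox.
Get-TransportRule -Identity "OME portal for external recipients" |
    Format-List Name, State, FromScope, SentToScope,
        ApplyRightsProtectionTemplate, ApplyRightsProtectionCustomizationTemplate
```

Test with a message to a mailbox outside the tenant and confirm the recipient receives the branded portal link rather than a message their client tries to decrypt locally.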
11 Replies
- ChristianBergstrom (Silver Contributor)
AsTheCrowFlew Hello, well when you're using the built-in OME your options are rather limited as you can only choose between Encrypt-Only and Do Not Forward. I haven't tried to set it up as you mentioned. But to answer your question it's the -ApplyRightsProtectionCustomizationTemplate parameter that will force the recipient to use the OME portal. I assume you only have one template? The default name is the "OME Configuration". You can adjust that one if you'd like to. Don't know how to use it for selective users as the -FromScope is either InOrganization or NotInOrganization.
- AsTheCrowFlew (Brass Contributor)
ChristianBergstrom We currently encrypt messages on-demand with no transport rules (senders click Encrypt Only in their Outlook client when necessary). As expected, different recipients experience different behavior when receiving these messages. Some get a link (like Gmail users), others try (successfully or not) to decrypt the message within their Outlook client. I'm looking for a way for everyone who is otherwise getting an encrypted message to get the link. In the example they provide (see below) it reads like it's going to encrypt every message, which is not what we want. I'll worry about selectively applying this logic to specific domains, but for right now I'd settle on a template that simply forces portal usage. You're right that I'm using basic OME. When I read the documentation on https://docs.microsoft.com/en-us/microsoft-365/compliance/ome-advanced-message-encryption?view=o365-worldwide the section about forcing portal use sends me right back to where I started. I'll happily pay more to get more, but that Advanced OME article doesn't reference exactly what we're trying to accomplish.

```powershell
New-TransportRule -Name "<All outgoing mail>" -FromScope "InOrganization" -ApplyRightsProtectionTemplate "Encrypt" -ApplyRightsProtectionCustomizationTemplate "OME Configuration"
```
- ChristianBergstrom (Silver Contributor)
AsTheCrowFlew How did it go? Did you try the OME transport rules using EAC?
- AsTheCrowFlew (Brass Contributor)
AsTheCrowFlew To be clear, we don't want to encrypt every message, we just want to force the messages that are encrypted to be viewed through the portal. More accurately, we want to force users of a particular domain to use the portal (but we can tackle that separately).